[capsicum] Capability Mode (fwd)

Robert Watson rwatson at FreeBSD.org
Fri Dec 17 19:51:16 UTC 2010

Dear all:

Some of you will have spotted Cambridge's "Capsicum" paper in the USENIX 
Security proceedings this summer, and presented previously at the Cambridge 
and Ottawa FreeBSD developer summits.  We are in the throes of preparing basic 
kernel support for Capsicum to merge to the FreeBSD tree.  This work will 
enter the tree in a number of phases -- some will require more architectural 
discussion in the FreeBSD community (such as process descriptors), but other 
bits (such as capability mode) we'll assume people have been following along 
and plan to merge unless anyone screams.

If you're interested in the topic, and in particular, interested in helping us 
review and test Capsicum patches as they head in the direction of 9-CURRENT, 
please join us on the cl-capsicum-discss mailing list.  You can learn more 
about Capsicum, including finding papers and talks to date, and a pointer to a 
recording of the USENIX Security talk on the topic, here:


You can subscribe to our mailing list here:


Over the next few months we plan to kick off a larger project to explore 
applications of Capsicum in other parts of FreeBSD than the ones explored to 

A hand-wave at a general schedule for merging various new TrustedBSD-related 
features to FreeBSD can be found here:


It is very much a hand-wave, however!  (It seems clear already that capability 
mode support might well slip to January)

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Tue, 14 Dec 2010 21:55:22 -0330
From: Jonathan Anderson <jonathan.anderson at cl.cam.ac.uk>
To: cl-capsicum-discuss at lists.cam.ac.uk
Subject: [capsicum] Capability Mode

Here's a patch against -CURRENT (r216376) that is the first step in a multi-phase programme:

1. Capability mode with a restrictive syscall mask (no openat(2) functions, etc.)
2. Capabilities
3. Deep semantic constraints which allow openat(2), etc. - once we've convinced ourselves that our changes to namei() and friends don't introduce race conditions w.r.t. rename
4. Process descriptors - once we've convinced ourselves that we haven't broken e.g. the garbage collection of UNIX domain sockets

Anyway, please find the proposed first patch attached.



More information about the freebsd-security mailing list