
Capsicum: Practical Capabilities for Unix - logicprog
https://www.cl.cam.ac.uk/research/security/capsicum/
======
dang
A small thread from 2010:
[https://news.ycombinator.com/item?id=2043933](https://news.ycombinator.com/item?id=2043933)

------
dredmorbius
ELI5 / practical applications / examples?

~~~
logicprog
Haven't read it yet, but here's a link that might have some examples:
[https://www.links.org/?p=1242](https://www.links.org/?p=1242).

~~~
notaplumber
And here's the OpenBSD pledge(2) patch for bzip2, for comparison. But
similarly it already prevents a compromised bzip2 process from accessing the
network, executing arbitrary commands, etc., and, when used in a pipeline,
accessing the filesystem. This port might actually be a great candidate for
unveil(2), if anyone wants to help send a patch. :-)

[https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/a...](https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/archivers/bzip2/patches/patch-bzip2_c?rev=1.6&content-type=text/plain)

And as is typical for FreeBSD, ~7/8 years later these "practical" Capsicum
changes were never merged into FreeBSD. :-(

[https://github.com/freebsd/freebsd/tree/master/contrib/bzip2](https://github.com/freebsd/freebsd/tree/master/contrib/bzip2)

~~~
anaphor
Pledge is different from Capsicum though. Pledge is just your typical Unix
style "capabilities", whereas Capsicum is object capabilities (i.e.
[https://en.wikipedia.org/wiki/Object-capability_model](https://en.wikipedia.org/wiki/Object-capability_model))

If you read the list of features, it's very clear that they are _not_ talking
about what most people think of when they hear "capabilities" in the context
of operating systems:

> anonymous shared memory objects - an extension to the POSIX shared memory
> API to support anonymous swap objects associated with file descriptors
> (capabilities)

File descriptors are a form of object capabilities.
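The two posts above describe the same program shape from two angles: the bzip2 patch drops to "stdio only" once its pipeline descriptors exist, and Capsicum treats those descriptors themselves as the capabilities that survive sandboxing. The following is an added example written for this page, not code from the thread, from bzip2, or from the FreeBSD or OpenBSD projects. It is a minimal copy filter that acquires its two descriptors first, then narrows them and enters the sandbox. On FreeBSD the Capsicum calls (`cap_rights_limit`, `cap_enter`) are compiled in; on OpenBSD the same step is `pledge("stdio", NULL)`; on any other system `enter_sandbox()` is assumed to be a no-op so the copy logic still runs. The pipe-based driver and its input string are constructed for the example.

```c
/*
 * Added example: a Capsicum-style filter in the spirit of the bzip2 sandboxing
 * discussed above. Pattern: (1) obtain every descriptor the program will ever
 * need, (2) narrow the rights on each descriptor to what the work loop uses,
 * (3) enter capability mode, after which open(2)/connect(2)/execve(2) fail
 * with ECAPMODE and the descriptors are the only "capabilities" left.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__)
#include <sys/capsicum.h>
#endif

/* Narrow in_fd/out_fd and enter the sandbox. Must run AFTER both descriptors
 * exist. Returns 0 on success, -1 with errno set on failure (fail closed: a
 * caller should exit rather than keep working unsandboxed). */
int enter_sandbox(int in_fd, int out_fd)
{
#if defined(__FreeBSD__)
    cap_rights_t rd, wr;
    cap_rights_init(&rd, CAP_READ, CAP_FSTAT);   /* input: read + fstat only  */
    cap_rights_init(&wr, CAP_WRITE, CAP_FSTAT);  /* output: write + fstat only */
    if (cap_rights_limit(in_fd, &rd) < 0)  return -1;
    if (cap_rights_limit(out_fd, &wr) < 0) return -1;
    /* From here on no new descriptors can be obtained from global namespaces. */
    if (cap_enter() < 0) return -1;
#elif defined(__OpenBSD__)
    (void)in_fd; (void)out_fd;
    /* "stdio" keeps read/write on existing descriptors; paths, sockets and
     * exec are no longer available to the process. */
    if (pledge("stdio", NULL) < 0) return -1;
#else
    (void)in_fd; (void)out_fd;   /* assumed no-op on other platforms */
#endif
    return 0;
}

/* The post-sandbox work a filter does; here just a copy loop.
 * Returns bytes copied, or -1 on I/O error. */
long copy_stream(int in_fd, int out_fd)
{
    char buf[4096];
    long total = 0;
    for (;;) {
        ssize_t n = read(in_fd, buf, sizeof buf);
        if (n == 0) return total;
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) { if (errno == EINTR) continue; return -1; }
            off += w;
        }
        total += n;
    }
}

/* Offline driver with constructed data: feed `input` through a pipe, sandbox,
 * copy into a second pipe, read it back. Returns 1 if the output matches. */
int roundtrip_ok(const char *input)
{
    int inpipe[2], outpipe[2];
    char out[4097];
    size_t len = strlen(input);
    if (len > 4096) return 0;                 /* stay within one pipe buffer */
    if (pipe(inpipe) < 0 || pipe(outpipe) < 0) return 0;
    if (write(inpipe[1], input, len) != (ssize_t)len) return 0;
    close(inpipe[1]);                         /* EOF for the copy loop */

    if (enter_sandbox(inpipe[0], outpipe[1]) < 0) return 0;
    long copied = copy_stream(inpipe[0], outpipe[1]);
    close(outpipe[1]);
    close(inpipe[0]);
    if (copied != (long)len) return 0;

    size_t got = 0;
    for (;;) {                                /* drain the output pipe */
        ssize_t r = read(outpipe[0], out + got, sizeof out - 1 - got);
        if (r < 0) return 0;
        if (r == 0) break;
        got += (size_t)r;
    }
    close(outpipe[0]);
    out[got] = '\0';
    return got == len && memcmp(out, input, len) == 0;
}

int main(void)
{
    puts(roundtrip_ok("hello, capsicum") ? "ok" : "mismatch");
    return 0;
}
```

The ordering is the whole point: anything opened after `enter_sandbox()` is unreachable on FreeBSD, so a real tool resolves its input and output paths, config files and log descriptors before that line. pledge(2) expresses the same intent as a fixed list of permitted syscall classes for the process, rather than as per-descriptor rights.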

~~~
notaplumber
Capsicum is dead outside of FreeBSD, the Linux port went nowhere, and in the
handful of places where it is used in FreeBSD base, it's not even utilizing
capabilities to its full potential. It wasn't even enabled by default for many
years, until 11 or 12?

Meanwhile pledge(2) is protecting a large percentage of the OpenBSD base
system, something like 85/90% of all programs. And unlike Capsicum, it is
"practical" for developers. And important ports like archivers and web
browsers. The Capsicum project never shipped the much touted Capsicum-ized
chrome, but OpenBSD has pledge/unveil chrome packages by default.

~~~
anaphor
The point is that they shouldn't be confused as having the same goal. The
reason object capabilities are so difficult to integrate is that you basically
have to refactor all of your software to use a different style of programming.
I don't think that means that pledge is somehow superior. They do two
completely different things.

For an example of an active project using ocaps see:

[https://fuchsia.googlesource.com/fuchsia/](https://fuchsia.googlesource.com/fuchsia/)
[https://sel4.systems/](https://sel4.systems/)

~~~
notaplumber
pledge(2), and the traditional OpenBSD privilege dropping model upon which
pledge(2) expands, is demonstrably the superior model, one which developers
can easily understand and use to design secure programs. Simple interfaces
always beat more complicated ones.

