Skip to content

Projects

Jump to bottom
David Drysdale edited this page Jul 11, 2016 · 5 revisions

This is a list of possible Capsicum-related development projects; where possible, there's an indication of where/when the idea came up (CC=conference call, ML=mailing list).

  • Go language bindings [CC:2016-07-08]

  • Create a portable libcapsicum, to provide a standard API but with functionality stubbed out when the underlying platform doesn't support it; this allows application code to get the best that the platform has to offer without portability concerns. [CC:2016-04-29]

    • On FreeBSD, capability mode and file capabilities would be effective.
    • On vanilla Linux, most of capability mode could be implemented as a seccomp-bpf filter, but capabilities would be stubbed out.
    • On Capsicum-patched Linux, capability mode and file capabilities would work.
    • On OS X, capability mode might be implementable using OS X sandbox features.

  • Create library/wrapper function for iterating over a list of files, invoking a sub-process on a file descriptor for each. [ML:2016-04-29]

  • Add debugging option to make it easier to find rights mismatches [CC:2015-07-20]

    • For example, if CAPSICUM_DEBUG=1 in the environment then generate a log and/or signal on rights check failure.

  • Examine ioctl() operations that have direct analogues with other system calls, and make sure rights needed are in sync:

    • FIOCLEX/FIONCLEX == fcntl(fd, F_SETFD, FD_CLOEXEC)
    • FIONBIO == fcntl(fd, F_SETFL, O_NONBLOCK)
    • FIOQSIZE == CAP_FSTAT ?
    • FIOASYNC == just CAP_IOCTL + ioctl-cmd
    • FS_IOC_FIEMAP == CAP_FSTAT|CAP_FSTATFS ?
    • FIGETBSZ == CAP_FSTATFS ?
    • FIFREEZE / FITHAW == CAP_FSCK|CAP_FSTATFS ?
    • FICLONE[RANGE] == src: CAP_READ|CAP_SEEK|CAP_FSTAT, dst: CAP_WRITE|CAP_SEEK|CAP_FSTAT ?
    • FIDEDUPRANGE == src: CAP_READ|CAP_SEEK|CAP_FSTAT, dst: CAP_WRITE|CAP_SEEK|CAP_FSTAT ?

  • [Linux] Get Capsicum changes for Chromium working [CC:2015-11-02]

  • Enhance Capsicum test suite to allow better Jenkins integration, including configured XFAIL results on platforms with known problems [CC:2015-10-16]

  • [FreeBSD] Implement some sort of rights inheritance for accept() and sctp_peeloff(). [ML:2014-01-23, CC:2015-10-16]

    • Discussion remains ongoing about whether should simply be the parent FD's rights, or something more sophisticated
    • FreeBSD bug 201052 is related

  • [FreeBSD] Get pdwait4(), or some functional equivalent implemented [ML:2015-05-08, CC:2015-05-18]

  • [FreeBSD] Add PD_CLOEXEC option for pdfork() [ML:2015-05-08]

  • Deal with stale pid values returned from pdgetpid(2) [ML:2015-05-08]

  • More work on running dynamically linked binaries under capability mode, building on Jon's changes with LD_LIBRARY_PATH_FDS [CC:2015-05-11]

  • Build wrapper to allow unmodified binaries to run in Capsicum sandbox [CC:2015-05-18, Jon Anderson]

    • Pre-open files from command-line / config
    • Intercept subsequent open calls (by libc interposition) and return pre-opened FDs
    • cf. Plash/Shill

  • Quantize the attack surface reduction of Capsicum vs other sandboxes (e.g. Chrome's seccomp-bpf sandbox on Linux) [CC:2015-05-11]

  • Create a better API for getting a socket, and more generally for translating a name to an FD [CC:2015-10-30]

  • Add rights protection for some filesystem-related system calls that aren't currently protected [CC:2015-11-13]

    • fdatasync (probably CAP_FSYNC)
    • readlinkat (probably a new CAP_READLINKAT right)
    • [posix_]fallocate (TBD, but probably CAP_PWRITE for the basic functionality, plus other rights for the extra flags that are available on Linux
    • [posix_]fadvise (TBD)

Clone this wiki locally