A couple of weeks ago I read a paper on Capsicum, a "lightweight OS capability and sandbox framework," <http://www.cl.cam.ac.uk/research/security/capsicum/>. Capsicum looks like a giant step in the right direction for UNIX security research. I'd like to see a similar function in NetBSD. What are others' impressions of Capsicum? Is anybody working on a port?
I have a couple of concerns about Capsicum at its current level of development. First, I'm wary of "self-compartmentalization" of programs and libraries. It seems like it could be a lot of work to add self-compartmentalization to just the programs in NetBSD's base system, and when it was finished, I doubt that so many changes would be both trustworthy and consistent. The second concern is related to the first: a Capsicum sandbox doesn't simulate access to the global namespace for the purpose of unmodified programs calling, e.g., open(2)---can it? The authors of the Capsicum paper are already thinking about the question (see section 4.3, "gzip"); I'm eager to see what they come up with.

For consistency, user confidence and convenience, I'd like to see a wrapper program or shell built-in, "capsicum [capabilities] [program [arguments ...]]", that creates a sandbox, grants it the mentioned <capabilities>, and starts in it the given <program> with the given <arguments>. Maybe that wouldn't be hard to do. Maybe there's a better way, too. Your thoughts?

Dave

--
David Young
OJC Technologies
[email protected]
Urbana, IL * (217) 278-3933
