On Wed, Mar 12, 2014 at 12:58 PM, tuchalia <[email protected]> wrote: > Hi all, > > I'm really interested in this possibility of porting the Capsicum framework
That's awesome ! > to OpenBSD. Should l try to port also the Casper daemon to OpenBSD, or > only work in the kernel implementation? Capsicum is a huge project, and realistically, it's impossible to to port it completely and get a production grade version by working only 8-12 weeks. The project clearly exceeds the mandate of a GSoC, in my opinion. You might start by planning the kernel implementation, similar to what Joris did for DragonflyBSD. (http://leaf.dragonflybsd.org/mailarchive/kernel/2013-04/msg00025.html). With a kernel implementation, we can do quite a lot of things, like what happened for OpenSSH 6.5. OpenSSH 6.5 has capsicum support on FreeBSD, and it doesn't need casper to sandbox the pre-auth code. matthew had already started working on some bits. (https://lists.cam.ac.uk/pipermail/cl-capsicum-discuss/2011-July/msg00002.html) Your best bet is to speak to damien miller and work out a sensible plan. If you're really interested motivated in doing a good & complete work, you should be ready to spend time after gsoc getting feedback on the diffs, and improve them. Personally, I would like to see a working kernel implementation, and getting at least sshd in base capsicumised :-) I can help you with the last part, as I'm familiar with the code. Please talk to damien & matthew as they might have a different roadmap or radically different ideas in mind. > > I've used Capsicum during the last summer, but I only worked with the > syscall API, that is, no Casper (something that can be fixed quickly). Very good ! However, I would advise caution here, as there has been at least one bug that has been reported with the changes happening in FreeBSD. (http://unbound.net/pipermail/unbound-users/2014-February/003169.html). So you have to be prepared to fix any potential fallout if capsicum port is to be merged into OpenBSD :-) > > I know what I should I do with the Capsicum side (in the matter of getting > some info to have a strong proposal) but I'm not sure about where to look > when it comes to the OpenBSD side. Should I take a look at the process data > structure, and how all this is implemented in the kernel? Should I take a > look somewhere else? I would advise you to look into Joris's posts to DragonflyBSD lists, and see what difficulties he faced when he ported capsicum to dflybsd. Also, please take into account that OpenBSD kernel is different from FreeBSD kernel, and that will probably involve a lot of rewriting. You are lucky as OpenBSD has a rock solid -current tree. Ideally, you would have a dedicated physical box such as a 2nd laptop or a development machine to work on that IMHO. Read the OpenBSD FAQ for running -current. http://www.openbsd.org/faq/current.html > > Also, do we have any IRC channel to discuss al this? I'll send it to you in a personal mail. > > Many thanks, Good luck with your proposal ! -- This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
