On 3/12/14 4:58 AM, tuchalia wrote:
> Should I try to port also the Casper daemon to OpenBSD, or
> only work in the kernel implementation?

Based on more private mail, I figured it'd be a good idea to make what I
plan to work on public in case there are others interested so we can
avoid stepping on each others' toes.

I've been told that the OpenBSD project's main objective in supporting
capsicum is to have stronger privsep in our default services (think ssh,
etc.), and the first steps to support that are the relevant kernel
changes; therefore that's what I plan to work on first.

I wasn't planning on doing anything with casper, user angels, etc., and
even porting libcapsicum was a secondary objective, at least not during
this summer.

There's also a ton of userland things besides daemons/services that
could (probably should) be capsicumized.

Just yesterday there was a vuln reported by the Debian folks in
their file(1) that potentially allowed arbitrary code execution. I
immediately checked our implementation and didn't see the same code that
was patched, but our src/usr.bin/file/softmagic.c still contains a ton
of logic which probably has at least one bug somewhere, and file(1)
should be a fairly easily capsicumizable utility.

Userland capsicumization is something that could very easily be done by
multiple people since it's naturally separated into small chunks (per
utility). I planned to focus on getting the primary kernel
infrastructure in place this summer (because it's a somewhat large
project, and it would definitely help to be sponsored by Google so I can
focus on it) and then it'd be easier to work on userland stuff in small
chunks of free time throughout the next school year.

The reason I really want to work on Capsicum is because it addresses my
primary concern with OpenBSD: the poor availability of post-exploit
mitigation techniques, especially post-parallelism with sysjail. I
haven't completely bought into what appears to me to be Robert Watson's
greater vision of a realistic transition path towards
capability-oriented operating systems; I mostly just want to improve the
tools I use every day.
