mirror of https://github.com/opnsense/src.git, synced 2026-06-11 01:30:30 -04:00
capsicum.4: Add some more detail from the Capsicum paper
Adapt some language from "Capsicum: practical capabilities for UNIX"
https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf

Reviewed by: markj
Discussed with: rwatson
Event: Kitchener-Waterloo Hackathon 202506
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50855
parent df4b9fa460
commit c54534e602
1 changed file with 46 additions and 1 deletion
@ -24,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 5, 2025
.Dd June 17, 2025
.Dt CAPSICUM 4
.Os
.Sh NAME
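Review bot: the .Dd bump to June 17, 2025 is the right companion to the wording added in the later hunks; just confirm it matches the date the change actually lands (FreeBSD convention is the content-change date, not the review date). Nothing else to flag in this hunk.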
@ -37,6 +37,12 @@
.Nm
is a lightweight OS capability and sandbox framework implementing a hybrid
capability system model.
.Nm
is designed to blend capabilities with UNIX.
This approach achieves many of the benefits of least-privilege operation, while
preserving existing UNIX APIs and performance, and presents application authors
with an adoption path for capability-oriented design.
.Pp
Capabilities are unforgeable tokens of authority that can be delegated and must
be presented to perform an action.
.Nm
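Review bot: mdoc style nit on the new paragraph: "UNIX" in "is designed to blend capabilities with UNIX." (and in the next line) can be written with the `.Ux` macro rather than as literal text. Otherwise the added sentences each start on their own line as mdoc expects, and the paper-derived claim about "preserving existing UNIX APIs and performance" is acceptable here because the source is credited in the AUTHORS hunk below.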
@ -59,6 +65,34 @@ namespaces) is restricted; only explicitly delegated rights, referenced by
memory mappings or file descriptors, may be used.
Once set, the flag is inherited by future children processes, and may not be
cleared.
.Pp
Access to system calls in capability mode is restricted: some system calls
requiring global namespace access are unavailable, while others are
constrained.
For instance,
.Xr sysctl 2
can be used to query process-local information such as address space layout,
but also to monitor a system’s network connections.
.Xr sysctl 2
is constrained by explicitly marking ≈60 of over 15000 parameters as permitted
in capability mode; all others are denied.
.Pp
The system calls which require constraints are
.Xr sysctl 2 ,
.Xr shm_open 2
.Pq which is permitted to create anonymous memory objects but not named ones
and the
.Xr openat 2
family of system calls.
The
.Xr openat 2
calls already accept a file descriptor argument as the directory to perform the
.Xr open 2 ,
.Xr rename 2 ,
etc. relative to; in capability mode the
.Xr openat 2
family of system calls are constrained so that they can only operate on
objects “under” the provided file descriptor.
.It capabilities
Limit operations that can be called on file descriptors.
For example, a file descriptor returned by
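Review bot: the figures "≈60 of over 15000 parameters" come from the 2010 paper but the man page now states them in the present tense as a fact about today's sysctl(2); either re-count against the current tree or qualify them ("at the time of the paper, ..."), since both the permitted list and the sysctl namespace have changed since then. Separately, this hunk introduces non-ASCII characters into an mdoc page (the "≈", the curly apostrophe in "system’s" and the quotes around “under”): use `\(ap` or the word "approximately", a plain ASCII apostrophe, and `.Dq under` respectively, and run mandoc -T lint over the result. Finally, "family of system calls are constrained" should read "is constrained", since the subject is "family".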
@ -152,3 +186,14 @@ and
.An Kris Kennaway Aq Mt kris@FreeBSD.org
at Google, Inc., and
.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net .
Portions of this manual page are drawn from
.Rs
.%A Robert N. M. Watson
.%A Jonathan Anderson
.%A Ben Laurie
.%A Kris Kennaway
.%T Capsicum: practical capabilities for UNIX
.%J USENIX Security Symposium
.%D August 2010
.%O DOI: 10.5555/1929820.1929824
.Re
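Review bot: the reference block should also carry the paper's URL, which the commit message already gives, as `.%U https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf` next to the `.%O DOI: ...` line, so readers can reach the paper without a DOI lookup. A `.Pp` between `.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net .` and "Portions of this manual page are drawn from" would keep the attribution from running straight into the author list.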