Capsicum (Unix)

Capsicum is an implementation of capability-based security for UNIX and similar systems. Presented at USENIX 2010, the system has been part of FreeBSD since its 9.0 release. It has also been adapted to Linux and DragonFly BSD in the form of kernel patches.[1]

The system works by splitting the normal permissions into very small pieces. When a process enters Capsicum mode, it loses all permissions normally associated with its controlling user, with the exception of "capabilities" it already has in the form of file descriptors. A process can also receive capabilities via Unix sockets. These file descriptors control access not only to the file system, but also to other devices such as network sockets. Flags are also used to control more fine-grained access like reads and writes.[2]
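The following C sketch is an added example, not code from the article or from the Capsicum project. It shows a descriptor being handed over a Unix socket as SCM_RIGHTS data and then used by the receiver. The helper names (send_fd, recv_fd, delegate_demo) and the "secret" payload are constructed for illustration, and both ends run in one process for brevity. The Capsicum calls cap_rights_limit() and cap_enter() are compiled only on FreeBSD; on other systems only the descriptor passing runs.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_rights_limit(), cap_enter() */
#endif

/* Control buffer for one descriptor, aligned for struct cmsghdr. */
typedef union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } ctlbuf;

/* Send descriptor fd over Unix socket sock as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd) {
    char byte = 0; ctlbuf ctl = { { 0 } };
    struct iovec iov = { &byte, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from sock; returns it, or -1 on failure. */
static int recv_fd(int sock) {
    int fd = -1;
    char byte; ctlbuf ctl;
    struct iovec iov = { &byte, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (c == NULL || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Constructed demo: hand over a read-only pipe end, then read through the copy. */
int delegate_demo(char *out, size_t len) {
    int sp[2], p[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) || pipe(p) || write(p[1], "secret", 6) != 6) return -1;
#ifdef __FreeBSD__
    cap_rights_t r;   /* restrict the descriptor to reads, then enter capability mode */
    if (cap_rights_limit(p[0], cap_rights_init(&r, CAP_READ)) < 0 || cap_enter() < 0) return -1;
#endif
    if (send_fd(sp[0], p[0]) < 0) return -1;
    int got = recv_fd(sp[1]);
    return got < 0 ? -1 : (int)read(got, out, len);
}
```

On FreeBSD the received descriptor carries only CAP_READ, so a write through it fails, and once cap_enter() has returned the process can no longer open new paths by name.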

CloudABI

CloudABI is an application binary interface based on Capsicum. It keeps the overall Capsicum permission model, but uses it to redesign a simplified environment for processes (system calls, C library, etc.) to run on, so that programs become portable to any platform supporting the ABI on the same instruction set architecture. The interface it offers is roughly POSIX minus the parts that do not work with capability-based security. As of March 2020, CloudABI is natively a part of FreeBSD, and it can be run on other systems either via a Capsicum-based patch or using a non-secure system call emulator.[3][4]

References

  1. "Capsicum: practical capabilities for UNIX". Cambridge Computer Laboratory. Retrieved 8 April 2020.
  2. Edge, Jake (February 22, 2012). "Capsicum: practical capabilities for UNIX". lwn.net.
  3. "NuxiNL/cloudabi". Nuxi. 30 March 2020.
  4. Brown, Neil (February 10, 2016). "CloudABI". lwn.net.


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.