proposal
Capsicum is a fine-grained capability framework for Unix systems. It can be used to sandbox applications by restricting their access to the various global namespaces (the filesystem, the PID space, the network, ...). While DAC and Unix permissions grant access at the user level, Capsicum is designed to implement security policies at the application or library level. Unlike MAC frameworks (SELinux, AppArmor, ...), where the access profile is configured outside the code, a Capsicum sandboxing policy may be built directly into the application itself. Capsicum is currently implemented in the FreeBSD kernel, and some work is ongoing on the Linux side.
This proposal is mostly about the kernel APIs. The goal is to have an implementation of the various syscalls compatible with the FreeBSD kernel API, which consists of three parts:
- Capability mode: a process mode, entered through a system call, in which access to global namespaces is restricted. For instance, system calls such as open(2) and socket(2) can no longer be used. Capability mode is inherited by child processes and cannot be left once entered; from then on, only the rights delegated through file descriptors may be used.
- Capabilities: rights (read, write, seek, ioctl, lookup, ...) can be attached to file descriptors to restrict what may be done through them. Capabilities are limited by a set of system calls, and the rights on a descriptor can only be narrowed, never widened again.
- Process descriptors: on POSIX systems, processes can only be managed through the global PID namespace. To allow a parent to manage its children while in capability mode, a new API has been created. Like file descriptors, process descriptors are local handles on processes and are managed by a set of syscalls: pdfork, pdkill, pdwait4 and pdgetpid.
The kernel API will be compatible with FreeBSD. FreeBSD is currently working on a library to ease the development of Capsicum-enabled applications, and on Casper, a system daemon that gives sandboxed applications access to privileged services. These tools will have to be ported for a fully functional Capsicum system, but they are not finished yet.
I expect to have a working kernel implementation of Capsicum, compatible with the FreeBSD one, at the end of the SoC. I have already started to work on this project, and I have some code for managing the rights attached to file descriptors.
Project timeline broken down by week, with details on when each feature described in the project goals will be available
Implement capabilities for file descriptors in kern_descrip.c. The white-listed capabilities have to be attached to each file descriptor entry. An ioctl white-list is also needed, which means dynamically allocated space for each file descriptor that carries such a list. Capabilities are checked each time a process gets a file pointer from a file descriptor.
Convert the various kernel code paths that use the file descriptor internal API (holdfp, etc.) to use the capabilities where needed. Add a capability mode: a credential flag on the process which can be set by a syscall and which is inherited by forked child processes.
Capability mode syscall interface. Implement the syscalls to enter capability mode, to limit the rights attached to a descriptor, and to white-list its ioctls.
Add capability checks to various syscalls: the *at(2) family, nlookup, sysctl. This should be fairly easy; at this point I should have a semi-working Capsicum implementation, and it would be a good time to do some testing. Reuse the regression tests from FreeBSD (tools/regression/capsicum/syscalls/) and check that they pass.
For the midterm, the file descriptor part of the Capsicum API should be functional.
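The file descriptor part of the plan above, as an added example that is not code from this proposal, from the target kernel or from FreeBSD: a small user-space model in C of the rights mask attached to each descriptor, the dynamically allocated ioctl white-list, the check made whenever a file pointer is fetched (holdfp), the capability mode flag, and the relative-path rule the *at family must enforce in capability mode (the same rule the later connectat/bindat step relies on). The rights bits, MAXFD, the errno values, and the simplified openat rule (the new descriptor inherits the directory descriptor's rights) are assumptions of the model, not the real kernel's data structures.

```c
/* Added illustration for this page: a user-space model of the checks the
 * proposal describes (rights mask per descriptor, dynamically allocated ioctl
 * white-list, capability mode, relative-only lookups for the *at calls). It is
 * not the proposal's kernel code and not FreeBSD's: the names mirror the
 * FreeBSD API, but the types, rights bits and errno values are assumed. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93  /* FreeBSD's values, assumed here; not defined on Linux */
#define ECAPMODE    94
#endif
#define MAXFD 16
typedef uint64_t cap_rights_t;  /* one bit per right; FreeBSD uses a wider struct */
enum { CAP_READ = 1, CAP_WRITE = 2, CAP_IOCTL = 4, CAP_LOOKUP = 8, CAP_ALL = 15 };

struct fdesc {
    int used;
    cap_rights_t rights;    /* white-listed rights on this descriptor */
    unsigned long *ioctls;  /* heap-allocated ioctl white-list, NULL = unrestricted */
    size_t nioctls;
};
struct proc {
    int cap_mode;           /* the credential flag; a real kernel copies it on fork() */
    struct fdesc fdtab[MAXFD];
};

struct proc *proc_new(void) { return calloc(1, sizeof(struct proc)); }
int cap_enter(struct proc *p) { p->cap_mode = 1; return 0; }

static int fd_alloc(struct proc *p, cap_rights_t rights) {
    for (int i = 0; i < MAXFD; i++)
        if (!p->fdtab[i].used) {
            p->fdtab[i] = (struct fdesc){ .used = 1, .rights = rights };
            return i;
        }
    return -EMFILE;
}
/* The check made whenever a file pointer is fetched from a descriptor:
 * every right the caller needs must be present. */
int holdfp(const struct proc *p, int fd, cap_rights_t need) {
    if (fd < 0 || fd >= MAXFD || !p->fdtab[fd].used) return -EBADF;
    return (p->fdtab[fd].rights & need) == need ? 0 : -ENOTCAPABLE;
}
/* Rights can only be narrowed, never regained. */
int cap_rights_limit(struct proc *p, int fd, cap_rights_t rights) {
    int rc = holdfp(p, fd, 0);
    if (rc) return rc;
    if (rights & ~p->fdtab[fd].rights) return -ENOTCAPABLE;
    p->fdtab[fd].rights = rights;
    return 0;
}
static int ioctl_listed(const struct fdesc *d, unsigned long cmd) {
    if (!d->ioctls) return 1;
    for (size_t i = 0; i < d->nioctls; i++) if (d->ioctls[i] == cmd) return 1;
    return 0;
}
/* Install an ioctl white-list; an existing list may only be shrunk. */
int cap_ioctls_limit(struct proc *p, int fd, const unsigned long *cmds, size_t n) {
    int rc = holdfp(p, fd, 0);
    if (rc) return rc;
    struct fdesc *d = &p->fdtab[fd];
    for (size_t i = 0; i < n; i++) if (!ioctl_listed(d, cmds[i])) return -ENOTCAPABLE;
    unsigned long *copy = malloc((n + 1) * sizeof *copy);  /* +1 keeps n == 0 valid */
    if (!copy) return -ENOMEM;
    if (n) memcpy(copy, cmds, n * sizeof *copy);
    free(d->ioctls); d->ioctls = copy; d->nioctls = n;
    return 0;
}
int sys_ioctl(const struct proc *p, int fd, unsigned long cmd) {
    int rc = holdfp(p, fd, CAP_IOCTL);
    return rc ? rc : ioctl_listed(&p->fdtab[fd], cmd) ? 0 : -ENOTCAPABLE;
}
/* open(2) names the global filesystem namespace, so it is refused in cap mode. */
int sys_open(struct proc *p, const char *path) {
    (void)path;
    return p->cap_mode ? -ECAPMODE : fd_alloc(p, CAP_ALL);
}
/* In cap mode a lookup must stay below dirfd: no absolute path, no ".." component. */
static int cap_path_ok(const char *path) {
    if (path[0] == '/') return 0;
    for (const char *s = path, *e;; s = e + 1) {
        e = strchr(s, '/');
        size_t len = e ? (size_t)(e - s) : strlen(s);
        if (len == 2 && s[0] == '.' && s[1] == '.') return 0;
        if (!e) return 1;
    }
}
/* openat(2): dirfd needs CAP_LOOKUP, and the new descriptor inherits dirfd's
 * rights (assumed to mirror FreeBSD), so it can never be wider than its parent. */
int sys_openat(struct proc *p, int dirfd, const char *path) {
    if (!p->cap_mode && path[0] == '/') return fd_alloc(p, CAP_ALL);
    int rc = holdfp(p, dirfd, CAP_LOOKUP);
    if (rc) return rc;
    if (p->cap_mode && !cap_path_ok(path)) return -ENOTCAPABLE;
    return fd_alloc(p, p->fdtab[dirfd].rights);
}
```

The two properties worth checking against this model are the ones the regression tests will exercise on the real kernel: a right dropped with cap_rights_limit (or an ioctl dropped from the white-list) can never be re-added on the same descriptor, and after cap_enter() the only way to reach a file is an openat() relative to a directory descriptor that still carries CAP_LOOKUP, with absolute paths and ".." rejected.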
Port the Capsicum-enabled bzip2: https://github.com/benlaurie/freebsd/blob/master/contrib/bzip2/
Minor modifications are needed because this code was a proof of concept written against an earlier state of the Capsicum API, but it is still a good tool to test the current code.
Process descriptor API. Add four syscalls, pdfork, pdwait4, pdkill and maybe pdgetpid, which use a file-descriptor-like API to reference processes.
Write tests for the process descriptor API.
Add connectat() and bindat() syscalls for UNIX domain sockets. Their behavior would be similar to the *at syscall family: the socket path is resolved relative to a directory descriptor, so a process in capability mode can still bind or connect inside a directory it holds a descriptor for.
Write test cases for connectat and bindat.
Remaining Time
At this point, the kernel API should be done. Spend the remaining time on testing.