It is unlikely that beep will be used in a context where sandboxing would be valuable but it is a simple demonstration of a capability sandbox and is easy/low-cost to do.

markj added a subscriber: markj.Jun 17 2025, 4:03 PM

markj added inline comments.

usr.bin/beep/beep.c
208	caph_enter() still needs error checking.

It's a nice example of how easy example how to use Capsicum by opening all resources before entering capability mode, but would better to call cap_enter() instead of caph_enter()?

emaste updated this revision to Diff 157206.Jun 17 2025, 5:31 PM

emaste edited the summary of this revision. (Show Details)

better to call cap_enter() instead of caph_enter()?

caph_enter is a very small wrapper that just ignores ENOSYS in case it's running on a kernel compiled without options CAPABILITY_MODE. If we remove that as an option we could stop doing this

christos accepted this revision.Jun 17 2025, 6:11 PM

This revision is now accepted and ready to land.Jun 17 2025, 6:11 PM

Closed by commit rG54eda43cc1e6: beep: Capsicumize (authored by emaste). · Explain WhyJun 17 2025, 7:42 PM

This revision was automatically updated to reflect the committed changes.

emaste added a commit: rG54eda43cc1e6: beep: Capsicumize.

Herald added a subscriber: imp. · View Herald TranscriptJun 17 2025, 7:42 PM

emaste added a commit: rG5aaaa1a61024: beep: Capsicumize.Jul 29 2025, 5:51 PM