capsicum.4: Add some more detail from the Capsicum paper
Closed, Public

Authored by emaste on Jun 14 2025, 6:00 PM.
Referenced Files
F131958392: D50855.id.diff
Sun, Oct 12, 12:32 PM

Details

Summary
Adapt some language based on "Capsicum: practical capabilities for UNIX"
https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

emaste added a subscriber: lattera-gmail.com.

Add reference to paper

@lattera-gmail.com we've had some discussion on the challenges in adapting or designing software for sandboxing, and we haven't had great documentation on that. Would you have a look at this patch and let me know if this is a start to make some of the concepts more clear?

share/man/man4/capsicum.4
189

(applied locally)

markj added inline comments.
share/man/man4/capsicum.4
77

These numbers are a bit outdated: the number of MIBs is device-dependent (my laptop has something like 15,000) and I see something like 60 references to CTLFLAG_CAPRD in main.

Update sysctl numbers

share/man/man4/capsicum.4
77

Huh, sysctl -aN | wc -l on my laptop is 19463.

This revision is now accepted and ready to land. Jun 17 2025, 4:07 PM