D50855.id157171.diff
Index: share/man/man4/capsicum.4
===================================================================
--- share/man/man4/capsicum.4
+++ share/man/man4/capsicum.4
@@ -24,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd June 5, 2025
+.Dd June 17, 2025
.Dt CAPSICUM 4
.Os
.Sh NAME
@@ -37,6 +37,12 @@
.Nm
is a lightweight OS capability and sandbox framework implementing a hybrid
capability system model.
+.Nm
+is designed to blend capabilities with UNIX.
+This approach achieves many of the benefits of least-privilege operation, while
+preserving existing UNIX APIs and performance, and presents application authors
+with an adoption path for capability-oriented design.
+.Pp
Capabilities are unforgeable tokens of authority that can be delegated and must
be presented to perform an action.
.Nm
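Review bot: the added paragraph opens with a second `.Nm` right after the sentence that already introduces `.Nm` as "a lightweight OS capability and sandbox framework implementing a hybrid capability system model", so "is designed to blend capabilities with UNIX" restates what was just said; consider folding that clause into the existing sentence, or keeping only the least-privilege/adoption-path sentence and dropping the first one. Style: FreeBSD manual pages spell the trademark with the `.Ux` macro rather than the literal "UNIX" (it appears twice in this hunk, "blend capabilities with UNIX" and "existing UNIX APIs"); `.Ux` renders the same text and keeps the page consistent with other section 4 pages.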
@@ -59,6 +65,34 @@
memory mappings or file descriptors, may be used.
Once set, the flag is inherited by future children processes, and may not be
cleared.
+.Pp
+Access to system calls in capability mode is restricted: some system calls
+requiring global namespace access are unavailable, while others are
+constrained.
+For instance,
+.Xr sysctl 2
+can be used to query process-local information such as address space layout,
+but also to monitor a system’s network connections.
+.Xr sysctl 2
+is constrained by explicitly marking ≈30 of 3000 parameters as permitted in
+capability mode; all others are denied.
+.Pp
+The system calls which require constraints are
+.Xr sysctl 2 ,
+.Xr shm_open 2
+.Pq which is permitted to create anonymous memory objects but not named ones
+and the
+.Xr openat 2
+family of system calls.
+The
+.Xr openat 2
+calls already accept a file descriptor argument as the directory to perform the
+.Xr open 2 ,
+.Xr rename 2 ,
+etc. relative to; in capability mode the
+.Xr openat 2
+family of system calls are constrained so that they can only operate on
+objects “under” the provided file descriptor.
.It capabilities
Limit operations that can be called on file descriptors.
For example, a file descriptor returned by
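Review bot: "The system calls which require constraints are" followed by sysctl, shm_open and the openat family reads as an exhaustive statement about the kernel, but it is the list from the 2010 paper the attribution hunk cites, as is the "≈30 of 3000 parameters" figure; either date both ("in the original design, ...") or soften them to "Constrained system calls include ..." and "a small, explicitly marked subset of sysctl parameters" so the page does not go stale as parameters and constrained calls are added. Grammar: "the .Xr openat 2 family of system calls are constrained" should be "is constrained" (the subject is "family"), and "which require" should be "that require" in a restrictive clause. Style: the hunk introduces non-ASCII characters, the "≈", the curly apostrophe in "system’s" and the curly quotes in “under”; use "about 30", a plain apostrophe and `.Dq under`. Minor: after the `.Pq` line that parenthesises the shm_open note, the list continues with "and the" directly, so a comma is missing after the closing parenthesis (a trailing "," on the `.Pq` line would do).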
@@ -152,3 +186,14 @@
.An Kris Kennaway Aq Mt kris@FreeBSD.org
at Google, Inc., and
.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net .
+Portions of this man page are drawn from
+.Rs
+.%A Robert N. M. Watson
+.%A Jonathan Anderson
+.%A Ben Laurie
+.%A Kris Kennaway
+.%T Capsicum: practical capabilities for UNIX
+.%J USENIX Security Symposium
+.%D August 2010
+.%O DOI: 10.5555/1929820.1929824
+.Re
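Review bot: the reference is inserted into the AUTHORS paragraph immediately after "Pawel Jakub Dawidek ." with no `.Pp`, so "Portions of this man page are drawn from" renders as a continuation of the sentence listing the authors; start it with `.Pp`, or move it under its own heading if the page gains one. In the `.Rs` block, `.%J` is the journal macro, while this is a conference paper; `.%B Proceedings of the 19th USENIX Security Symposium` (optionally with `.%C` for the location) is the usual form, with `.%D August 2010` kept as is. The identifier in `.%O DOI: 10.5555/1929820.1929824` uses the 10.5555 prefix, which is the ACM Digital Library's record-identifier prefix for papers it mirrors rather than a DOI registered by the publisher, so please verify it resolves at doi.org before committing, and consider a `.%U` pointing at the USENIX proceedings page alongside or instead of it.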
Attached To
D50855: capsicum.4: Add some more detail from the Capsicum paper