capsicum.4: Add some more detail from the Capsicum paper

Adapt some language from "Capsicum: practical capabilities for UNIX"
https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf

Reviewed by:	markj
Discussed with:	rwatson
Event:		Kitchener-Waterloo Hackathon 202506
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D50855
Ed Maste
2025-06-14 13:57:33 -04:00
parent df4b9fa460
commit c54534e602
+46 -1
@@ -24,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE. .\" SUCH DAMAGE.
.\" .\"
.Dd June 5, 2025 .Dd June 17, 2025
.Dt CAPSICUM 4 .Dt CAPSICUM 4
.Os .Os
.Sh NAME .Sh NAME
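Review bot: the .Dd line is bumped to June 17, 2025 while the commit itself is dated 2025-06-14; confirm that .Dd reflects the date the change actually lands, since the two currently disagree.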
@@ -37,6 +37,12 @@
.Nm .Nm
is a lightweight OS capability and sandbox framework implementing a hybrid is a lightweight OS capability and sandbox framework implementing a hybrid
capability system model. capability system model.
.Nm
is designed to blend capabilities with UNIX.
This approach achieves many of the benefits of least-privilege operation, while
preserving existing UNIX APIs and performance, and presents application authors
with an adoption path for capability-oriented design.
.Pp
Capabilities are unforgeable tokens of authority that can be delegated and must Capabilities are unforgeable tokens of authority that can be delegated and must
be presented to perform an action. be presented to perform an action.
.Nm .Nm
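Review bot: the new sentence "is designed to blend capabilities with UNIX." writes UNIX as a literal word; mdoc provides the .Ux macro for this, so ending the line as `is designed to blend capabilities with` followed by `.Ux .` would match the macro usage elsewhere in section 4 pages. The following sentence on least-privilege operation reads well as is.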
@@ -59,6 +65,34 @@ namespaces) is restricted; only explicitly delegated rights, referenced by
memory mappings or file descriptors, may be used. memory mappings or file descriptors, may be used.
Once set, the flag is inherited by future children processes, and may not be Once set, the flag is inherited by future children processes, and may not be
cleared. cleared.
.Pp
Access to system calls in capability mode is restricted: some system calls
requiring global namespace access are unavailable, while others are
constrained.
For instance,
.Xr sysctl 2
can be used to query process-local information such as address space layout,
but also to monitor a systems network connections.
.Xr sysctl 2
is constrained by explicitly marking ≈60 of over 15000 parameters as permitted
in capability mode; all others are denied.
.Pp
The system calls which require constraints are
.Xr sysctl 2 ,
.Xr shm_open 2
.Pq which is permitted to create anonymous memory objects but not named ones
and the
.Xr openat 2
family of system calls.
The
.Xr openat 2
calls already accept a file descriptor argument as the directory to perform the
.Xr open 2 ,
.Xr rename 2 ,
etc. relative to; in capability mode the
.Xr openat 2
family of system calls are constrained so that they can only operate on
objects “under” the provided file descriptor.
.It capabilities .It capabilities
Limit operations that can be called on file descriptors. Limit operations that can be called on file descriptors.
For example, a file descriptor returned by For example, a file descriptor returned by
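Review bot: "but also to monitor a systems network connections" in the sysctl example is missing an apostrophe and should read "a system's network connections". In the same paragraph, the non-ASCII "≈60" and the curly quotes in `objects “under” the provided file descriptor.` should be expressed in ASCII or mdoc, for example "about 60" and `.Dq under`, since manual pages are expected to stay 7-bit clean and let the formatter supply quotes. The counts (about 60 of over 15000 parameters) are taken from the 2010 paper and are unlikely to match the current tree; consider qualifying them with "at the time of the Capsicum paper" or dropping the specific figures so the page does not go stale.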
@@ -152,3 +186,14 @@ and
.An Kris Kennaway Aq Mt kris@FreeBSD.org .An Kris Kennaway Aq Mt kris@FreeBSD.org
at Google, Inc., and at Google, Inc., and
.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net . .An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net .
Portions of this manual page are drawn from
.Rs
.%A Robert N. M. Watson
.%A Jonathan Anderson
.%A Ben Laurie
.%A Kris Kennaway
.%T Capsicum: practical capabilities for UNIX
.%J USENIX Security Symposium
.%D August 2010
.%O DOI: 10.5555/1929820.1929824
.Re
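Review bot: the .Rs block gives the DOI via .%O but no URL, even though the commit message already cites the paper at https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf; adding a `.%U` line with that URL before `.Re` lets readers reach the paper directly.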