[GSOC] capsicum week10

Joris Giovannangeli joris at giovannangeli.fr
Tue Aug 27 00:32:01 PDT 2013


this week I've finished the implementation of dntpd sandboxing. You can
see the work in the dnptd branch

I've split dntpd in two processes, one in capability mode, and the other
is privileged. The privileged process contains the list of names of the
ntp servers in an array. When the worker process wants to connect, it
sends a request to the privileged process using an index in the array to
identify the server. The privileged process opens an udp socket and
"connect" to the server. It sends back the file descriptor to the worker
process, with only CAP_SEND and CAP_RECV.

I fixed some panic I found running dntpd on a vkernel.

During the remaining tim eof the week, I didn't wrote much code. I spent
a lot of time reading the libcapsicum and libcasper API from freeBSD
(still in development) to understand the new plans for capsicum
userspace applications. I wrote some test program and I started a port
of the libs to dragonfly (not committed yet)

Best regards,


More information about the Kernel mailing list