[GSOC] capsicum final report

Joris Giovannangeli joris at giovannangeli.fr
Sun Sep 22 13:29:45 PDT 2013


This is my final GSOC report. This week, I've been working on the new
capsicum API written by FreeBSD. I've been mostly trying to redesign the
implementation, because I was not happy with it, but I had to wait to
talk with Matt Dillon on Friday for him to find a good design. I've been
writing an awk script and part of the implementation during this weekend.

The GSOC ends, but my capsicum implementation is far from finished. A
quick summary of what I did:

 * Capability rights attached to file descriptors are finished and I think
quite stable. My vkernel survived a buildworld, but I've not done any
test on real hardware yet.

 * The ioctl whitelists attached to file descriptors are also working.
The test suite from FreeBSD for both capability rights and ioctl
whitelists passes.

 * Process descriptors have been added, but left untouched since July.
They were working, but pdwait is not implemented yet, nor kqueue on
process descriptors.

 * Path resolution has been adapted to capsicum. Absolute lookups are
forbidden in capability mode, including following symlinks. Only strictly
relative lookups are allowed, which means that the resolved namecache
entry must be under the starting point. The semantics are different from
the FreeBSD implementation, because FreeBSD forbids ".." in the path to
enforce strictly relative lookups. Dillon proposed a different solution
to avoid the races which can occur when rename and open are performed
at the same time: we walk the namecache upwards from the resolved
namecache entry to find out if we are still under the starting point. The
capability rights are also checked using the nlookup flag. For instance,
if NLC_RENAME_SRC is set, the file descriptor used as the starting point of
the lookup must have CAP_UNLINK set. This is mostly working, as far as I
know, but more testing is needed for such a critical part of the
sandboxing mechanism. For instance, if there is an NFS mount, bad things
could happen.

 * Most of the kernel has been converted to the capsicum API. I've read all
the code of the syscalls which deal with file descriptors to determine
which rights they need. It's not perfect, because for a few of them, I
could not decide, and left the issue for later.

 * I've reworked the Unix domain socket code handling file descriptor
passing to take capabilities into account. The capability rights
attached to a descriptor are also passed and the receiving process gets
a file descriptor with the same rights as the sending process. This is
the basis of capsicum. The tests pass, but more tests are needed to
check that I did not break the garbage collection of revoked file

 * I've added connectat and bindat syscalls for Unix domain sockets,
which are just like the other *at syscalls.

 * There are no man pages yet. FreeBSD wrote a few of them, but I did not
feel like adapting them since I knew the API would change again.

This is the end of GSOC, and I really enjoyed working with DragonFly this
summer, and with DragonFly's people. But it's certainly not the end of
my capsicum work :) Stay tuned for further updates.
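The strictly relative lookup described in the path resolution item above, as an added illustration that is not DragonFly's nlookup code: ".." is followed normally during resolution, and the result is then accepted only if walking the namecache upwards from the resolved entry reaches the starting point (so "../sandbox/file" is allowed while "../../../etc/passwd" and any absolute path are rejected). The index-based toy namecache, the directory tree and the function names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
/* Toy namecache: each entry records its parent as an index into the table
 * (-1 for the root). Constructed stand-in, not the kernel's own structure. */
struct ncp { const char *name; int parent; };
static const struct ncp ncache[] = {
    { "/", -1 }, { "home", 0 }, { "user", 1 }, { "sandbox", 2 },
    { "file", 3 }, { "etc", 0 }, { "passwd", 5 },
};
enum { NC_ROOT = 0, NC_USER = 2, NC_SANDBOX = 3, NC_FILE = 4, NC_PASSWD = 6 };
#define NCACHE_LEN ((int)(sizeof ncache / sizeof ncache[0]))

/* Walk the namecache upwards from ncp: it is under base iff the walk reaches base. */
static int ncp_is_under(int ncp, int base)
{
    for (; ncp != -1; ncp = ncache[ncp].parent)
        if (ncp == base)
            return 1;
    return 0;
}

/* Find the child of dir whose name is name[0..len), or -1 if there is none. */
static int ncp_child(int dir, const char *name, size_t len)
{
    for (int i = 0; i < NCACHE_LEN; i++)
        if (ncache[i].parent == dir && strlen(ncache[i].name) == len &&
            memcmp(ncache[i].name, name, len) == 0)
            return i;
    return -1;
}

/* Capability-mode lookup of path relative to start. ".." is followed while
 * resolving; afterwards the result is rejected if it escaped start.
 * Returns the resolved entry, or -1 (think ENOTCAPABLE / ENOENT). */
int capmode_lookup(int start, const char *path)
{
    int cur = start;
    if (path[0] == '/')            /* absolute lookups are forbidden in capability mode */
        return -1;
    while (*path != '\0') {
        const char *end = strchr(path, '/');
        size_t len = end ? (size_t)(end - path) : strlen(path);
        if (len == 2 && memcmp(path, "..", 2) == 0) {
            if (ncache[cur].parent != -1)
                cur = ncache[cur].parent;
        } else if (len > 0 && !(len == 1 && path[0] == '.')) {
            if ((cur = ncp_child(cur, path, len)) == -1)
                return -1;
        }
        path = end ? end + 1 : path + len;
    }
    return ncp_is_under(cur, start) ? cur : -1;   /* the upward namecache walk */
}
```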


