[GSOC] capsicum final report

Loganaden Velvindron loganaden at gmail.com
Sun Sep 22 13:41:02 PDT 2013

Congratulations Joris!

On Mon, Sep 23, 2013 at 12:29 AM, Joris Giovannangeli
<joris at giovannangeli.fr> wrote:
> Hi,
> this is my final GSOC report. This week, I've been working on the new
> capsicum API written by FreeBSD. I've been mostly trying to redesign the
> implementation, because I was not happy with it, but I had to wait to
> talk with Matt Dillon on Friday for him to find a good design. I've been
> writing an awk script and part of the implementation during this weekend.
> The GSOC ends, but my capsicum implementation is far from finished. A
> quick summary of what I did:
>  * Capability rights attached to file descriptors are finished and I think
> quite stable. My vkernel survived a buildworld, but I've not done any
> test on real hardware yet.
>  * The ioctl whitelists attached to file descriptors are also working.
> The test suite from FreeBSD for both capability rights and ioctl
> whitelists passes.
>  * Process descriptors have been added, but left untouched since July.
> They were working, but pdwait is not implemented yet, nor kqueue on
> process descriptors.
>  * Path resolution has been adapted to capsicum. Absolute lookups are
> forbidden in capability mode, including following symlinks. Only strictly
> relative lookups are allowed, which means that the resolved namecache
> entry must be under the starting point. The semantics are different from
> the FreeBSD implementation, because FreeBSD forbids ".." in the path to
> enforce strictly relative lookups. Dillon proposed a different solution
> to avoid the races which can occur when a rename and an open are performed
> at the same time: we walk the namecache upwards from the resolved
> namecache entry to find out if we are still under the starting point. The
> capability rights are also checked using the nlookup flag. For instance,
> if NLC_RENAME_SRC is set, the file descriptor used as the starting point of
> the lookup must have CAP_UNLINK set. This is mostly working, as far as I
> know, but more testing is needed for such a critical part of the
> sandboxing mechanism. For instance, if there is an NFS mount, bad things
> could happen.
>  * Most of the kernel has been converted to the capsicum API. I've read all
> the code of the syscalls which deal with file descriptors to determine
> which rights they need. It's not perfect, because for a few of them, I
> could not decide, and left the issue for later.
>  * I've reworked the Unix domain socket code handling file descriptor
> passing to take capabilities into account. The capability rights
> attached to a descriptor are also passed and the receiving process gets
> a file descriptor with the same rights as the sending process. This is
> the basis of capsicum. The tests pass, but more tests are needed to
> check that I did not break the garbage collection of revoked file
> descriptors.
>  * I've added connectat and bindat syscalls for Unix domain sockets,
> which are just like the other *at syscalls.
>  * There are no man pages yet. FreeBSD wrote a few of them, but I did not
> feel like adapting them since I knew the API would change again.
> This is the end of GSOC, and I really enjoyed working with DragonFly this
> summer, and with DragonFly's people. But it's certainly not the end of
> my capsicum work :) Stay tuned for further updates.
> Regards,
> Joris

This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
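The path-resolution rule described in the quoted report, as an added in-memory model rather than DragonFly kernel code: a small namecache-like tree, an ordinary relative lookup that still honours ".." and symlinks, and the walk-upward check that accepts the result only if the walk reaches the starting directory. The tree, its names, the `depth` limit and the function names are constructed assumptions; the real race with a concurrent rename is not simulated, only the check that makes it harmless.

```c
#include <stdlib.h>
#include <string.h>
struct node {                            /* stand-in for a namecache entry */
    const char *name, *symlink;          /* symlink: target path, or NULL */
    struct node *parent, *kids[8]; int nkids;
};
static struct node *mknode(struct node *parent, const char *name, const char *symlink) {
    struct node *n = calloc(1, sizeof *n);
    n->name = name; n->symlink = symlink;
    n->parent = parent ? parent : n;     /* the root is its own parent */
    if (parent) parent->kids[parent->nkids++] = n;
    return n;
}
/* Ordinary lookup from cwd: ".." climbs and symlinks are followed; absolute paths,
 * including absolute symlink targets, are refused as they are in capability mode. */
static struct node *resolve(struct node *cwd, const char *path, int depth) {
    if (depth > 8 || path[0] == '/') return NULL;
    for (const char *p = path; *p; ) {
        size_t len = strcspn(p, "/");
        const char *comp = p;
        p += len + (p[len] == '/');
        if (len == 0 || (len == 1 && comp[0] == '.')) continue;
        if (len == 2 && !strncmp(comp, "..", 2)) { cwd = cwd->parent; continue; }
        struct node *n = NULL;
        for (int i = 0; i < cwd->nkids; i++)
            if (strlen(cwd->kids[i]->name) == len && !strncmp(cwd->kids[i]->name, comp, len))
                n = cwd->kids[i];
        if (n && n->symlink) n = resolve(cwd, n->symlink, depth + 1);
        if (!(cwd = n)) return NULL;     /* missing component or refused link */
    }
    return cwd;
}
/* The report's check: walk parent links up from the result; accept only if the walk
 * reaches the start, so ".." is fine as long as the result stays inside. */
static int cap_lookup_ok(struct node *start, const char *path) {
    for (struct node *n = resolve(start, path, 0); n; n = n->parent) {
        if (n == start) return 1;
        if (n == n->parent) return 0;    /* hit the root without passing start */
    }
    return 0;
}
/* Constructed tree: /etc/passwd, /home/sandbox/data/file.txt, sandbox/up -> ../../etc,
 * sandbox/abs -> /etc. Returns the sandbox node used as the lookup start. */
static struct node *demo_sandbox(void) {
    struct node *root = mknode(NULL, "/", NULL), *etc = mknode(root, "etc", NULL);
    struct node *sb = mknode(mknode(root, "home", NULL), "sandbox", NULL);
    mknode(etc, "passwd", NULL); mknode(mknode(sb, "data", NULL), "file.txt", NULL);
    mknode(sb, "up", "../../etc"); mknode(sb, "abs", "/etc");
    return sb;
}
```

With this rule "data/../data/file.txt" is accepted while "../../etc/passwd", "/etc/passwd" and both escaping symlinks are refused, which is the difference from FreeBSD's blanket ban on ".." that the report describes.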
