.\"
.\" Copyright (c) 2011, 2013 Robert N. M. Watson
.\" Copyright (c) 2011 Jonathan Anderson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd January 3, 2024
.Dt CAPSICUM 4
.Os
.Sh NAME
.Nm Capsicum
.Nd lightweight OS capability and sandbox framework
.Sh SYNOPSIS
.Cd "options CAPABILITY_MODE"
.Cd "options CAPABILITIES"
.Sh DESCRIPTION
.Nm
is a lightweight OS capability and sandbox framework implementing a hybrid
capability system model.
Capabilities are unforgeable tokens of authority that can be delegated and must
be presented to perform an action.
.Nm
makes file descriptors into capabilities.
.Pp
.Nm
can be used for application and library compartmentalisation, the
decomposition of larger bodies of software into isolated (sandboxed)
components in order to implement security policies and limit the impact of
software vulnerabilities.
.Pp
.Nm
provides two core kernel primitives:
.Bl -tag -width indent
.It capability mode
A process mode, entered by invoking
.Xr cap_enter 2 ,
in which access to global OS namespaces (such as the file system and PID
namespaces) is restricted; only explicitly delegated rights, referenced by
memory mappings or file descriptors, may be used.
Once set, the flag is inherited by future child processes, and may not be
cleared.
.It capabilities
Limit operations that can be called on file descriptors.
For example, a file descriptor returned by
.Xr open 2
may be refined using
.Xr cap_rights_limit 2
so that only
.Xr read 2
and
.Xr write 2
can be called, but not
.Xr fchmod 2 .
The complete list of the capability rights can be found in the
.Xr rights 4
manual page.
.El
.Pp
In some cases,
.Nm
requires use of alternatives to traditional POSIX APIs in order to name
objects using capabilities rather than global namespaces:
.Bl -tag -width indent
.It process descriptors
File descriptors representing processes, allowing parent processes to manage
child processes without requiring access to the PID namespace; described in
greater detail in
.Xr procdesc 4 .
.It anonymous shared memory
An extension to the POSIX shared memory API to support anonymous swap objects
associated with file descriptors; described in greater detail in
.Xr shm_open 2 .
.El
.Pp
In some cases,
.Nm
limits the valid values of some parameters to traditional APIs in order to
restrict access to global namespaces:
.Bl -tag -width indent
.It process IDs
Processes can only act upon their own process ID with syscalls such as
.Xr cpuset_setaffinity 2 .
.El
.Sh SEE ALSO
.Xr cap_enter 2 ,
.Xr cap_fcntls_limit 2 ,
.Xr cap_getmode 2 ,
.Xr cap_ioctls_limit 2 ,
.Xr cap_rights_limit 2 ,
.Xr fchmod 2 ,
.Xr open 2 ,
.Xr pdfork 2 ,
.Xr pdgetpid 2 ,
.Xr pdkill 2 ,
.Xr pdwait4 2 ,
.Xr read 2 ,
.Xr shm_open 2 ,
.Xr write 2 ,
.Xr cap_rights_get 3 ,
.Xr capsicum_helpers 3 ,
.Xr libcasper 3 ,
.Xr procdesc 4
.Sh HISTORY
.Nm
first appeared in
.Fx 9.0 ,
and was developed at the University of Cambridge.
.Sh AUTHORS
.Nm
was developed by
.An -nosplit
.An Robert Watson Aq Mt rwatson@FreeBSD.org
and
.An Jonathan Anderson Aq Mt jonathan@FreeBSD.org
at the University of Cambridge, and
.An Ben Laurie Aq Mt benl@FreeBSD.org
and
.An Kris Kennaway Aq Mt kris@FreeBSD.org
at Google, Inc., and
.An Pawel Jakub Dawidek Aq Mt pawel@dawidek.net .