Add capsicum to jails

  1. Is there a plan to add capsicum to jail configuration? It seems right now an application has to implement capsicum itself to leverage that crucial extra layer of security. But we want to run/configure capsicum on top of an application when we set up a jail. 👮‍♂️
  2. We also want to filter syscalls a sandboxed application can make - should be relatively easy to implement, so why hasn't syscall filtering even been implemented in capsicum yet? 🧩
 

This adds a capsicum wrapper to an existing program. I don't know if one could use this to 'capsicumize' a jail.
Thanks for that!

Firefox already implements capsicum, for example. But capsicum itself is lacking syscall filtering, which is sort of mitigated, but it'd still be more secure to just whitelist a set of permitted syscalls without relying on an application to do it and having to worry about the app implementing that properly.

The issue, thus, first and foremost, is not to use a capsicum wrapper but to have capsicum filter syscalls. Then this capsicum wrapper seems employable for this purpose, but it'd be so nice to just have a jail option to do some capsicum stuff on a jailed process.
 
I don't know, I see a typical response "just fork FreeBSD and do your own thing." But I see this as part of FreeBSD. Why wasn't syscall filtering implemented when everything-else filtering was implemented in capsicum?
 
I don't know, I see a typical response "just fork FreeBSD and do your own thing." But I see this as part of FreeBSD. Why wasn't syscall filtering implemented when everything-else filtering was implemented in capsicum?
If you want an official answer, you can try the mailing list archives. I'd be surprised if it hasn't been discussed there at some point. The emails there should contain whatever the official reason for not having it are, if there was a deliberate decision to not include it. Adding it is another layer of security, but it's also another layer of complications in terms of stuff that can go wrong and it may very well be that it's an unnecessary layer of security for most people.
 
Capsicum is more granular and works on file descriptors so it's not that easy. It's for programs to sandbox themselves. I think that's why Capsicum in Linux implemented by Google never took off.

The best you can do is to load it via LD_PRELOAD to enter capability mode, but this will work only on dynamically compiled programs. I played with this concept here but it's not that great:
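To make the LD_PRELOAD idea in the post above concrete, here is an added example of such a shim; it is not the poster's code nor anything shipped with FreeBSD. A constructor in the shared object runs before the wrapped program's `main()`, pre-opens a list of directories as read-only, rights-limited descriptors, and then calls `cap_enter(2)`. The environment variable names (`CAPSHIM_ENTER`, `CAPSHIM_PREOPEN`) are this example's own invention. On hosts without Capsicum the `sys/capsicum.h` calls are compiled out and `enter_capability_mode()` reports `ENOSYS`, so the file still builds and the descriptor-handling helpers can be exercised there; the actual sandboxing only happens on FreeBSD.

```c
/* capshim.c: LD_PRELOAD shim that drops an unmodified, dynamically linked
 * program into Capsicum capability mode before its main() runs.
 *
 * Build (FreeBSD):  cc -shared -fPIC -o capshim.so capshim.c
 * Use:  CAPSHIM_ENTER=1 CAPSHIM_PREOPEN=/etc:/usr/share \
 *       LD_PRELOAD=./capshim.so ./prog
 *
 * CAPSHIM_ENTER    opt-in switch; unset means the shim does nothing.
 * CAPSHIM_PREOPEN  colon-separated directories opened read-only before
 *                  cap_enter(); fd numbers are printed to stderr.
 * (Both names are constructed for this example, not a FreeBSD interface.)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* 1 = in capability mode, 0 = not, -1 = Capsicum unavailable on this OS. */
int capmode_state(void)
{
#ifdef __FreeBSD__
    unsigned int mode = 0;
    if (cap_getmode(&mode) != 0)
        return -1;
    return mode ? 1 : 0;
#else
    return -1;
#endif
}

/* Open a directory and limit the descriptor to read/lookup/stat/seek rights.
 * Returns the fd, or -1 with errno set. Off FreeBSD the rights-limiting step
 * is compiled out, so only the open() happens. */
int preopen_readonly_dir(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return -1;
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_LOOKUP, CAP_FSTAT, CAP_SEEK);
    if (cap_rights_limit(fd, &rights) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
#endif
    return fd;
}

/* Pre-open every directory in a colon-separated list. Returns how many
 * descriptors were obtained; entries that fail are reported and skipped. */
int preopen_list(const char *list)
{
    int count = 0;
    if (list == NULL || *list == '\0')
        return 0;
    char *copy = strdup(list);
    if (copy == NULL)
        return 0;
    char *save = NULL;
    for (char *tok = strtok_r(copy, ":", &save); tok != NULL;
         tok = strtok_r(NULL, ":", &save)) {
        int fd = preopen_readonly_dir(tok);
        if (fd < 0) {
            fprintf(stderr, "capshim: cannot preopen %s: %s\n", tok, strerror(errno));
            continue;
        }
        fprintf(stderr, "capshim: fd %d = %s (read-only)\n", fd, tok);
        count++;
    }
    free(copy);
    return count;
}

/* Enter capability mode. After this, global-namespace calls such as
 * open("/etc/passwd") fail with ECAPMODE; only openat() relative to
 * descriptors the process already holds keeps working. */
int enter_capability_mode(void)
{
#ifdef __FreeBSD__
    return cap_enter();
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Runs before the wrapped program's main() when loaded via LD_PRELOAD.
 * A statically linked binary never loads this library at all, which is the
 * limitation the post above points out. */
__attribute__((constructor))
static void capshim_init(void)
{
    if (getenv("CAPSHIM_ENTER") == NULL)
        return;
    preopen_list(getenv("CAPSHIM_PREOPEN"));
    if (enter_capability_mode() != 0)
        fprintf(stderr, "capshim: cap_enter failed: %s\n", strerror(errno));
}
```

The weak spot is visible in the design: the shim can pre-open directories, but the wrapped program has no idea those descriptors exist and will keep calling `open()` with absolute paths, which is exactly what capability mode forbids. That is why Capsicum is built for programs that sandbox themselves after setting up their own descriptors, rather than being bolted on from outside.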

 
I don't know, I see a typical response "just fork FreeBSD and do your own thing."
No-one is saying that so far as I can see.

You may not be aware that the tone of your messages is very much "why on EARTH have these very obvious things that are important to ME not been implemented? Ridiculous!"

Hence the replies along the lines of "please go ahead and send some patches or proof of concept of code or sponsor a developer to do the work".

If something hasn't been done that suggests it is more complicated than you realise, or maybe an unpaid volunteer just wasn't interested in doing work in that direction or part of the system or whatever. Or they had lives to lead.

It's open source, you can contribute the expertise or dollars required, and hopefully someone else will be pleased to see the changes in FreeBSD.
 
"why on EARTH have these very obvious things that are important to ME not been implemented? Ridiculous!"
And your tone is extremely presumptuous. Which is why atax1a liked your post.

Security is not important to just me, so it's unclear what you are even talking about.

I'm not at a point of where I can just write code for FreeBSD. I did submit two patches on bugs.freebsd.org for some of my devices whose device IDs weren't in the source code. I don't even know if anyone is adding them to FreeBSD 16 code. They're still in the "New" status, and it's just simply adding new device IDs that I tested to be working. Forget adding some more complex code.
 
if you don't (as you, yourself, claim) know how to implement features, then you shouldn't go around claiming that some feature or another is "easy to implement". hth
 
I don't know, I see a typical response "just fork FreeBSD and do your own thing." But I see this as part of FreeBSD. Why wasn't syscall filtering implemented when everything-else filtering was implemented in capsicum?
The answer is easy enough. Ideas are cheap and easy. Implementing them is hard.

 