Capsicum

Saw this in the quarterly report - http://lists.freebsd.org/pipermail/free ... 77085.html

Capsicum and Casper

URL: http://freebsdfoundation.blogspot.com/2 ... sicum.html

Contact: Pawel Jakub Dawidek

Capsicum is a lightweight OS capability and sandbox framework
implementing a hybrid capability system model. The Casper daemon
enables sandboxed applications to use functionality normally unavailable
in capability-mode sandboxes.

The Casper daemon, libcasper, libcapsicum(3), libnv(3) and Casper
services (system.dns, system.grp, system.pwd, system.random and
system.sysctl) have been committed to FreeBSD head. The tcpdump(8)
utility in head now uses the system.dns service to do DNS lookups. The
kdump(1) utility in head now uses the system.pwd and system.grp
services to convert user and group identifiers to user and group names.

There is ongoing work to sandbox more applications. If you are
interested in helping to make FreeBSD more secure and would like to
learn about Capsicum and Casper, do not hesitate to contact Pawel -- he
can provide candidate programs that could use sandboxing.

This project is sponsored by The FreeBSD Foundation.

I thought this sandboxing method for Solaris was neat - https://blogs.oracle.com/gfaden/entry/a ... sandboxing
I wonder if it's possible to achieve something similar with FreeBSD?