[cap-talk] FreeBSD Capsicum
Mark Seaborn
mrs at mythic-beasts.com
Thu Jan 21 10:09:42 PST 2010
I found out about this project today, "FreeBSD Capsicum":
http://www.cl.cam.ac.uk/research/security/capsicum/
"""
Capsicum is a lightweight OS capability and sandbox framework
developed at the University of Cambridge Computer Laboratory,
supported by a grant from Google. Capsicum extends the POSIX API,
providing several new OS primitives to support object-capability
security on UNIX-like operating systems:
* capabilities - refined file descriptors with fine-grained rights
* capability mode - process sandboxes that deny access to global namespaces
* process descriptors - capability-centric process ID replacement
* rtld-elf-cap - modified ELF run-time linker to construct
sandboxed applications
* libcapability - library to create and use capabilities and
sandboxed components
* libuserangel - library allowing sandboxed applications or
components to interact with user angels, such as Power Boxes.
We have prototyped Capsicum on FreeBSD 8.x, and our experimental code
is available under a BSD license to encourage open source, research,
and commercial deployment. We hope that the availability of Capsicum
will make it easier for software developers and researchers to use
capability-based security in operating systems and applications.
"""
Mark