Comments (41)
- brynet: EDIT: Article seems to have been updated to remove mention of Chromium.

  This article contains a lot of errors, for example Chromium on FreeBSD does NOT use Capsicum, it never has. That was experimental and invasive work done 17 years ago that was NEVER committed to their official ports repository. In fact, not a single browser on FreeBSD uses Capsicum or any form of sandboxing _at all_.

  https://github.com/rwatson/chromium-capsicum
  https://www.freshports.org/www/chromium/
  https://cgit.freebsd.org/ports/log/www/chromium/Makefile?qt=...

  Contrast that with OpenBSD, where the Chromium port has used pledge(2) since January 2016, and unveil(2) since 2018. Both are enabled by default. Mozilla Firefox ports also use both pledge and unveil since 2018-2019, with refinements over the years.

  https://marc.info/?l=openbsd-ports-cvs&m=145211683609002&w=2
  https://marc.info/?l=openbsd-ports-cvs&m=153250162128188&w=2

  OpenBSD's fork of tcpdump has been privsep for ~22 years, and its packet parser runs with no privileges. It's pledged tightly "stdio" and has no network/filesystem access, and uses OpenBSD specific innovations like bpf descriptor locking (BIOCLOCK) missing from both FreeBSD/Linux tcpdump today (despite FreeBSD adding the ioctl in 2005).

  In the years since it was added, the reason Capsicum has only been applied to a handful of utilities is because it's a tree barren of decades worth of incremental work on privilege separation and security research.
- PeterWhittaker: Interesting article, but it compares apples to a fruit stand: The approach could be improved by comparing Capsicum to using seccomp in the same way.

  Sometime ago I wrote a library for a customer that did exactly that: Open a number of resources, e.g., stdin, stdout, stderr, a pipe or two, a socket or two, make the seccomp calls necessary to restrict the use of read/write/etc. to the associated file descriptors, then lock out all other system calls - which includes seccomp-related calls.

  Basically, the library took a very Capsicum-like approach of whitelisting specific actions then sealing itself against further changes.

  This is a LOT of work, of course, and the available APIs don't make it particularly easy or elegant, but it is definitely doable. I chose this approach because the docker whitelist approach was far too open ended and "uncurated", if you will, for the use-case we were targeting.

  In this particular case, I was aided by the fact the library was written to support the very specific use-case of filters running in containers using FIFOs for IPC, logging, and reporting: Every filter saw exactly the same interfaces to the world, so it was relatively easier to lock things down.

  Having said that, I wish Linux had a Capsicum-equivalent call, or, even better for the approach I took, a friendlier way to whitelist specific calls.
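The approach the comment above describes, as an added example that is not the commenter's library or any code from the thread: a seccomp-bpf filter that permits read/write only on three file descriptors, keeps exit_group so the process can still terminate, and kills the process on any other syscall, prctl/seccomp included, so the policy cannot be loosened afterwards. The fd numbers, the demo child, and the x86_64/aarch64-only ABI check are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __x86_64__
#define ARCH_NR AUDIT_ARCH_X86_64
#else
#define ARCH_NR AUDIT_ARCH_AARCH64 /* assumption: the demo only covers these two ABIs */
#endif
/* Seal the caller: read/write only on the three fds, exit_group kept; anything else kills it. */
static int install_fd_filter(int fd_a, int fd_b, int fd_c) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),         /* other ABI: kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 7, 0), /* -> allow */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 1, 0),       /* -> fd check */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 4),      /* else -> kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)fd_a, 3, 0),  /* low 32 bits of */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)fd_b, 2, 0),  /* the fd argument */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)fd_c, 1, 0),  /* (little-endian) */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* Demo: a child seals itself, writes "ok" to the one pipe it may use, then makes a
 * forbidden call. Returns the signal that killed it (SIGSYS expected), -1/-2 on failure. */
static int run_sandboxed_child(void) {
    char buf[3] = {0}; int p[2], status = 0;
    if (pipe(p) != 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {
        if (install_fd_filter(1, 2, p[1]) != 0) _exit(99);
        if (write(p[1], "ok", 2) < 0) _exit(98); /* allowed: p[1] is on the list */
        syscall(SYS_getpid);                     /* not on the list: killed right here */
        _exit(0);
    }
    close(p[1]); ssize_t n = read(p[0], buf, 2); /* the permitted write must get through */
    close(p[0]); waitpid(pid, &status, 0);
    if (n != 2 || buf[0] != 'o' || buf[1] != 'k') return -2;
    return WIFSIGNALED(status) ? WTERMSIG(status) : -1;
}
```

A production filter would also reject the x32 ABI on x86_64 and cover whatever other syscalls the sealed program genuinely needs (e.g. close, poll), each added deliberately rather than by a broad profile.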
- adiabatichottub: One question I've always had about these capability systems is: why isn't there a way to set capabilities from the parent process when execing? Why trust a program to set its own capabilities? I know that having a process set capabilities on itself doesn't break existing tools, but it seems like if you really wanted a robust system it would make sense to have the parent process, the user's shell for example, set the capabilities on its children, and have those capabilities be inheritable so the child could spawn other processes with the same or fewer capabilities (if it's allowed to do that at all). Is there an existing system that works this way, in or outside of the UNIX family? Or maybe some research paper written on the subject? I'd love to know.
- thomashabets2: Yeah I'm not a fan of seccomp (https://blog.habets.se/2022/03/seccomp-unsafe-at-any-speed.h...). On Linux I understand that Landlock is the way to go.
- ruslan: Excuse me for being ignorant, is Seccomp what SELinux is based on? Also, what is a well-known piece of software that uses Capsicum on FreeBSD? Can someone name a few?
- littlestymaar: I've seen AI written blog posts before, but this is one step above: the entire blog (~90 articles) has been AI generated over the past three months.

  I already find it very frustrating that most open source projects spawning on HN's front page are resume-boosting AI slop, but if blogs start being the same the internet is definitely dead.

  Edit: it doesn't even look like it's resume-boosting in this case, the "person" behind it doesn't even appear to exist. We can only speculate about the intent behind this.
- jmclnx: This site is a perfect example showing why people are complaining about grey text, to me it is unreadable. See: https://news.ycombinator.com/item?id=47268574
- thedatamonger: so .. if I'm getting this right, this is an article about security, but the author can't be bothered to configure https correctly?