Hi, this is my final GSOC report. This week, I've been working on the new capsicum API written by FreeBSD. I've been mostly trying to redesign the implementation, because I was not happy with it, but I had to wait to talk with Matt Dillon on Friday for him to find a good design. I've been writing an awk script and part of the implementation during this weekend.

The GSOC ends, but my capsicum implementation is far from finished. A quick summary of what I did:

* Capability rights attached to file descriptors are finished and I think quite stable. My vkernel survived a buildworld, but I've not done any test on real hardware yet.

* The ioctl whitelists attached to file descriptors are also working. The test suite from FreeBSD for both capability rights and ioctl whitelists passes.

* Process descriptors have been added, but left untouched since July. They were working, but pdwait is not implemented yet, nor kqueue on process descriptors.

* Path resolution has been adapted to capsicum. Absolute lookups are forbidden in capability mode, including following symlinks. Only strictly relative lookups are allowed, which means that the resolved namecache entry must be under the starting point. The semantics are different from the FreeBSD implementation, because FreeBSD forbids ".." in the path to enforce strictly relative lookups. Dillon proposed a different solution to avoid the races which can occur when a rename and an open are performed at the same time: we walk the namecache upwards from the resolved namecache entry to find out if we are still under the starting point. The capability rights are also checked using the nlookup flags. For instance, if NLC_RENAME_SRC is set, the file descriptor used as the starting point of the lookup must have CAP_UNLINK set. This is mostly working, as far as I know, but more testing is needed for such a critical part of the sandboxing mechanism. For instance, if there is an NFS mount, bad things could happen.

* Most of the kernel has been converted to the capsicum API. I've read all the code of the syscalls which deal with file descriptors to determine which rights they need. It's not perfect, because for a few of them I could not decide, and left the issue for later.

* I've reworked the Unix domain socket code handling file descriptor passing to take capabilities into account. The capability rights attached to a descriptor are also passed, and the receiving process gets a file descriptor with the same rights as the sending process. This is the basis of capsicum. The tests pass, but more tests are needed to check that I did not break the garbage collection of revoked file descriptors.

* I've added connectat and bindat syscalls for Unix domain sockets, which are just like the other *at syscalls.

* There are no man pages yet. FreeBSD wrote a few of them, but I did not feel like adapting them since I knew the API would change again.

This is the end of GSOC, and I really enjoyed working with DragonFly this summer, and with DragonFly's people. But it's certainly not the end of my capsicum work :) Stay tuned for further updates.

Regards,
Joris
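The strictly relative lookup check described in the report (walk the namecache upwards from the resolved entry and require that the starting directory is reached, instead of rejecting ".." in the path text), as an added C model that is not the report's code nor DragonFly's: a toy namecache with parent pointers, a constructed directory tree, and a check that also covers the nlookup-flag rule (NLC_RENAME_SRC requires CAP_UNLINK on the starting descriptor). The flag names CAP_UNLINK and NLC_RENAME_SRC come from the report; CAP_LOOKUP is assumed, and all flag values, the tree, and the status codes are made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy namecache entry: a name and a parent pointer (constructed model, not
 * the real struct namecache). */
struct ncp {
    const char *name;
    struct ncp *parent;
};

/* Constructed directory tree:
 *   /home/sandbox/data/file.txt   (inside the sandboxed directory)
 *   /home/other/secret            (outside it) */
static struct ncp n_root    = { "/",        NULL };
static struct ncp n_home    = { "home",     &n_root };
static struct ncp n_sandbox = { "sandbox",  &n_home };
static struct ncp n_data    = { "data",     &n_sandbox };
static struct ncp n_file    = { "file.txt", &n_data };
static struct ncp n_other   = { "other",    &n_home };
static struct ncp n_secret  = { "secret",   &n_other };

/* Hypothetical capability and nlookup flags; the names CAP_UNLINK and
 * NLC_RENAME_SRC appear in the report, CAP_LOOKUP and all values are assumed. */
#define CAP_LOOKUP     0x1u
#define CAP_UNLINK     0x2u
#define NLC_RENAME_SRC 0x1u

enum lookup_status {
    LOOKUP_OK,
    LOOKUP_EABSOLUTE,    /* absolute path in capability mode */
    LOOKUP_ENOTCAPABLE,  /* starting descriptor lacks a required right */
    LOOKUP_EESCAPE       /* resolved entry is not under the starting directory */
};

/* Walk upward from the resolved entry through parent pointers: the lookup
 * stayed relative only if the starting entry is met on the way to the root. */
static bool ncp_is_under(const struct ncp *resolved, const struct ncp *start)
{
    for (const struct ncp *p = resolved; p != NULL; p = p->parent)
        if (p == start)
            return true;
    return false;
}

/* Decide whether a capability-mode lookup is allowed. `start` is the entry of
 * the directory descriptor the lookup started from, `rights` its capability
 * rights, `nlc` the nlookup flags and `resolved` the entry the lookup ended at
 * after following any symlinks. The decision is made on the resolved entry,
 * not on the path text, so ".." is fine as long as we end up inside. */
static enum lookup_status check_lookup(const char *path, unsigned rights, unsigned nlc,
                                       const struct ncp *start, const struct ncp *resolved)
{
    if (path[0] == '/')
        return LOOKUP_EABSOLUTE;
    if (!(rights & CAP_LOOKUP))
        return LOOKUP_ENOTCAPABLE;
    if ((nlc & NLC_RENAME_SRC) && !(rights & CAP_UNLINK))
        return LOOKUP_ENOTCAPABLE;
    if (!ncp_is_under(resolved, start))
        return LOOKUP_EESCAPE;
    return LOOKUP_OK;
}

static const char *status_name(enum lookup_status s)
{
    static const char *names[] = { "OK", "EABSOLUTE", "ENOTCAPABLE", "EESCAPE" };
    return names[s];
}

int main(void)
{
    /* Each line: the path as typed, then the entry it would resolve to. */
    printf("data/file.txt          -> %s\n", status_name(check_lookup("data/file.txt",
           CAP_LOOKUP, 0, &n_sandbox, &n_file)));
    printf("data/../data/file.txt  -> %s\n", status_name(check_lookup("data/../data/file.txt",
           CAP_LOOKUP, 0, &n_sandbox, &n_file)));
    printf("../other/secret        -> %s\n", status_name(check_lookup("../other/secret",
           CAP_LOOKUP, 0, &n_sandbox, &n_secret)));
    /* "link" is a symlink inside the sandbox pointing at /home/other/secret */
    printf("link (symlink outside) -> %s\n", status_name(check_lookup("link",
           CAP_LOOKUP, 0, &n_sandbox, &n_secret)));
    printf("/home/other/secret     -> %s\n", status_name(check_lookup("/home/other/secret",
           CAP_LOOKUP, 0, &n_sandbox, &n_secret)));
    printf("rename src, no CAP_UNLINK -> %s\n", status_name(check_lookup("data/file.txt",
           CAP_LOOKUP, NLC_RENAME_SRC, &n_sandbox, &n_file)));
    return 0;
}
```

The point of checking the resolved entry rather than the path string is the rename race mentioned in the report: a textual ".." filter decides before the lookup runs, while the upward walk decides on what the lookup actually reached, so a directory renamed out from under the starting point during the walk does not slip through. The model deliberately has no locking; in a real kernel the upward walk has to be done while the namecache entries cannot change underneath it.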
