Congratulations Joris!
On Mon, Sep 23, 2013 at 12:29 AM, Joris Giovannangeli <[email protected]> wrote:
> Hi,
>
> this is my final GSOC report. This week, I've been working on the new
> capsicum API written by FreeBSD. I've been mostly trying to redesign the
> implementation, because I was not happy with it, but I had to wait to
> talk with Matt Dillon on Friday for him to find a good design. I've been
> writing an awk script and part of the implementation during this weekend.
>
> The GSOC ends, but my capsicum implementation is far from finished. A
> quick summary of what I did:
>
> * Capability rights attached to file descriptors are finished and I think
> quite stable. My vkernel survived a buildworld, but I've not done any
> tests on real hardware yet.
>
> * The ioctl whitelists attached to file descriptors are also working.
> The test suite from FreeBSD for both capability rights and ioctl
> whitelists passes.
>
> * Process descriptors have been added, but left untouched since July.
> They were working, but pdwait is not implemented yet, nor kqueue on
> process descriptors.
>
> * Path resolution has been adapted to capsicum. Absolute lookups are
> forbidden in capability mode, including following symlinks. Only strictly
> relative lookups are allowed, which means that the resolved namecache
> entry must be under the starting point. The semantics differ from
> the FreeBSD implementation, because FreeBSD forbids ".." in the path to
> enforce strictly relative lookups. Dillon proposed a different solution
> to avoid the races which can occur when rename and open are performed
> at the same time: we walk the namecache upwards from the resolved
> namecache entry to find out if we are still under the starting point. The
> capability rights are also checked using the nlookup flag. For instance,
> if NLC_RENAME_SRC is set, the file descriptor used as the starting point of
> the lookup must have CAP_UNLINK set. This is mostly working, as far as I
> know, but more testing is needed for such a critical part of the
> sandboxing mechanism. For instance, if there is an NFS mount, bad things
> could happen.
>
> * Most of the kernel has been converted to the capsicum API. I've read all
> the code of the syscalls which deal with file descriptors to determine
> which rights they need. It's not perfect, because for a few of them I
> could not decide, and left the issue for later.
>
> * I've reworked the Unix domain socket code handling file descriptor
> passing to take capabilities into account. The capability rights
> attached to a descriptor are also passed, and the receiving process gets
> a file descriptor with the same rights as the sending process. This is
> the basis of capsicum. The tests pass, but more tests are needed to
> check that I did not break the garbage collection of revoked file
> descriptors.
>
> * I've added connectat and bindat syscalls for Unix domain sockets,
> which are just like the other *at syscalls.
>
> * There are no man pages yet. FreeBSD wrote a few of them, but I did not
> feel like adapting them since I knew the API would change again.
>
> This is the end of GSOC, and I really enjoyed working with DragonFly this
> summer, and with DragonFly's people. But it's certainly not the end of
> my capsicum work :) Stay tuned for further updates.
>
> Regards,
> Joris

--
This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
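The strictly relative lookup that the quoted report describes (allow ".." during resolution, reject absolute paths and absolute symlink targets, then walk the resolved namecache entry upwards to confirm it is still under the starting point) can be illustrated with a small user-space model. The code below is an added example, not Joris's patch and not DragonFly's nlookup code: the `struct ncp`, `walk`, `cap_lookup` and `sample_lookup` names and the `cap_lookup_result` enum are constructed for this illustration, the directory tree is made up, and the per-flag rights check (NLC_RENAME_SRC requiring CAP_UNLINK) is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy namecache entry: name, optional symlink target,
 * parent pointer and children. Enough to model the upward walk. */
struct ncp {
    const char *name;
    const char *link_target;   /* NULL unless this entry is a symlink */
    struct ncp *parent;
    struct ncp *children[4];
    int nchildren;
};

/* Constructed result codes (names chosen for this example only). */
enum cap_lookup_result {
    CAP_OK = 0,
    CAP_EABSOLUTE,     /* absolute path or absolute symlink target */
    CAP_ENOTCAPABLE,   /* resolved entry is not under the starting point */
    CAP_ENOENT,
    CAP_ELOOP,
};

#define MAX_LINK_DEPTH 8

static struct ncp *ncp_child(const struct ncp *dir, const char *name)
{
    for (int i = 0; i < dir->nchildren; i++)
        if (strcmp(dir->children[i]->name, name) == 0)
            return dir->children[i];
    return NULL;
}

/* Resolve path components from cur. ".." is permitted here, which is
 * exactly why cap_lookup() must re-check containment on the result. */
static struct ncp *walk(struct ncp *cur, const char *path, int depth,
                        enum cap_lookup_result *err)
{
    if (path[0] == '/') { *err = CAP_EABSOLUTE; return NULL; }
    if (depth > MAX_LINK_DEPTH) { *err = CAP_ELOOP; return NULL; }

    const char *p = path;
    while (*p != '\0') {
        while (*p == '/') p++;                         /* skip separators */
        const char *end = p;
        while (*end != '\0' && *end != '/') end++;
        size_t n = (size_t)(end - p);
        if (n == 0) break;                             /* trailing slash */

        if (n == 1 && p[0] == '.') {
            /* "." stays put */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (cur->parent != NULL) cur = cur->parent;
        } else {
            char comp[64];
            if (n >= sizeof comp) { *err = CAP_ENOENT; return NULL; }
            memcpy(comp, p, n);
            comp[n] = '\0';
            struct ncp *next = ncp_child(cur, comp);
            if (next == NULL) { *err = CAP_ENOENT; return NULL; }
            if (next->link_target != NULL) {
                /* symlink: resolve its target relative to the directory holding it */
                next = walk(cur, next->link_target, depth + 1, err);
                if (next == NULL) return NULL;
            }
            cur = next;
        }
        p = end;
    }
    return cur;
}

/* Capability-mode lookup: resolve, then walk upward from the resolved
 * entry and require that the starting point is one of its ancestors. */
static enum cap_lookup_result cap_lookup(struct ncp *start, const char *path,
                                         struct ncp **out)
{
    enum cap_lookup_result err = CAP_OK;
    struct ncp *ncp = walk(start, path, 0, &err);
    if (ncp == NULL) return err;
    for (struct ncp *p = ncp; p != NULL; p = p->parent)
        if (p == start) { *out = ncp; return CAP_OK; }
    return CAP_ENOTCAPABLE;
}

/* Constructed sample tree: /etc/passwd and a /jail with a plain file,
 * an absolute symlink, a relative symlink escaping upward, and a
 * subdirectory symlink that stays inside the jail. */
static struct ncp n_root, n_etc, n_passwd, n_jail, n_file, n_abs, n_rel, n_sub, n_up;
static struct ncp n_root   = { "/",      NULL,          NULL,    { &n_etc, &n_jail }, 2 };
static struct ncp n_etc    = { "etc",    NULL,          &n_root, { &n_passwd }, 1 };
static struct ncp n_passwd = { "passwd", NULL,          &n_etc,  { 0 }, 0 };
static struct ncp n_jail   = { "jail",   NULL,          &n_root, { &n_file, &n_abs, &n_rel, &n_sub }, 4 };
static struct ncp n_file   = { "file",   NULL,          &n_jail, { 0 }, 0 };
static struct ncp n_abs    = { "abs",    "/etc/passwd", &n_jail, { 0 }, 0 };
static struct ncp n_rel    = { "rel",    "../etc",      &n_jail, { 0 }, 0 };
static struct ncp n_sub    = { "sub",    NULL,          &n_jail, { &n_up }, 1 };
static struct ncp n_up     = { "up",     "../file",     &n_sub,  { 0 }, 0 };

/* Look up path with the sample /jail entry as the starting point. */
enum cap_lookup_result sample_lookup(const char *path)
{
    struct ncp *out = NULL;
    return cap_lookup(&n_jail, path, &out);
}

/* True iff the lookup succeeds and resolves to the entry named `name`. */
bool sample_resolves_to(const char *path, const char *name)
{
    struct ncp *out = NULL;
    return cap_lookup(&n_jail, path, &out) == CAP_OK && strcmp(out->name, name) == 0;
}

int main(void)
{
    const char *paths[] = { "sub/../file", "../etc/passwd", "/etc/passwd",
                            "abs", "rel", "sub/up", ".", "..", "nope" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-14s -> %d\n", paths[i], (int)sample_lookup(paths[i]));
    return 0;
}
```

The point of the structure is that the decision is made on the resolved namecache entry, not on the path string: "sub/../file" and the relative symlink "sub/up" both pass because they end inside the jail, while "../etc/passwd" and the symlink "rel" fail even though every individual component was legal to traverse. In a kernel the upward walk would run under the namecache locks that also serialise rename, which is what makes it robust against a concurrent rename; this toy has no locking and only shows the containment logic.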
