[capsicum] Capsicum and OpenBSD
Hi,

There's some interest among OpenBSD developers (myself included) in
supporting Capsicum on OpenBSD.  The FreeBSD and OpenBSD kernels have
diverged enough that I expect we'll mostly just reimplement the kernel
side of things, but it would be nice if we could coordinate efforts so
that userland code is portable across Capsicum-implementing operating
systems.

I have a diff to add basic cap_enter(2) and cap_getmode(2) system
calls to OpenBSD (currently just a small whitelist of safe system
calls, and calls to anything else SIGKILL the process), and I'm
working on finishing up support for the openat(2) family of functions
from POSIX 2008 that Capsicum needs.  Once that's done, I'll start
work on the capability descriptors and other features as necessary
(process descriptors? O_EXEC/O_SEARCH? fexecve? dynamic linker
support?).

It would be nice to at least support the OpenSSH and Chromium
sandboxes on OpenBSD.  Advice on how best to tackle this would be
appreciated. :-)

Regards,
Matthew
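The usage pattern the mail alludes to (cap_enter(2), cap_getmode(2), and the openat(2) family being needed because absolute path lookups are refused once in capability mode) is shown below as an added example. It is not code from the mail, from OpenBSD, or from FreeBSD; it compiles against FreeBSD's `<sys/capsicum.h>` when available and, on systems without Capsicum (an assumption for the fallback branch), reports ENOSYS from `enter_sandbox()` so the portable part of the pattern can still be exercised. The file location `/tmp` and the file names are constructed sample values.

```c
/* Added example (not from the mail or either project). Pattern: acquire
 * every resource the program needs, here a directory descriptor, before
 * calling cap_enter(2); afterwards use openat(2) relative to it, because
 * open(2) on a path is refused in capability mode (ECAPMODE on FreeBSD;
 * the mail's OpenBSD prototype SIGKILLs on non-whitelisted calls). */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#if defined(__FreeBSD__)
#include <sys/capsicum.h>
#define HAVE_CAPSICUM 1
#else
#define HAVE_CAPSICUM 0   /* assumption: no Capsicum on this system */
#endif

/* Enter capability mode. Returns 0 on success, -1 with errno set. */
int enter_sandbox(void) {
#if HAVE_CAPSICUM
    return cap_enter();
#else
    errno = ENOSYS;       /* fallback branch, not a Capsicum implementation */
    return -1;
#endif
}

/* Report capability mode: 1 = sandboxed, 0 = not, -1 = unknown. */
int in_sandbox(void) {
#if HAVE_CAPSICUM
    u_int mode = 0;
    if (cap_getmode(&mode) != 0) return -1;
    return mode ? 1 : 0;
#else
    return -1;
#endif
}

/* Pre-open a directory descriptor; must happen BEFORE enter_sandbox(). */
int prepare_dirfd(const char *dir) {
    return open(dir, O_RDONLY | O_DIRECTORY);
}

/* Read a file relative to dirfd via openat(2), which stays usable inside
 * the sandbox. Returns bytes read (NUL-terminated into buf) or -1. */
ssize_t read_relative(int dirfd, const char *name, char *buf, size_t buflen) {
    int fd = openat(dirfd, name, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Create a constructed sample file so the demo is self-contained. */
int write_sample(const char *dir, const char *name, const char *text) {
    int dirfd = prepare_dirfd(dir);
    if (dirfd < 0) return -1;
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    close(dirfd);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(text);
    ssize_t w = write(fd, text, (size_t)len);
    close(fd);
    return w == len ? 0 : -1;
}

int main(void) {
    const char *dir = "/tmp";                 /* constructed sample location */
    const char *name = "capsicum_demo.txt";
    if (write_sample(dir, name, "hello from outside the sandbox\n") != 0) {
        perror("write_sample");
        return 1;
    }
    int dirfd = prepare_dirfd(dir);           /* acquire rights first ... */
    if (dirfd < 0) { perror("open dir"); return 1; }

    if (enter_sandbox() != 0)                 /* ... then drop privileges */
        fprintf(stderr, "cap_enter unavailable: %s\n", strerror(errno));
    printf("in capability mode: %d\n", in_sandbox());

    char buf[128];
    if (read_relative(dirfd, name, buf, sizeof buf) >= 0)
        printf("openat via pre-opened dirfd: %s", buf);
    /* A path lookup is refused once sandboxed; allowed only if not. */
    int fd = open("/etc/hostname", O_RDONLY);
    if (fd < 0) printf("open(absolute path): %s\n", strerror(errno));
    else { printf("open(absolute path) allowed: not sandboxed\n"); close(fd); }
    close(dirfd);
    return 0;
}
```

On FreeBSD the run prints `in capability mode: 1` and the absolute-path open fails with "Not permitted in capability mode"; elsewhere the fallback reports ENOSYS and the absolute open succeeds, which is exactly the difference the sandbox is meant to make.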
