Capsicum

submitted 09 November 2018

Imagine an application that can do anything with your data. Literally anything. Imagine an application which can get your private photos and send them over the internet to some external server. In UNIX-like operating systems almost all applications can do that. If you had an exploitable bug in grep(1), somebody would be able to do so. If you had an exploitable bug in cat(1), somebody would be able to do so. When your application has access to all your user data, we are talking about ambient authority.

What if you could do things another way? What if your application had only the capability to use the things it really needs to use? What if your grep(1) had only read-only rights to the file that it should parse, and it couldn't create a network connection or send signals to different processes? This is the capability world which Capsicum implements.

The BSD community linklog

28 March 2024
FreeBSD Errata Notice FreeBSD-EN-24:05.tty  

Under certain conditions an unprivileged user could provoke a kernel panic.

FreeBSD Errata Notice FreeBSD-EN-24:06.wireguard  

The part of the mbuf chain being sent along may contain some invalid state that causes a later fault and panic.

FreeBSD Errata Notice FreeBSD-EN-24:07.clang  

The compiler crashes instead of generating an object file.

FreeBSD Errata Notice FreeBSD-EN-24:08.kerberos  

Attempting to use weak crypto routines when the legacy provider is not loaded results in the application crashing.

FreeBSD Security Advisory FreeBSD-SA-24:03.unbound  

A trivially orchestrated attack could render all threads busy with such responses leading to denial of service.

27 March 2024
On Starting the 2024 FreeBSD Foundation Budget Journey  

The FreeBSD Foundation shares its approach to its budget for 2024. Its commitment to supporting the FreeBSD community and project remains steadfast, funded entirely through the generous contributions of donations and grants.

TrueNAS CORE 13 is the end of the FreeBSD version  

The oldest vendor of BSD systems is changing direction away from FreeBSD and toward Linux. There are already mutterings about a fork, so let's see.

22 March 2024
BSD Now 551: The Story of Port 22  

This week on the show: the story of SSH getting port 22, GCC using Clang, AuxRunner, Stabweek, using a Kensington SlimBladePro on OpenBSD, and more...

21 March 2024
March 2024 Partnerships Update  

Two sponsored development projects that began at the end of Q4 ‘23 and in January are proceeding well. One, sponsored by RG Nets, is porting VPP to FreeBSD. The other is adding the IOMMU driver to support AMD chips with 512+ cores.

19 March 2024
OpenBSD Errata: March 18, 2024 (expat)  

Errata patches for the libexpat XML library have been released for OpenBSD 7.3 and 7.4. Binary updates for the amd64, arm64 and i386 platforms are available via the syspatch utility.

FreeBSD 2023 fundraising recap  

They’ve closed the books on their 2023 accounting, and can share that the FreeBSD Foundation raised $1,263,772.05 towards their goal last year. In the article, you can learn what they are planning to use it for.
