Re: capsicum(4): .. and SIGTRAP causing syscall really is in siginfo_t.si_errno?

From: Ed Maste <emaste_at_freebsd.org>
Date: Thu, 13 Apr 2023 18:19:10 UTC
On Wed, 12 Apr 2023 at 16:34, Steffen Nurpmeso <steffen@sdaoden.eu> wrote:
>
> I think capsicum is very, very smart and capable, like CloudABI
> was.  Yet very hard to work with as it needs so many new *at(),
> needs to have hooks to modify descriptors after accept(), and
> openat(), etc.  And needs user-path <> realpath(3) mappings .. the
> way i do it.)

Indeed. These limitations all stem from the properties that give
Capsicum its security properties (no access to global namespaces or
ambient authority). It is "relatively" straightforward to use when
incorporated into new software from the beginning, but certainly
harder to retrofit.

realpath is an interesting case, as in capability mode there is no
absolute root directory. All paths are necessarily relative to a
directory fd. The Casper fileargs service provides a realpath
replacement, but I've also started looking into what a Capsicum-native
realpathat would be.

> As i am very new with this -- am i correct assuming that once
> a capability was set on a directory or listening socket, opened
> / accepted FDs inherit the capability of "their parent"?

In general, yes. Rights can be removed or subsetted but not added.

> The capsicum(4) and rights(4) etc manuals are
> complete, but for someone without any real foreknowledge they miss
> some small hints, here and there.  Not that Linux does that
> better.  Or OpenBSD, where you need at least one unveil with "some
> meat" in order to apply it, even if you simply want no paths at
> all.  .. I think.)

I think capsicum(4) in particular could use more information, but man
pages are always going to be closer to reference material. The initial
Capsicum paper is a good read to understand Capsicum's design and
approaches that can be taken to refactor existing software:
https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf

> I had the impression that casper uses a supervising process.

I wouldn't describe it as a "supervising process", but Casper does
indeed involve additional process(es). In essence Casper services are
performing the same work that an explicitly privilege-separated
process would do. With cap_fileargs for example you have one process
(that is not operating in capability mode) with access to the
filesystem (global namespace). That process opens files, and passes
file descriptors to the capability-mode process that performs the
work.