Slashdot Mirror


Google Ports Capsicum To Linux, and Other End-of-Year Capsicum News

An anonymous reader writes "Security researcher Robert Watson at the University of Cambridge has posted a blog article describing recent progress on the Capsicum security model, which will shortly appear in FreeBSD 10.0 enabled by default, and has now been ported to Linux by Google, who have posted patches with the intent to upstream to the Linux kernel." Capability systems are pretty interesting.


  1. Re:OMG! by allanjude8027 · · Score: 5, Informative

    The video explains it, but it allows programs to 'drop' capabilities they no longer need. For example, tcpdump needs root access to open the network interface, but after that it can give up those capabilities, so if there is a bug in tcpdump and it gets compromised by a maliciously crafted packet, the attacker does not have any excess privileges to exploit.

  2. Re:OMG! by Anonymous Coward · · Score: 5, Informative

    http://www.cl.cam.ac.uk/research/security/capsicum/

    Capsicum is a lightweight OS capability and sandbox framework developed at the University of Cambridge Computer Laboratory, supported by a grant from Google. Capsicum extends the POSIX API, providing several new OS primitives to support object-capability security on UNIX-like operating systems.

    More at the link...