Computer Laboratory

Capsicum: practical capabilities for UNIX

Capsicum - Code

Capsicum is available under a BSD license, in order to encourage open source, research, and commercial deployment. There are no formal releases yet, as Capsicum is under active development. However, you can download interim snapshots and track development in our FreeBSD.org and code.google.com repositories.

Capsicum kernel and linker infrastructure

We have modified the base FreeBSD distribution in the following ways:

  • Added process descriptors
  • Added capabilities
  • Added capability mode
  • Added SOCK_SEQPACKET support to UNIX domain sockets
  • Modified ELF run-time linker for sandboxing
  • Added libcapsicum: host/sandbox support library
  • Modified gzip(1) to run compression/decompression in a sandbox
  • Modified sshd, dhclient, and tcpdump to make use of capability sandboxes

Kernel and runtime linker portions of Capsicum are being developed in the public FreeBSD Perforce depot, in a branch derived from the FreeBSD development head. The development version of Capsicum may be browsed online using the Perforce web interface. Developers with access to the FreeBSD Project's Perforce repository can check out the following branch:

    //depot/projects/trustedbsd/capabilities/...

We are maintaining a backport of Capsicum to FreeBSD 8.x to make Capsicum more accessible as an application development platform. This may be browsed online using the Subversion web interface, or checked out of the svn repository:

    svn co http://svn.freebsd.org/base/projects/capabilities8

The normal FreeBSD world/kernel upgrade procedure applies from the capabilities8 branch; FreeBSD 8.0-RC1 is the current recommended baseline from which to build and install capabilities8.

Capsicum libraries and user angels

Higher-level libraries, toolkits, and sample applications are maintained in dedicated projects on code.google.com:

    svn co http://capsicum-core.googlecode.com/svn/trunk/

Capsicum enhancements to Chromium

This is a port of Google's Chromium web browser to FreeBSD, along with enhancements that use Capsicum's capability mode and capability primitives to sandbox browser HTML and JavaScript rendering.

    git clone git://github.com/rwatson/chromium-capsicum.git src
    cd src ; git checkout chromium-capsicum ; cd ..

Find out more, including build and install instructions, on the Chromium-Capsicum wiki page. The GitHub repository, with history, may be found here.