A taste of Capsicum: practical capabilities for UNIX
Venue
Communications of the ACM, vol. 55(3) (2012), pp. 97-104
Publication Year
2012
Authors
Robert N. M. Watson, Jonathan Anderson, Ben Laurie, Kris Kennaway
BibTeX
Abstract
Capsicum is a lightweight operating system (OS) capability and sandbox framework
planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX
APIs, providing new kernel primitives (sandboxed capability mode and capabilities)
and a userspace sandbox API. These tools support decomposition of monolithic UNIX
applications into compartmentalized logical applications, an increasingly common
goal that is supported poorly by existing OS access control primitives. We
demonstrate our approach by adapting core FreeBSD utilities and Google
