Capsicum: OS capability and sandbox framework

Capsicum is a lightweight OS capability and sandbox framework developed at the University of Cambridge Computer Laboratory.

Capsicum extends the POSIX API, providing several new OS primitives to support object-capability security on UNIX-like operating systems:

• capabilities – refined file descriptors with fine-grained rights
• capability mode – process sandboxes that deny access to global namespaces
• process descriptors – capability-centric process ID replacement
• anonymous shared memory objects – an extension to the POSIX shared memory API to support anonymous swap objects associated with file descriptors (capabilities)
• rtld-elf-cap – modified ELF run-time linker to construct sandboxed applications
• libcapsicum – library to create and use capabilities and sandboxed components
• libuserangel – library allowing sandboxed applications or components to interact with user angels, such as Power Boxes.
• chromium-capsicum – a version of Google’s Chromium web browser that uses capability mode and capabilities to provide effective sandboxing of high-risk web page rendering.

Capsicum has been prototyped on FreeBSD 8.x, and the experimental code is BSD-licensed to encourage open source, research, and commercial deployment.