Google Research

A taste of Capsicum: practical capabilities for UNIX

  • Robert N. M. Watson
  • Jonathan Anderson
  • Ben Laurie
  • Kris Kennaway
Communications of the ACM, vol. 55(3) (2012), pp. 97-104

Abstract

Capsicum is a lightweight operating system (OS) capability and sandbox framework planned for inclusion in FreeBSD 9. Capsicum extends, rather than replaces, UNIX APIs, providing new kernel primitives (sandboxed capability mode and capabilities) and a userspace sandbox API. These tools support decomposition of monolithic UNIX applications into compartmentalized logical applications, an increasingly common goal that is supported poorly by existing OS access control primitives. We demonstrate our approach by adapting core FreeBSD utilities and Google

Learn more about how we do research

We maintain a portfolio of research projects, providing individuals and teams the freedom to emphasize specific types of work