Capsicum [Wat+10] is a framework for principled, coherent compartmentalization of FreeBSD applications

semanticscholar(2021)

Abstract
FreeBSD Journal

It is principled in that it draws from a rich history in computer security concepts such as capabilities, tokens that authorize their bearers to perform actions such as read from a file (using a file descriptor as a token very like a capability) or call a method (using an object reference as a capability). Capsicum is coherent in that it applies clear, simple security policies uniformly across applications. It is not possible—as can be the case in other schemes—to restrict an application’s access to one set of operations while leaving equivalent operations available for use. When we describe Capsicum as providing principled, coherent compartmentalization, we mean that it allows applications to break themselves up into compartments that are isolated from each other and from other applications. Just as privacy-friendly companies put their users’ data encryption keys out of their own reach, Capsicum allows applications and their compartments to give up certain abilities in order to protect other compartments, other applications, and—ultimately—their users. However, a significant limitation of Capsicum today is that it only works when applications voluntarily give up the right to perform certain actions. It works with applications that understand Capsicum and that have been modified to take advantage of it; up to now, Capsicum has provided no mechanisms for confining applications without their cooperation. This is our long-term goal: to put applications into sandboxes without needing to modify the applications themselves, such that