Created at 2023-11-19. Last modified at 2023-11-19.

Trying out Capsicum on FreeBSD

Note: this article is very simple. I’ll add more to this article when I try more stuff with Capsicum.


Recently I heard that this capability subsystem, which I kept spelling as “Capsium”, is supposed to be easy to add to existing UNIX programs. The good news is, it is on FreeBSD right now, and I can use it! (You too!) The bad news is that it’s not on Linux, and probably never will be.

Reminder: Please apply the newest security patches on your FreeBSD installation before using Capsicum.

After installing FreeBSD, here’s the singular C program that I wrote to try out Capsicum.

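#include <err.h>
#include <stdio.h>
#include <sys/capsicum.h>

int main(void) {
    // Enter capability mode; from here on, global namespaces such as
    // the filesystem are off limits.
    if (cap_enter() < 0)
        err(1, "cap_enter");
    puts("hello"); // write to stdout (opened before cap_enter, still usable)
    // Opening by absolute path is refused in capability mode, so f is NULL.
    FILE* f = fopen("/etc/passwd", "r");
    printf("%p\n", (void *)f);
    return 0;
}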

Then, I ran it as root (cc hello.c && ./a.out) and it gave me this output.

hello
0x0

It works! Capsicum seems super easy to use!
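
The usual Capsicum pattern that the program above stops short of, as an added example (not the article's code): open the file first, limit the descriptor with cap_rights_limit(), then call cap_enter(). The name sandboxed_read_check and the NO_CAPSICUM fallback for non-FreeBSD builds are assumptions made for this example.

```c
/* Added example; function and macro names are assumptions, not from the article. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

#define NO_CAPSICUM (-1)   /* built on a system without Capsicum */

/*
 * Open `path`, limit the descriptor to CAP_READ, enter capability mode, then
 * verify three things. Returns 0 if all hold, otherwise the failing step.
 * The calling process stays sandboxed afterwards: cap_enter() is one-way.
 */
int sandboxed_read_check(const char *path)
{
#ifdef __FreeBSD__
    char buf[64];
    cap_rights_t rights;
    int fd = open(path, O_RDONLY);          /* acquire resources first */
    if (fd < 0)
        return 1;
    cap_rights_init(&rights, CAP_READ);     /* read only: no seek, no fstat */
    if (cap_rights_limit(fd, &rights) < 0 || cap_enter() < 0)
        return 2;
    if (read(fd, buf, sizeof(buf)) < 0)     /* allowed by CAP_READ */
        return 3;
    if (lseek(fd, 0, SEEK_SET) != -1 || errno != ENOTCAPABLE)
        return 4;                           /* CAP_SEEK was not granted */
    if (open(path, O_RDONLY) != -1 || errno != ECAPMODE)
        return 5;                           /* global namespace is gone */
    close(fd);
    return 0;
#else
    (void)path;
    return NO_CAPSICUM;
#endif
}

int main(void)
{
    int rc = sandboxed_read_check("/etc/passwd");
    printf("sandboxed_read_check: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

On FreeBSD a result of 0 means the pre-opened descriptor stayed readable while both the ungranted lseek() and the new open() were refused.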

That’s it for now bye~