Capsicum User Space

In this post, we will work towards building libcapability from capsicum-core building under linux.

As a word of warning, this may not be the cleanest, most professional way of getting things building. In general, you shouldn’t do things like this ^_^

Since we are using the linux version, there are a few changes that need to be made. Namely, we don’t have cap_enter defined in libc, which the configure autoconf file looks for. To get around this, we will grab the capsicum header from the capsicum-test project, convert it into C code from C++, and place it in a system include location.

First, grab the repositories:

me@capsium $ svn co http://capsicum-core.googlecode.com/svn/trunk/ capsicum-core
me@capsium $ git clone git@github.com:influenza/capsicum-test.git
me@capsium $ pushd capsicum-test && git checkout convert-to-c && popd

We cloned my fork of the capsicum-test repository, as the pull request to fix compilation issues I was having hasn’t been reviewed and merged yet. Additionally, the convert-to-c branch has an updated capsicum.h that will compile as C code.

Update 14Feb2014 10:54:38 - The linux.cc compilation issue mentioned previously has been fixed in the google repository. I’ve got a pull request in regarding the C++ to C conversion.

Next, let’s place the header file someplace accessible:

me@capsium $ sudo mkdir /usr/include/capsicum
me@capsium $ sudo cp capsicum-test/capsicum.h /usr/include/capsicum/

Now we need the code in a few different ways. For the impatient, output of svn diff is available here.

First, update configure.ac to stop checking for cap_enter in libc. Remove this line:

AC_CHECK_LIB([c], [cap_enter], [], [exit -1])

Now we can generate the configure script:

me@capsium $ ./autogen.sh

Next, in libcapability.h, add an include statement for capsicum.h someplace. I chose line 24:

#include <capsicum/capsicum.h>

Now we need to define the __DECONST macro in libcapability.c - this macro can probably come from someplace sensible, but I couldn’t find it. Here’s the code I added (after the includes):

#ifndef __DECONST
#define __DECONST(type, var)    ((type)(uintptr_t)(const void *)(var))
#endif

Next, we need to restructure (pun intended) some declarations in libcapability_sandbox_api.h - each struct declaration ending with __packed should be changed like so:

Old:

struct foo {
  // ...
} __packed;

New:

struct __attribute__((packed)) foo {
  //...
};

With that step complete, we need to update the include path for procdesc.h. In libcapability_host.h, change the include of <sys/procdesc.h> to <linux/procdesc.h>.

Note that I’m assuming the APIs are compatible between the Linux procdesc and the BSD version. Here’s hoping!

With these changes in place, trying to run make yields one more error:

    libcapability_host.c:39:22: fatal error: sys/sbuf.h: No such file or directory
    compilation terminated.
    make: *** [libcapability_host.lo] Error 1

I’m currently trying to track down an sbuf implementation for Linux. In the meantime, check out the BSD manpage for it!

Stay tuned…