
refactor: FreeBSD platform support cleanup #205

Merged: domcyrus merged 8 commits into main from feat/freebsd-capsicum-sandbox on Apr 6, 2026

Conversation

domcyrus (Owner) commented Mar 26, 2026

Summary

  • Remove Capsicum sandbox implementation — per-FD cap_rights_limit() without cap_enter() does not provide meaningful security (cannot prevent opening new files or sockets)
  • Clean up FreeBSD platform code: remove unused imports, dead struct fields
  • Update SECURITY.md to document that FreeBSD sandboxing is not yet available
  • Add full Capsicum sandbox plan to ROADMAP.md (requires cap_enter() + libcasper + libprocstat migration)

Context

Testing on FreeBSD revealed that the Capsicum sandbox as implemented only restricts already-opened FDs to write-only. Without cap_enter(), a compromised process can still open() arbitrary files (e.g. SSH keys) and connect() to exfiltrate data. Implementing cap_enter() requires switching from sockstat subprocess to libprocstat(3) library calls and integrating libcasper for privileged sysctl access from inside capability mode — tracked in ROADMAP.md.

Test plan

  • Verify macOS build compiles cleanly
  • Verify FreeBSD build compiles via CI (trigger test-platform-builds workflow)
  • Confirm Linux builds unaffected (CI matrix)
  • Run on FreeBSD — security panel shows privilege info without sandbox status
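The Context paragraph above makes a claim that is easy to verify empirically: limiting an already-open descriptor with cap_rights_limit() says nothing about descriptors the process has not opened yet, whereas cap_enter() cuts off the global namespaces (paths, IP addresses) that a fresh open() or connect() needs. The program below is an added example written for this page; it is not code from the project or from this pull request. It assumes a FreeBSD host where /etc/passwd is world-readable and /tmp is writable; the scratch path and the loopback target on port 9 are constructed values that are never actually reached. On other operating systems it compiles but reports the probe as unsupported. The probe runs in a forked child, because cap_enter() is irreversible for the calling process.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Results gathered in a forked child, so the parent never enters capability mode. */
struct sandbox_probe {
    int supported;                  /* 1 on FreeBSD, 0 elsewhere (probe skipped) */
    int write_ok;                   /* write() on the CAP_WRITE-limited FD succeeded */
    int read_notcapable;            /* read() on that FD failed with ENOTCAPABLE */
    int open_before_enter_ok;       /* open() of an unrelated path still succeeded */
    int open_after_enter_capmode;   /* same open() failed with ECAPMODE after cap_enter() */
    int connect_after_enter_denied; /* connect() to an IP address refused after cap_enter() */
};

static struct sandbox_probe probe_in_child(const char *scratch_path) {
    struct sandbox_probe p;
    memset(&p, 0, sizeof p);
#ifdef __FreeBSD__
    cap_rights_t rights;
    struct sockaddr_in sin;
    char buf[1];
    int fd, other, s;

    p.supported = 1;
    fd = open(scratch_path, O_RDWR | O_CREAT | O_TRUNC, 0600);   /* constructed scratch file */
    if (fd < 0)
        return p;

    /* Step 1: what the removed sandbox did -- limit an already-open FD to CAP_WRITE. */
    cap_rights_init(&rights, CAP_WRITE);
    if (cap_rights_limit(fd, &rights) != 0)
        return p;
    p.write_ok = (write(fd, "x", 1) == 1);
    p.read_notcapable = (read(fd, buf, sizeof buf) < 0 && errno == ENOTCAPABLE);

    /* Step 2: the gap -- a brand-new open() of an unrelated file is not affected at all. */
    other = open("/etc/passwd", O_RDONLY);
    p.open_before_enter_ok = (other >= 0);
    if (other >= 0)
        close(other);

    /* Step 3: cap_enter() removes access to global namespaces (paths, IP addresses). */
    if (cap_enter() != 0)
        return p;
    p.open_after_enter_capmode = (open("/etc/passwd", O_RDONLY) < 0 && errno == ECAPMODE);
    s = socket(AF_INET, SOCK_STREAM, 0);           /* creating a socket is still allowed */
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(9);                       /* constructed loopback target, never reached */
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    p.connect_after_enter_denied =
        (s >= 0 && connect(s, (struct sockaddr *)&sin, sizeof sin) < 0);
#else
    (void)scratch_path;
#endif
    return p;
}

/* Runs the probe in a child and reads the result struct back over a pipe. Returns 0 on success. */
int probe_capsicum(struct sandbox_probe *out, const char *scratch_path) {
    int pfd[2], status;
    pid_t pid;
    ssize_t n;

    if (pipe(pfd) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct sandbox_probe p = probe_in_child(scratch_path);
        (void)write(pfd[1], &p, sizeof p);   /* an FD opened before cap_enter() keeps its rights */
        _exit(0);
    }
    close(pfd[1]);
    n = read(pfd[0], out, sizeof *out);
    close(pfd[0]);
    waitpid(pid, &status, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void) {
    struct sandbox_probe p;
    if (probe_capsicum(&p, "/tmp/capsicum_probe.txt") != 0 || !p.supported) {
        puts("probe unavailable (not FreeBSD, or fork/pipe failed)");
        return 0;
    }
    printf("CAP_WRITE fd: write %s, read %s\n", p.write_ok ? "ok" : "denied",
           p.read_notcapable ? "ENOTCAPABLE" : "not ENOTCAPABLE");
    printf("open(/etc/passwd): before cap_enter %s, after cap_enter %s\n",
           p.open_before_enter_ok ? "ALLOWED (the gap)" : "denied",
           p.open_after_enter_capmode ? "ECAPMODE" : "not ECAPMODE");
    printf("connect() after cap_enter: %s\n", p.connect_after_enter_denied ? "denied" : "allowed");
    return 0;
}
```

On FreeBSD the expected output is a write that succeeds, a read that fails with ENOTCAPABLE, an open() of /etc/passwd that still succeeds before cap_enter() and fails with ECAPMODE after it, and a connect() that is refused in capability mode. The first three lines are exactly the "FD-level hardening only" situation the PR describes; the last two are what the ROADMAP item (cap_enter() plus libcasper/libprocstat) would buy, and also why the sockstat subprocess cannot survive it: spawning a new program and resolving paths are both global-namespace operations.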

Restrict output file descriptors to write-only after initialization
using cap_rights_limit(). Uses per-FD restrictions instead of
cap_enter() to preserve sockstat subprocess for process identification.
… safety notes

Document that without cap_enter() the sandbox is FD-level hardening only.
Replace std::mem::forget(file) with the more idiomatic file.into_raw_fd().
Add safety comments for the variadic __cap_rights_init FFI call.
domcyrus changed the title from "feat: add Capsicum sandbox for FreeBSD" to "refactor: FreeBSD platform support cleanup" on Apr 6, 2026
domcyrus merged commit eec74e4 into main on Apr 6, 2026
21 checks passed
domcyrus added a commit that referenced this pull request Apr 9, 2026
- Windows restricted token sandbox (#206)
- macOS Seatbelt sandboxing, later tightened (#196, #203)
- Linux sandbox hardening: drop capabilities and clear ambient set (#208)
- UI: process privilege shown in security section (#197)
- Filter: exact port matching and regex support (#195)
- VLAN support in PKTAP/SLL parsers and L3 extraction (#202, #199)
- IGMP protocol parsing (#209)
- Process name for wildcard /proc/net entries (#218)
- CPU efficiency improvements in sort/snapshot/rate/timeout paths (#213, #220, #212, #222) — thanks @deepakpjose
- FreeBSD platform cleanup (#205)
- Fix default interface selection (#194), root detection on Unix (#192)
- Dependency updates