I spent a bit of time reading about Capsicum which is Unix with certain additional capability functions.
I was surprised that they found some useful capability function to add to Unix and a feasible way to do it.
I think that the following is accurate:<ul>
<li>There are a small fixed number of object types, mostly objects that Unix already defines.
<li>There are parameterizable attenuation objects that may be had.
<li>All the behavior of objects is defined by code in the privileged kernel.
<li>User mode code can be confined to acting only via capabilities.
<li>Most extant Unix user mode code can not function under such constraints.
<li>Much extant Unix user mode code can be adapted to run that way, and without changing many of the system calls that have been redefined to invoke capabilities.
<li>Capabilities can be passed thru classic communications channels, just as file descriptors.
<li>Files and pipes are accessible as capabilities.
<li>I think capabilities cannot reside in directories, which seems anomalous.
</ul>
The ‘file descriptors’ of Unix have always felt a little bit like capabilities and gradually became more so as Unix evolved.
They become much more like capabilities in Capsicum.
It seems to me like the most significant missing feature that is expected of capability platforms is the ability to define new sorts of objects whose defining code is not in the TCB of other programs.
<p>Nonetheless Capsicum does seem to supplant the need for Google’s NaCl and this seems strategic.
<hr><a href=https://github.com/google/capsicum-linux>Capsicum at Gituub</a>
<br><a href=Thesis.html>Watson’s Thesis</a>,
<a href=ovvvo.html>Object-Verb vs. Verb-Object</a>,
<a href=Sources.html>Kernel Sources</a>,
<a href=KC.html>notes on docs</a>,
<a href=BadInter.html>cap bugs</a>
<br><a href=http://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201406-isca2014-cheri.pdf>With new cap hardware</a>
<br>Ben Laurie refers to <a href=https://www.freebsd.org/cgi/man.cgi?query=rights&apropos=0&sektion=0&manpath=FreeBSD+11.1-RELEASE+and+Ports&arch=default&format=html>this</a> as defining ‘rights’ in a Capsicum context.