Using capsicum with sqlite?

[Marc Coquand]

Hey Freebsd community,

I'm trying to make sense of how Capsicum is intended to work.

I want to create an app that accesses a SQLite database (with WAL), and
nothing else. I figured Capsicum would be a the way to lock down this program.

As I understand Capsicum, you open the file descriptors that you're going
to use and then use cap_enter to lock down the program, and afterward you
can no longer open any new files.

I am curious how I am supposed to use Capsicum together with sqlite, as all
the libraries that I've used for sqlite works by passing a string to the
filepath of the database, and for wal some files are opened dynamically ,so
the file descriptors aren't known. Does that mean it isn't possible to use
Sqlite with Capsicum?

Marc

[Souji Thenria]

Hi Marc,

Jake Freeland gave a talk at the last EuroBSDCon about Capsicum and how
to use it, which was based on his blog post [1].

As I see it, you have two options:
1. Use Capsicum for everything except the (write) interactions with the
SQLite database. If you cannot determine which files the SQLite library
will open, you may still be able to improve the security of other parts
of your program by sandboxing those other parts.

2. It appears possible to restrict file access to a specific directory
("sub-domains"). If you know where the WAL files are created, you might
be able to grant access only to that directory and then open or close
files within it as needed.

I haven't used Capsicum with SQLite myself, but I hope this helps.

Regards,
Souji

[1] https://cdaemon.com/posts/capsicum

--
Souji Thenria
Website: www.souji-thenria.net