Capsicum capability framework
E427681
The Capsicum capability framework is a security model and API for fine-grained sandboxing and privilege separation in Unix-like operating systems.
All labels observed (1)
| Label | Occurrences |
|---|---|
| Capsicum capability framework canonical | 1 |
How this entity was disambiguated
This entity first appeared as the object of triple T4279159 — resolving that mention is where its identity was fixed. The disambiguator weighed these candidate entities and picked the highlighted one (or “None”, minting a new entity). This is how homonymy is resolved: the same surface form can point to different entities.
Target entity: Capsicum capability framework Context triple: [FreeBSD, supportsSecurityFeature, Capsicum capability framework]
-
A.
Creating Capabilities
"Creating Capabilities" is a philosophical work by Martha Nussbaum that develops and defends the capabilities approach as a framework for assessing human well-being, justice, and development.
-
B.
AppArmor
AppArmor is a Linux kernel security module that confines programs to a limited set of resources using per-application security profiles to reduce the impact of vulnerabilities and attacks.
-
C.
CSAF
CSAF is the acronym for the highest-ranking officer and principal military advisor in the United States Air Force, the Chief of Staff of the Air Force.
-
D.
Kernel Self Protection Project
The Kernel Self Protection Project is a security-focused initiative aimed at hardening the Linux kernel against vulnerabilities and exploitation through proactive defensive features and development practices.
-
E.
Linux Security Modules API
The Linux Security Modules API is a kernel-level framework in Linux that allows the implementation of pluggable security policies and access control mechanisms such as AppArmor and SELinux.
- F. None of above. chosen
- G. Unsure - the case is ambiguous/there is not enough information to decide.
Target entity: Capsicum capability framework Target entity description: The Capsicum capability framework is a security model and API for fine-grained sandboxing and privilege separation in Unix-like operating systems.
-
A.
Creating Capabilities
"Creating Capabilities" is a philosophical work by Martha Nussbaum that develops and defends the capabilities approach as a framework for assessing human well-being, justice, and development.
-
B.
AppArmor
AppArmor is a Linux kernel security module that confines programs to a limited set of resources using per-application security profiles to reduce the impact of vulnerabilities and attacks.
-
C.
CSAF
CSAF is the acronym for the highest-ranking officer and principal military advisor in the United States Air Force, the Chief of Staff of the Air Force.
-
D.
Kernel Self Protection Project
The Kernel Self Protection Project is a security-focused initiative aimed at hardening the Linux kernel against vulnerabilities and exploitation through proactive defensive features and development practices.
-
E.
Linux Security Modules API
The Linux Security Modules API is a kernel-level framework in Linux that allows the implementation of pluggable security policies and access control mechanisms such as AppArmor and SELinux.
- F. None of above. chosen
Statements (49)
| Predicate | Object |
|---|---|
| instanceOf |
Unix security mechanism
ⓘ
capability-based security framework ⓘ sandboxing framework ⓘ security model ⓘ |
| basedOn | capability-based security ⓘ |
| category |
computer security software
ⓘ
operating system security ⓘ |
| designInfluencedBy |
least-privilege design principle
ⓘ
object-capability model ⓘ |
| documentation |
FreeBSD Handbook
NERFINISHED
ⓘ
academic research papers on Capsicum ⓘ |
| feature |
capability rights masks
ⓘ
disables global namespaces in capability mode ⓘ library support for sandboxing ⓘ per-descriptor rights reduction ⓘ restricts access to global file system namespace ⓘ restricts access to network sockets ⓘ restricts access to process identifiers ⓘ uses file descriptors as capabilities ⓘ |
| goal |
enable incremental adoption in existing codebases
ⓘ
minimize trusted computing base of applications ⓘ support application compartmentalization without rewriting entire applications ⓘ |
| hasAPI | POSIX-like C API ⓘ |
| hasDeveloper |
FreeBSD Project
NERFINISHED
ⓘ
Google NERFINISHED ⓘ University of Cambridge NERFINISHED ⓘ |
| introducedIn | FreeBSD 9.0 NERFINISHED ⓘ |
| license | BSD-style license ⓘ |
| mainDeveloper |
Ben Laurie
NERFINISHED
ⓘ
Robert N. M. Watson NERFINISHED ⓘ |
| notablePaper | Capsicum: practical capabilities for UNIX (USENIX Security 2010) NERFINISHED ⓘ |
| operatingSystem |
CheriBSD
NERFINISHED
ⓘ
DragonFly BSD NERFINISHED ⓘ FreeBSD NERFINISHED ⓘ Linux ⓘ NetBSD NERFINISHED ⓘ OpenBSD NERFINISHED ⓘ |
| provides |
capability file descriptors
ⓘ
capability mode ⓘ object-capability API ⓘ system call wrappers for capability checks ⓘ |
| supports |
application compartmentalization
ⓘ
fine-grained sandboxing ⓘ least privilege ⓘ privilege separation ⓘ |
| targetPlatform | Unix-like operating systems ⓘ |
| usedFor |
sandboxing language runtimes
ⓘ
sandboxing media processing applications ⓘ sandboxing network-facing daemons ⓘ |
How these facts were elicited
The pipeline generated the facts above by prompting gpt-5.1 with this entity's name + description and the instruction below.
You are a knowledge base construction expert. Given a subject entity and a description of it, return factual statements that you know for the subject as a JSON list of dictionaries(triples), where keys must be "subject", "predicate" and "object". The number of facts may be very high, between 25 to 50 or more, for very popular subjects. For less popular subjects, the number of facts can be very low, like 5 or 10. # Requirements - If you don't know the subject at all, return an empty list. - If the subject is not a named entity, return an empty list. - Include at least one triple where predicate is "instanceOf". - Do not get too wordy. - Separate several objects into multiple triples with one object.
Subject: Capsicum capability framework Description of subject: The Capsicum capability framework is a security model and API for fine-grained sandboxing and privilege separation in Unix-like operating systems.
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.