Add Capsicum sandboxing for FreeBSD

Implement Capsicum capability mode for the main, resolver, and logger
processes on FreeBSD, matching the existing pledge/unveil (OpenBSD)
and seccomp-bpf (Linux) sandboxing.

Each sandboxed process calls cap_enter() after initialization,
restricting it to operations on already-open file descriptors.
Per-fd rights are limited via cap_rights_limit() on IPC sockets.

Resolver: eagerly initializes DoT SSL context (CA bundle loading)
before cap_enter() since filesystem access is needed. c-ares channel
is initialized before cap mode; socket/connect/sendto for DNS queries
work on new fds which get full rights in capability mode.

Logger: enters capability mode in the PRIVILEGES handler, after all
initial sinks have been created. Pre-opens parent directories for
each file sink and stores dirfd per ChildSink. Log rotation on
SIGHUP uses openat() on the pre-opened dirfd. Syslog is
pre-connected before cap_enter().

Main: checks config for AF_UNIX listeners, fallbacks, and backends;
skips cap_enter() if any are found since connect()/bind() to Unix
socket paths require VFS lookups forbidden in capability mode.
Pre-opens config directory for SIGHUP reload via openat(), and temp
directory for SIGUSR1 debug dumps. Sets logger_parent_fs_locked
after cap_enter() so the parent does not attempt path-based opens
during reload.

Binder: not sandboxed with Capsicum because it must bind() AF_UNIX
paths for Unix domain socket listeners.

Build system detects cap_enter() and cap_rights_limit() on FreeBSD
and defines HAVE_CAPSICUM. All capsicum code is guarded by
__FreeBSD__ && HAVE_CAPSICUM ifdefs, compiling as no-ops elsewhere.

Set SNIPROXY_DISABLE_CAPSICUM=1 to bypass for debugging.

Author: renaudallard

README.md

@@ -72,6 +72,7 @@ Features
   spoofed sources
 + **Privilege separation**: Separate processes for logging and DNS resolution
 + **OpenBSD sandboxing**: pledge(2) and unveil(2) for minimal system access
++ **FreeBSD sandboxing**: Capsicum capability mode with per-fd rights limiting
 + **Input sanitization**: Hostname validation, control character removal
 + **Comprehensive fuzzing**: Protocol fuzzers for TLS, DTLS, HTTP/2, XMPP,
   Minecraft, hostname, address, config, listener ACL, IPC crypto, and resolver
@@ -571,6 +572,19 @@ All paths are collected from the loaded configuration, so custom locations work
 as long as files/directories exist before launch. Helper processes are forked
 (not exec'd) and inherit the master key for IPC encryption.
 
+### FreeBSD Sandboxing
+
+On FreeBSD, SNIProxy uses Capsicum capability mode to restrict each process after initialization:
+
+- **Resolver process**: DoT SSL context is eagerly initialized before entering capability mode (since CA bundle loading requires filesystem access). The IPC socket is limited to read/write/send/recv/event rights.
+- **Logger process**: Enters capability mode after privilege drop. Pre-opened directory fds allow log file rotation via `openat()` in capability mode. Syslog is pre-connected before `cap_enter()`. The IPC socket is limited to read/write/send/recv/event rights.
+- **Main process**: Config directory and temp directory are pre-opened before entering capability mode. Config reload uses `openat()` on the pre-opened directory fd. Debug dumps use `openat()` on the pre-opened temp directory fd.
+- **Binder process**: Not sandboxed with Capsicum because it must `bind()` AF_UNIX paths, which requires VFS lookups forbidden in capability mode.
+
+The main process skips capability mode when any listener, fallback, or backend address is a Unix domain socket, since `connect()` and `bind()` to AF_UNIX paths require VFS lookups forbidden in capability mode. IP-only configurations (the common case) get full Capsicum protection. Adding new log file paths during SIGHUP reload is not supported in capability mode (existing log files can be reopened).
+
+Set `SNIPROXY_DISABLE_CAPSICUM=1` in the environment to disable Capsicum sandboxing for debugging.
+
 Performance Notes
 -----------------
 

configure.ac

@@ -245,6 +245,17 @@ case "$host_os" in
 esac
 AC_SUBST([LIBSECCOMP_LIBS])
 
+# Check for Capsicum (FreeBSD only)
+case "$host_os" in
+  freebsd*)
+    AC_CHECK_HEADERS([sys/capsicum.h])
+    AC_CHECK_FUNCS([cap_enter cap_rights_limit])
+    AS_IF([test "x$ac_cv_func_cap_enter" = xyes -a "x$ac_cv_func_cap_rights_limit" = xyes], [
+      AC_DEFINE([HAVE_CAPSICUM], 1, [Define to 1 if Capsicum is available])
+    ])
+    ;;
+esac
+
 AC_CHECK_FUNCS([accept4 closefrom daemon setproctitle mkostemp explicit_bzero memset_s])
 
 # Enable large file support (so we can log more than 2GB)

man/sniproxy.8

@@ -94,6 +94,35 @@ or
 .B SIGINT\fR, \fBSIGTERM
 Shut down gracefully\&.
 
+.SH SANDBOXING
+On OpenBSD,
+\fBsniproxy\fR
+uses
+\fBpledge\fR(2)
+and
+\fBunveil\fR(2)
+to restrict each process to the minimum set of system calls and
+filesystem paths required\&.
+.PP
+On FreeBSD,
+\fBsniproxy\fR
+uses Capsicum capability mode
+(\fBcap_enter\fR(2))
+and per-fd rights
+(\fBcap_rights_limit\fR(2))
+to confine each process after initialization\&.
+Directories needed for config reload and log rotation are pre-opened
+so that
+\fBopenat\fR(2)
+works inside capability mode\&.
+Set
+.B SNIPROXY_DISABLE_CAPSICUM
+in the environment to disable Capsicum sandboxing\&.
+.PP
+On Linux,
+\fBsniproxy\fR
+uses seccomp-bpf to restrict available system calls per process\&.
+
 .SH "SEE ALSO"
 .PP
 \fBsniproxy.conf\fR(5)

src/Makefile.am

@@ -14,6 +14,8 @@ sniproxy_common_sources = address.c \
                           binder.h \
                           buffer.c \
                           buffer.h \
+                          capsicum.c \
+                          capsicum.h \
                           cfg_parser.c \
                           cfg_parser.h \
                           cfg_tokenizer.c \

src/binder.c

@@ -410,6 +410,10 @@ binder_main(int sockfd) {
         }
     }
 
+    /* Capsicum is not used for the binder process because it must
+     * call bind() on AF_UNIX paths, which requires VFS lookups
+     * that are forbidden in capability mode. */
+
     for (;;) {
         uint8_t *plain = NULL;
         size_t plain_len = 0;

src/capsicum.c

@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2025, Renaud Allard <renaud@allard.it>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "capsicum.h"
+
+#if defined(__FreeBSD__) && defined(HAVE_CAPSICUM)
+
+#include <sys/capsicum.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int
+capsicum_available(void) {
+    const char *disable_env = getenv("SNIPROXY_DISABLE_CAPSICUM");
+    if (disable_env != NULL && disable_env[0] != '\0')
+        return 0;
+    return 1;
+}
+
+int
+capsicum_enter(void) {
+    if (cap_enter() < 0) {
+        if (errno == ENOSYS)
+            return 0;
+        return -1;
+    }
+
+    return 0;
+}
+
+#else /* !(__FreeBSD__ && HAVE_CAPSICUM) */
+
+int
+capsicum_available(void) {
+    return 0;
+}
+
+int
+capsicum_enter(void) {
+    return 0;
+}
+
+#endif

src/capsicum.h

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2025, Renaud Allard <renaud@allard.it>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef SNIPROXY_CAPSICUM_H
+#define SNIPROXY_CAPSICUM_H
+
+int capsicum_available(void);
+int capsicum_enter(void);
+
+#endif /* SNIPROXY_CAPSICUM_H */

src/config.c

@@ -53,6 +53,11 @@
 #include "logger.h"
 #include "connection.h"
 #include "binder.h"
+#include <fcntl.h>
+#include <unistd.h>
+#if defined(__FreeBSD__) && defined(HAVE_CAPSICUM)
+#include <libgen.h>
+#endif
 
 
 struct LoggerBuilder {
@@ -78,6 +83,8 @@ enum GlobalACLPolicy {
 
 static enum GlobalACLPolicy global_acl_policy = GLOBAL_ACL_POLICY_UNSET;
 static int allow_group_read = 0;
+static int config_dirfd = -1;
+static char *config_basename = NULL;
 
 static int accept_username(struct Config *, const char *);
 static int accept_groupname(struct Config *, const char *);
@@ -518,11 +525,32 @@ init_config(const char *filename, struct ev_loop *loop, int fatal_on_perm_error)
 
     global_acl_policy = GLOBAL_ACL_POLICY_UNSET;
 
-    FILE *file = fopen(config->filename, "r");
-    if (file == NULL) {
-        err("%s: unable to open configuration file: %s", __func__, config->filename);
-        free_config(config, loop);
-        return NULL;
+    FILE *file;
+    if (config_dirfd >= 0 && config_basename != NULL) {
+        int cfd = openat(config_dirfd, config_basename,
+                O_RDONLY | O_CLOEXEC);
+        if (cfd < 0) {
+            err("%s: unable to open configuration file: %s",
+                    __func__, config->filename);
+            free_config(config, loop);
+            return NULL;
+        }
+        file = fdopen(cfd, "r");
+        if (file == NULL) {
+            close(cfd);
+            err("%s: unable to open configuration file: %s",
+                    __func__, config->filename);
+            free_config(config, loop);
+            return NULL;
+        }
+    } else {
+        file = fopen(config->filename, "r");
+        if (file == NULL) {
+            err("%s: unable to open configuration file: %s",
+                    __func__, config->filename);
+            free_config(config, loop);
+            return NULL;
+        }
     }
 
     /* Check permissions on opened file to prevent TOCTOU.
@@ -1984,3 +2012,40 @@ int
 config_get_allow_group_read(void) {
     return allow_group_read;
 }
+
+#if defined(__FreeBSD__) && defined(HAVE_CAPSICUM)
+int
+config_prepare_capsicum(const char *filename) {
+    char *pathcopy, *dir, *base;
+
+    if (filename == NULL)
+        return -1;
+
+    pathcopy = strdup(filename);
+    if (pathcopy == NULL)
+        return -1;
+    dir = dirname(pathcopy);
+
+    config_dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
+    free(pathcopy);
+    if (config_dirfd < 0)
+        return -1;
+
+    pathcopy = strdup(filename);
+    if (pathcopy == NULL) {
+        close(config_dirfd);
+        config_dirfd = -1;
+        return -1;
+    }
+    base = basename(pathcopy);
+    config_basename = strdup(base);
+    free(pathcopy);
+    if (config_basename == NULL) {
+        close(config_dirfd);
+        config_dirfd = -1;
+        return -1;
+    }
+
+    return 0;
+}
+#endif

src/config.h

@@ -76,5 +76,8 @@ void free_config(struct Config *, struct ev_loop *);
 void print_config(FILE *, struct Config *);
 void config_set_allow_group_read(int);
 int config_get_allow_group_read(void);
+#if defined(__FreeBSD__) && defined(HAVE_CAPSICUM)
+int config_prepare_capsicum(const char *);
+#endif
 
 #endif