On this page:
1.1 Quickstart
1.2 Advanced Installation
1.2.1 System requirements
1.2.2 Kernel modifications
1.2.3 Pre-requisites
1.2.4 Installation

1 Installation

Shill requires a few patches to the FreeBSD kernel to enable additional security checks that support capability-based sandboxing. To make getting started easy, we provide two installation options:

If you want to experiment with Shill or don’t use FreeBSD, choose Quickstart. If you want to install Shill on an existing FreeBSD system, choose Advanced Installation.

1.1 Quickstart

Download and install VirtualBox and Vagrant. Vagrant is a tool for distributing, configuring and running virtual machines.

Getting Shill up and running using Vagrant requires a Vagrant plugin for restarting the virtual machine during its initial configuration. Install it by running vagrant plugin install vagrant-reload.

To create a virtual machine with Shill installed, simply clone the git repository https://github.com/HarvardPL/shill and run vagrant up in the top-level directory of the repository.

Once the virtual machine has been provisioned, you can log into the machine using vagrant ssh, shut down the machine using vagrant halt, and launch it again using vagrant up.

The root password is "vagrant". In addition, there is a default user "vagrant" whose password is "vagrant". You can find Shill’s source code, including examples, in the "vagrant" user’s home directory.

The virtual machine has very few packages installed. You can install more using FreeBSD’s package manager. For instructions on installing a graphical user interface, see the FreeBSD handbook and the Vagrant VirtualBox provider documentation.

1.2 Advanced Installation

The advanced installation instructions assume familiarity with installing and configuring a FreeBSD system.

1.2.1 System requirements

Shill is currently compatible with FreeBSD version 9.3.0. Shill requires that mounted filesystems support the "multilabel" feature. In particular, Shill cannot be used with the zfs filesystem.

1.2.2 Kernel modifications

Shill requires patches to the Mandatory Access Control framework to support capability-based sandboxes. To install our modified kernel, clone the ShillBSD git repository, and then build and install the kernel.

1.2.3 Pre-requisites

Shill requires Racket 6.1, which can be installed from ports or by invoking pkg install racket.

Mounted filesystems should support the "multilabel" feature. You can enable "multilabel" with tunefs -l enable / while in single-user mode.

1.2.4 Installation

First, clone the shill git repository. From the top-level directory, compile Shill with make and then install with make install. Installation requires superuser privileges.

To enable Shill’s capability based sandbox, you must activate the Shill kernel module by adding the line shill_load="YES" to the file /boot/loader.conf and rebooting.

Shill is now ready for use.