Date: Fri, 18 Jul 2008 13:05:42 -0700 From: Lyndon Nerenberg <lyndon@orthanc.ca> To: Robert Watson <rwatson@freebsd.org> Cc: Liste FreeBSD-security <freebsd-security@freebsd.org> Subject: Re: A new kind of security needed Message-ID: <05661513-E0DA-4B33-BD4E-FCF73943F332@orthanc.ca> In-Reply-To: <20080717085136.B87887@fledge.watson.org> References: <f383264b0807161710m285ed915m8ea9d088fbe83df9@mail.gmail.com> <alpine.BSF.1.00.0807162303490.34772@treehorn.dfmm.org> <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2008-Jul-17, at 00:54 , Robert Watson wrote: > FWIW, I have some work in progress on the capability front, but it's > a highly complex issue that will take years to work through > properly. Unfortunately, the real issue isn't so much the OS > primitives as building up a non-trivial application base that uses > them. Providing primitives to subdivie applications isn't easy, but > once you've done that you still have to rewrite lots of applications > to take advantage of it, and in a way that shows a lot more > application programmer discipline. It's not clear to me that the > pressure is there to make feature-driven application development for > major desktop applications adopt techniques of this sort. Realistically, this will never happen. It would require *every*one agreeing on a single consistent API, and that just won't happen with any sort of policy-based mechanism. It's sad people don't pay more attention to Plan 9. Namespaces go a long way towards solving this problem in a manner that's completely transparent to the application, and trivial for the end-user to configure and use. See: http://plan9.bell-labs.com/sys/doc/names.html http://plan9.bell-labs.com/magic/man2html/1/0intro http://plan9.bell-labs.com/magic/man2html/4/namespace In a nutshell, your view of the 'filesystem' is fully mutable. A simple 'rfork n' in the shell will instantiate a brand new instance of the namespace, which you can then fiddle to your heart's content. E.g. rfork n bind /usr/ftp / creates a namespace where /usr/ftp (by convention the anonymous FTP directory) is now the "root" directory of the process' filesystem. Analogous system calls exist for programmatic use. And since there is no concept of (or need for) a 'superuser' these facilities are available to everyone. This makes sandboxing trivial for any number of remotely accessible network services as well as to the interactive system user. Both files and directories can be bind targets, and the source of the bind can as easily be a program as a file or directory; the ability to create secure synthetic filesystems just naturally falls out of this paradigm. And the applications are blissfully unaware that any of this even exists. --lyndon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?05661513-E0DA-4B33-BD4E-FCF73943F332>