Rainbow/Current Situation

From OLPC
Jump to: navigation, search

Rainbow :: git :: sources :: rainbow-0.8.6.tar.bz2 :: announcement


Features

The main features implemented by the current design are:

  • process isolation
  • filesystem isolation
  • optional primitive video/audio hardware isolation
  • optional experimental X11 isolation

Design

Rainbow has been implemented according to three designs to date.

The present design, implemented in the "rainbow-0.8.*" series, works to isolate processes by confining them to accounts with access control credentials which limit the confined programs' ability to commit side-effects like filesystem I/O.

Structurally, the design consists of:

  1. a "UI" layer, containing:
  2. an injection library, which contains Rainbow's isolation logic
  3. an NSS module.

These components have the following responsibilities:

  1. The UI is responsible for figuring out what to do and for handing that information to a separate injection library.
  2. The injection is responsible for:
    • acting on isolation requests by manipulating persistent state held in a filesystem spool,
    • dropping privilege, and
    • handing control to the program being isolated.
  3. Finally, the rainbow NSS module lets other programs read the rainbow spool through the usual POSIX APIs for reading system databases.

This structure was chosen to so that rainbow can be used from freedesktop.org .desktop launcher files, from the command-line, and from custom graphical shells like Sugar with equal ease and so that changes to rainbow can operate without munging important system files like /etc/passwd and /etc/group.

Implementation

Here are some key ideas underlying the current implementation:

  1. "Owners" are the accounts on behalf of which we are isolating a program. They need access to data produced by that program and to space ("topic dirs" and "data groups") through which to share information with it.
  2. Some times, people will want to re-use a container. Other times, they'll want a fresh one. Containers, being accounts, are identified by uid.
  3. Control flow is linear within controlling functions like main() and inject().
    • Exceptions are used to terminate control flow and to record information about the program's situation when it terminates.
    • Input validation is performed by functions named check_foo()
  4. State is maintained in a simple filesystem-embedded microformat.
    • Reservations are recorded in foo_pool
    • Maps are named foo_to_bar
    • Key-value pairs are entries are symlinks from key->value.
    • SQLite would probably have worked just as well, except that its algorithms are not lock-free.
  5. We provide isolation by generating low-privilege accounts through the NSS module, then by calling things like
    • chown()
    • chmod()
    • setrlimit()
    • setgroups()
    • setgid()
    • setuid()
  6. Task-specific "assistant" program like rainbow-xify or rainbow-sugarize provide isolated software with access to task-specific shared resources like:
    • D-Bus sockets,
    • D-Bus cookies,
    • X sockets,
    • X cookies, and
    • temporary filesystems
  7. Mounting filesystems needs to be done as root and is presently done in a new filesystem namespace (see CLONE_NEWNS) in order to reduce resource leakage.

Other Notes

See User:Mstone/Tricks for more detail on some of the idioms used rainbow.