Rainbow/Current Situation
Rainbow :: git :: sources :: rainbow-0.8.6.tar.bz2 :: announcement
Design
Rainbow has been implemented according to three designs to date. The present design, implemented in the "rainbow-0.8.*" series, works like this:
rainbow-0.8.* isolates programs (processes) by confining them to accounts with access control credentials which limit the confined programs' ability to commit side-effects like filesystem I/O.
In particular, rainbow-0.8.* provides isolation by means of traditional Unix permissions. It creates the accounts used for this task by means of an NSS module which modifies the appropriate system databases.
Implementation
rainbow-0.8.* is used via the rainbow-run "exec-wrapper" or some higher-level tool based on that program such as the rainbow-easy convenience wrapper. Either way, the rainbow-run wrapper eventually receives control from a higher-level shell, performs any requested isolation steps, and hands control over to isolated program. This way, rainbow can be used from freedesktop.org .desktop launcher files, from the command-line, and from custom graphical shells like Sugar with equal ease.
Notes
- State is maintained in a simple filesystem-embedded microformat.
- Reservations are recorded in foo_pool
- Maps are named foo_to_bar
- Key-value pairs are entries are symlinks from key to value.
- SQLite would have worked just as well.
- We provide isolation by generating low-privilege accounts through the NSS module, then by calling things like
- setrlimit()
- setgroups()
- setgid()
- setuid()
- Task-specific "assistant" program like rainbow-xify or rainbow-sugarize provide isolated software with access to task-specific shared resources like:
- D-Bus sockets,
- D-Bus cookies,
- X sockets,
- X cookies, and
- temporary filesystems
- Mounting filesystems needs to be done as root and is presently done in a new filesystem namespace (see CLONE_NEWNS) in order to reduce resource leakage.
Idioms
See User:Mstone/Tricks for more detail.
