Rainbow: Difference between revisions

From OLPC
Jump to navigation Jump to search
mNo edit summary
Line 29: Line 29:


The basic design principles of the present 0.7-series incarnation of rainbow were presented in [http://dev.laptop.org/git?p=security;a=blob;f=rainbow.txt;hb=HEAD rainbow.txt]. The implementation of rainbow can be found alongside that file in the "rainbow/rainbow" subdirectory of [http://dev.laptop.org/git/security security git repo] and in its several forks. Finally, a somewhat dated [[Taste the Rainbow|guided tour]] of the source code is available.
The basic design principles of the present 0.7-series incarnation of rainbow were presented in [http://dev.laptop.org/git?p=security;a=blob;f=rainbow.txt;hb=HEAD rainbow.txt]. The implementation of rainbow can be found alongside that file in the "rainbow/rainbow" subdirectory of [http://dev.laptop.org/git/security security git repo] and in its several forks. Finally, a somewhat dated [[Taste the Rainbow|guided tour]] of the source code is available.

== Testing ==

=== Automated ===

See [http://dev.laptop.org/git/users/mstone/test-rainbow test-rainbow]. This code sets up a mock chroot in which rainbow can be tested, then runs a small multi-user test script.

=== Fedora ===

# on rawhide:
yum install rainbow
...

=== Ubuntu ===

[https://launchpad.net/~codewiz/+archive/ppa Bernie's PPA] contains some basic rainbow packages which you can install.

=== jhbuild ===

# TBD; talk to Sascha Silbe for help.


== Next Steps ==
== Next Steps ==
Line 65: Line 85:
* [http://lists.laptop.org/pipermail/security/2008-January/000370.html "Why not SELinux?"]
* [http://lists.laptop.org/pipermail/security/2008-January/000370.html "Why not SELinux?"]
* [http://lists.laptop.org/pipermail/sugar/2007-November/003725.html "Bitfrost Compliance for Update.1" announcement mail]
* [http://lists.laptop.org/pipermail/sugar/2007-November/003725.html "Bitfrost Compliance for Update.1" announcement mail]

* {{Ticket|2732}}, {{Ticket|2906}}, {{Ticket|4184}} - influential tickets in the history of rainbow
* {{Ticket|2732}}, {{Ticket|2906}}, {{Ticket|4184}} - influential tickets in the history of rainbow



Revision as of 17:10, 24 February 2009

  This page is monitored by the OLPC team.
  english | español HowTo [ID# 196344]  +/-  

Translate this page with Google -español -български -中文(中国大陆) -中文(臺灣) -hrvatski -čeština -dansk -Nederlands -suomi -français -Deutsch -Ελληνικά -हिन्दी -italiano -日本語 -한국어 -norsk -polski -português -română -русский -svenska


Introduction

Rainbow implements the isolation shell implicitly described in the Bitfrost security specification. This means that it isolates activities (and eventually system services) that it is asked to run from one another and the rest of the system.

Rainbow implements this isolation by generating a new uid (and perhaps a new gid) for each program it is asked to run. Running each activity as a separate user means that standard Unix access checks can be used as the primary 'gate' to control the visibility of activity-driven side-effects like reading from or writing to files or devices or signalling other processes.

For Activity Developers

When the user asks Sugar to start your activity, Rainbow is the software which actually asks the Linux kernel to do the 'starting'. However, in order to achieve the security goals described in Bitfrost, it places some restrictions on your software. You can find out more about these restrictions in the low-level activity api documentation. (In the future, the Sugar almanac may also contain some similar information).

Disabling Rainbow for Testing

Rainbow can be trivially disabled by running

rm /etc/olpc-security

as root. It can be re-enabled by running

touch /etc/olpc-security

also as root.


Design and Implementation

The basic design principles of the present 0.7-series incarnation of rainbow were presented in rainbow.txt. The implementation of rainbow can be found alongside that file in the "rainbow/rainbow" subdirectory of security git repo and in its several forks. Finally, a somewhat dated guided tour of the source code is available.

Testing

Automated

See test-rainbow. This code sets up a mock chroot in which rainbow can be tested, then runs a small multi-user test script.

Fedora

 # on rawhide:
 yum install rainbow
 ...

Ubuntu

Bernie's PPA contains some basic rainbow packages which you can install.

jhbuild

 # TBD; talk to Sascha Silbe for help.

Next Steps

Accessibility to Developers
Debian packaging + cli interface + pristine-root + automated testing
code: see the 'integration' branches of rainbow and nss-rainbow and the 'master' branch of test-rainbow
P_NETWORK
See Isolation LSM, http://lkml.org/lkml/2009/1/7/18, and http://lkml.org/lkml/2009/1/7/613.
P_DOCUMENT*
See Olpcfs and Journal reloaded, other thoughts welcome.
P_X
-- we'll start by trying out XSECURITY (i.e. by making activities untrusted clients) and see where that leaves us. Then on to XACE as per previous discussion
-- unfortunately, it seems (c.f. ssh man page) that most apps break when you treat them as untrusted clients. Hmm.

Demo Ideas

  • (paraphrase): "The insight behind Rainbow is that the problem of isolating an operator from his/her programs is similar to the problem of isolating users of a shared server from one another and from root." -- C. Scott Ananian
  • "I see the cool parts [of Rainbow] as (1) per-instance isolation, (2) isolation without virtualization, and (3) isolation using the uid mechanisms. All three are unique and impressive." -- Ben Schwartz
(NB: Actually, lots of other people have played with these ideas. plash is a compelling example.)

Ideas:

  • Give people an isolated Terminal to play in.
  • Show off rlimits with a fork-bomb.
  • Show off filesystem protections -- rm -rf, restriction of readable dirs, etc.

Items of Historical Interest