Rainbow: Difference between revisions

From OLPC
Jump to navigation Jump to search
Line 51: Line 51:
In particular, rainbow-0.8.* provides isolation by means of [http://en.wikipedia.org/wiki/File_system_permissions traditional Unix permissions]. It creates the accounts used for this task by means of an [http://www.gnu.org/s/libc/manual/html_node/Name-Service-Switch.html NSS] [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/nss/nss-rainbow.c module] which modifies the appropriate [http://www.gnu.org/s/libc/manual/html_node/Users-and-Groups.html system databases].
In particular, rainbow-0.8.* provides isolation by means of [http://en.wikipedia.org/wiki/File_system_permissions traditional Unix permissions]. It creates the accounts used for this task by means of an [http://www.gnu.org/s/libc/manual/html_node/Name-Service-Switch.html NSS] [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/nss/nss-rainbow.c module] which modifies the appropriate [http://www.gnu.org/s/libc/manual/html_node/Users-and-Groups.html system databases].


rainbow-0.8.* is used via the [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/bin/rainbow-run rainbow-run] [http://en.wikipedia.org/wiki/Chain_loading "exec-wrapper"] or some higher-level tool based on that program such as the [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/bin/rainbow-easy rainbow-easy] convenience wrapper. Either way, the <tt>rainbow-run</tt> wrapper eventually receives control from a higher-level shell, [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/inject.py performs any requested isolation steps], and hands control over to isolated program. This way, rainbow can be used from [http://freedesktop.org freedesktop.org] [http://standards.freedesktop.org/desktop-entry-spec/latest/ .desktop] launcher files, from the command-line, and from custom graphical shells like [[Sugar]] with equal ease.
rainbow-0.8.* is used via the [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/bin/rainbow-run rainbow-run] [http://en.wikipedia.org/wiki/Chain_loading "exec-wrapper"] or some higher-level tool based on that program such as the [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/bin/rainbow-easy rainbow-easy] convenience wrapper. Either way, the <tt>rainbow-run</tt> wrapper eventually receives control from a higher-level shell, performs any requested [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/inject.py isolation steps], and hands control over to isolated program. This way, rainbow can be used from [http://freedesktop.org freedesktop.org] [http://standards.freedesktop.org/desktop-entry-spec/latest/ .desktop] launcher files, from the command-line, and from custom graphical shells like [[Sugar]] with equal ease.


== Installation ==
== Installation ==

Revision as of 19:33, 12 June 2009

  english | español HowTo [ID# 210011]  +/-  

Translate this page with Google -español -български -中文(中国大陆) -中文(臺灣) -hrvatski -čeština -dansk -Nederlands -suomi -français -Deutsch -Ελληνικά -हिन्दी -italiano -日本語 -한국어 -norsk -polski -português -română -русский -svenska


Introduction

git :: sources :: rainbow-0.8.4.tar.bz2 :: announcement

The Bitfrost security specification argues that existing desktop security conventions do not meet the security needs of adventurous kids in 1-1 computing programs, of the technical staff who help maintain such initiatives, and of the political constituencies which determine where such programs take place. The most serious inadequacy of such systems is that they force end-users to take unnecessary security risks (for example, giving all programs a user runs access to the network, to auto-start facilities, and to other programs' data files) while simultaneously denying users the opportunity to do things which can be done safely but which were not anticipated by the system administrator (notably, installing new software or modifying the local system.) Consequently, we wrote Rainbow.

Rainbow is an isolation shell. This means two things:

  1. shell: Rainbow runs programs on behalf of humans and programs. Rainbow provides those programs with a suitable environment: places in which temporary and persistent data can be stored, environment variables to identify those places, etc.
  2. isolation: People and programs should use Rainbow when they want to isolate programs from other programs and important system resources. "Isolation" is already a familiar concept to most UNIX programmers: many system daemons already operate using their own unique UID and/or GID, and most have private places in which they store their configuration. Rainbow generalizes and extends this paradigm by providing every program it runs with a unique identity, with private storage, with pre-configured resource usage limits, etc.

At the moment, Rainbow only knows how to provide the same primitive form of filesystem and signal isolation that competent sysadmins provide to users of multi-user Unix shell servers.

However, contributions are welcome, particularly contributions which advance existing plans.

For Activity Developers

Though Rainbow is general-purpose software, it is most frequently encountered in the context of Sugar in that when a human asks Sugar to start an activity, Rainbow is usually the software which actually asks the Linux kernel to do the 'starting'. You can find out more about the restrictions Rainbow places on software that it runs in this context in the low-level activity api documentation, in the Sugar almanac, or below.

Filesystem Isolation

Suppose program A (e.g. sugar) uses rainbow-0.7.x to isolate program B (e.g. your activity).

  1. Rainbow's isolation means that program A's $HOME and program B's $HOME will be different directories and that, in general, program B will have no authority write (or perhaps, to read) files contained in program A's $HOME.
  2. Programs isolated by early versions of rainbow-0.7.x are only permitted to write to three subdirectories of their $HOME directories. You can read the low-level activity api for the gory details; the summary is that if your software needs to be portable over XO software releases 7.1-8.2 (e.g. builds 650, 656, 703, 767), then you are only guaranteed the ability to write to $SUGAR_ACTIVITY_ROOT/{data,tmp,instance}. Note: "$SUGAR_ACTIVITY_ROOT" is commonly abbreviated as "$SAR" in conversations and in this text.
  3. Rainbow-0.7.x guarantees that only $SAR/data will be available the next time your activity is launched. The other two directories will be wiped clean at various convenient times in the future.
  4. Persistent data saved in $SAR/data MUST be group-readable and writable so that new instances of your activity can continue to manipulate it. Rainbow tries to make this easy for you by setting umask(000) but there are some libraries (particularly those provided by Mozilla) which hard-code the use of inappropriate file modes.

Disabling Rainbow for Testing

Sugar's use of Rainbow can be trivially disabled by running

rm /etc/olpc-security

as root. It can be re-enabled by running

touch /etc/olpc-security

also as root.

Customizing Isolation

The Activity bundles' activity/permissions.info documentation offer some hints on how activities may currently customize the isolation provided by rainbow.

Design

Rainbow has been implemented according to three designs to date. The present design, implemented in the "rainbow-0.8.*" series, works like this:

rainbow-0.8.* isolates programs (processes) by confining them to accounts with access control credentials which limit the confined programs' ability to commit side-effects like filesystem I/O.

In particular, rainbow-0.8.* provides isolation by means of traditional Unix permissions. It creates the accounts used for this task by means of an NSS module which modifies the appropriate system databases.

rainbow-0.8.* is used via the rainbow-run "exec-wrapper" or some higher-level tool based on that program such as the rainbow-easy convenience wrapper. Either way, the rainbow-run wrapper eventually receives control from a higher-level shell, performs any requested isolation steps, and hands control over to isolated program. This way, rainbow can be used from freedesktop.org .desktop launcher files, from the command-line, and from custom graphical shells like Sugar with equal ease.

Installation

Last updated: Michael Stone 21:07, 9 March 2009 (UTC)

The basic idea is to install rainbow, either

from source:

RAINBOW=rainbow-0.8.4
wget http://dev.laptop.org/~mstone/releases/SOURCES/$RAINBOW.tar.bz2
tar xf $RAINBOW.tar.bz2 && cd $RAINBOW
make build
sudo make install

from a distro package:

  • Fedora >= 10: yum install rainbow
  • Ubuntu: Bernie's PPA contains some basic rainbow packages which you can install.
  • Other: Install rainbow from source or help others by packaging it for your distro!

from a unified builder or image:

like sugar-jhbuild or Sugar on a Stick (SoaS). (nb: future work)

setup:

In order for rainbow to function, you need to inject its users and groups into the system by running:

sudo /bin/sed -i -e s/^passwd:/passwd:\ rainbow/ /etc/nsswitch.conf
sudo /bin/sed -i -e s/^group:/group:\ rainbow/ /etc/nsswitch.conf

To use the current "rainbow-easy" helper, you need to have an "audio" group on your system:

sudo groupadd -f audio

To use Rainbow with Sugar Activities, you need to add the following line to /etc/dbus-1/session.conf inside the <policy context="default"> section:

   <allow user="*"/>

This will allow other uids besides yours to access the session bus. This might allow people on the same machine to control your applications and access your data, so only make this change if you're fine with that (e.g. no one else or only trusted ones using your computer). (We hope to improve on this situation in the future.)

Congratulations. You are now ready to test rainbow.

Testing

Rainbow is easy to test in chroots, for example, those created by mock. See test-rainbow and, in particular,this small multi-user test script.

To test it on a regular system, you might install it, then run something like:

 sudo rainbow-easy gaming /bin/bash
 sudo rainbow-easy banking /usr/bin/firefox -no-remote
 sudo rainbow-easy av /usr/bin/mplayer ~/some/movie

These examples will drop you into an isolated bash session, firefox session, or mplayer session in which you can play.

NB: If you want to isolate more complicated software, then you're going to use the low-level rainbow-run interface used by rainbow-easy. Here are some examples to help you get started:

 Launch mplayer with a fresh nested Xephyr X server. 
 sudo rainbow-run -v -v -v -s /var/spool/rainbow/2 -u $USER -c "`pwd`" -f 0 -f 1 -f 2 -E "DISPLAY=:0" -o audio -a /usr/bin/rainbow-xify -o xephyr -- /usr/bin/mplayer ~/some/movie
 Launch bash in a previously generated container.
 sudo rainbow-run -v -v -v -s /var/spool/rainbow/2 -u $USER -f 0 -f 1 -f 2 -i secrets -r 10000 -- /bin/bash
 

Obviously, please contribute more automated tests, helpers, and bug reports!

Next Steps

Last updated: Michael Stone 21:59, 16 May 2009 (UTC)

Job control features
There are a couple of small impedance mismatches that will need to be overcome; e.g. sugar needs a way to kill an activity, a way to garbage-collect dead jails.
D-Bus changes for sugar activities
We need to find a way to make dbus session buses happy accepting connections from per-bus groups of users.
The current plan is to implement a "group_pattern" authorization attribute and to have libnss_rainbow synthesize the appropriate group memberships. We'll start with positive and negative automated tests.
Ben Schwartz points out that this functionality could also be hacked together with the regular allow-group authorization element if only dbus session buses sourced per-user configuration.
sugar-jhbuild integration
Sugar folks have asked for jhbuild integration to ease testing. Maybe some kind soul will donate it?
P_NETWORK
We'd like to have the option to restrict a program's access to the network. James Morris suggests that we check out unshare(CLONE_NEWNET).
See Isolation LSM, http://lkml.org/lkml/2009/1/7/18, and http://lkml.org/lkml/2009/1/7/613 for some other approaches.
P_DOCUMENT*
Requested by Gary C. Martin. To implement this, we need to put some authorization gates in the datastore, then somehow record which data should be accessible to which activities. (Or maybe we could do it all with ACLs?)
See Olpcfs, Journal reloaded, Olpcfs2, and Journal and Overlays for some other approaches.
P_X
http://dev.laptop.org/git/users/mstone/security/log/?h=xephyr contains very rough patches which cause rainbow to generate Xephyrs in which to isolate some of its clients' X abuse.
-- NB: Recent versions of Xephyr (>=1.5.99) are required for OpenGL clients.
-- Also, Firefox doesn't yet like Xephyr. Help debugging would be greatly appreciated.
Future work: try out XSECURITY on the main xserver (i.e. by making activities untrusted clients) and see where that leaves us. Then on to XACE as per previous discussion
-- unfortunately, it seems (c.f. ssh man page) that most apps break when you treat them as untrusted clients. Hmm.

Demo Ideas

  • (paraphrase): "The insight behind Rainbow is that the problem of isolating an operator from his/her programs is similar to the problem of isolating users of a shared server from one another and from root." -- C. Scott Ananian
  • "I see the cool parts [of Rainbow] as (1) per-instance isolation, (2) isolation without virtualization, and (3) isolation using the uid mechanisms. All three are unique and impressive." -- Ben Schwartz
(NB: Actually, lots of other people have played with these ideas. plash is a compelling example.)

Ideas:

  • Give people an isolated Terminal to play in.
  • Show off rlimits with a fork-bomb.
  • Show off filesystem protections -- rm -rf, restriction of readable dirs, etc.

Items of Historical Interest