Rainbow/Current Situation: Difference between revisions
Revision as of 21:26, 12 June 2009
Design
Rainbow has been implemented according to three designs to date. The present design, implemented in the "rainbow-0.8.*" series, works like this:
rainbow-0.8.* isolates processes by confining them to accounts with access control credentials which limit the confined programs' ability to commit side-effects like filesystem I/O.
rainbow-0.8.* consists of:
- a "UI" layer, containing:
  - the rainbow-run "exec-wrapper" and
  - some higher-level tools based on that program, such as the rainbow-easy convenience wrapper.
- an injection library, which contains Rainbow's isolation logic
- an NSS module.
These components have the following responsibilities:
- The UI is responsible for figuring out what to do and for handing that information to a separate injection library.
- The injection library is responsible for:
  - acting on isolation requests by manipulating persistent state held in a filesystem spool,
  - dropping privilege, and
  - handing control to the program being isolated.
- Finally, the rainbow NSS module lets other programs read the rainbow spool through the usual POSIX APIs for reading system databases.
This structure was chosen so that rainbow can be used from freedesktop.org .desktop launcher files, from the command line, and from custom graphical shells like Sugar with equal ease, and so that changes to rainbow can operate without munging important system files like /etc/passwd and /etc/group.
Implementation Notes
- State is maintained in a simple filesystem-embedded microformat:
  - Reservations are recorded in foo_pool.
  - Maps are named foo_to_bar.
  - Key-value entries are symlinks from key to value.
  - SQLite would have worked just as well.
- We provide isolation by generating low-privilege accounts through the NSS module, then by calling things like:
  - setrlimit()
  - setgroups()
  - setgid()
  - setuid()
- Task-specific "assistant" programs like rainbow-xify or rainbow-sugarize provide isolated software with access to task-specific shared resources like:
  - D-Bus sockets,
  - D-Bus cookies,
  - X sockets,
  - X cookies, and
  - temporary filesystems.
- Mounting filesystems needs to be done as root and is presently done in a new filesystem namespace (see CLONE_NEWNS) in order to reduce resource leakage.
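The spool microformat and the ordered privilege drop described in the notes above, as an added Python example that is not rainbow's own code: the uid_pool, name_to_uid and uid_to_name directory names, the uid range and the sample activity names are assumptions chosen to illustrate the foo_pool / foo_to_bar convention.

```python
import os
import resource
import tempfile

# Assumption: confined uids come from a range like this; the values are constructed.
UID_RANGE = range(10000, 10100)

def new_spool():
    """Throwaway spool directory standing in for rainbow's real on-disk spool."""
    return tempfile.mkdtemp(prefix="rainbow-spool-")

def lookup(spool, mapname, key):
    """One entry of a foo_to_bar map: a symlink from key to value, or None if absent."""
    link = os.path.join(spool, mapname, key)
    return os.readlink(link) if os.path.islink(link) else None

def reserve_uid(spool, name):
    """Reserve a uid for `name` in uid_pool and record both map directions; idempotent."""
    existing = lookup(spool, "name_to_uid", name)
    if existing is not None:
        return int(existing)
    for d in ("uid_pool", "name_to_uid", "uid_to_name"):
        os.makedirs(os.path.join(spool, d), exist_ok=True)
    for uid in UID_RANGE:
        try:  # O_EXCL makes the reservation atomic: racing callers never share a uid
            fd = os.open(os.path.join(spool, "uid_pool", str(uid)),
                         os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:
            continue
        os.close(fd)
        os.symlink(str(uid), os.path.join(spool, "name_to_uid", name))
        os.symlink(name, os.path.join(spool, "uid_to_name", str(uid)))
        return uid
    raise RuntimeError("uid_pool exhausted")

def drop_privileges(uid, gid, nofile=256):
    """Ordered drop before exec: limits and supplementary groups first, then gid, then uid.
    Once setuid() has succeeded the process can no longer change its groups."""
    resource.setrlimit(resource.RLIMIT_NOFILE, (nofile, nofile))
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # Confirm the drop took effect and cannot be undone before handing over control.
    if (os.getuid(), os.geteuid(), os.getgid()) != (uid, uid, gid):
        raise RuntimeError("privilege drop incomplete")
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop is reversible")
```

drop_privileges() must run as root inside the process that will exec the confined program; the spool functions work as any user.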
Idioms
See User:Mstone/Tricks for more detail.