Rainbow/Current Situation: Difference between revisions

From OLPC
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
Line 3: Line 3:
'''Design'''
'''Design'''


Rainbow has been implemented according to [[Rainbow/Historical Designs|three designs]] to date. The present design, implemented in the "rainbow-0.8.*" series, works like this:
Rainbow has been implemented according to [[Rainbow/Historical Designs|three designs]] to date.


rainbow-0.8.* isolates [http://en.wikipedia.org/wiki/Process_(computing) processes] by confining them to accounts with access control [http://linux.die.net/man/7/credentials credentials] which limit the confined programs' ability to commit side-effects like [http://www.tldp.org/LDP/khg/HyperNews/get/fs/vfstour.html filesystem I/O].
The present design, implemented in the "rainbow-0.8.*" series, works to isolate [http://en.wikipedia.org/wiki/Process_(computing) processes] by confining them to accounts with access control [http://linux.die.net/man/7/credentials credentials] which limit the confined programs' ability to commit side-effects like [http://www.tldp.org/LDP/khg/HyperNews/get/fs/vfstour.html filesystem I/O].


rainbow-0.8.* consists of:
Structurally, the design consists of:


# a "UI" layer, containing:
# a "UI" layer, containing:

Revision as of 21:36, 12 June 2009

Rainbow :: git :: sources :: rainbow-0.8.6.tar.bz2 :: announcement


Design

Rainbow has been implemented according to three designs to date.

The present design, implemented in the "rainbow-0.8.*" series, works to isolate processes by confining them to accounts with access control credentials which limit the confined programs' ability to commit side-effects like filesystem I/O.

Structurally, the design consists of:

  1. a "UI" layer, containing:
  2. an injection library, which contains Rainbow's isolation logic
  3. an NSS module.

These components have the following responsibilities:

  1. The UI is responsible for figuring out what to do and for handing that information to a separate injection library.
  2. The injection is responsible for:
    • acting on isolation requests by manipulating persistent state held in a filesystem spool,
    • dropping privilege, and
    • handing control to the program being isolated.
  3. Finally, the rainbow NSS module lets other programs read the rainbow spool through the usual POSIX APIs for reading system databases.

This structure was chosen to so that rainbow can be used from freedesktop.org .desktop launcher files, from the command-line, and from custom graphical shells like Sugar with equal ease and so that changes to rainbow can operate without munging important system files like /etc/passwd and /etc/group.

Implementation Notes

  1. "Owners" are the accounts on behalf of which we are isolating a program. They need access to data produced by that program and to space ("topic dirs" and "data groups") through which to share information with it.
  2. Some times, people will want to re-use a container. Other times, they'll want a fresh one. Containers, being accounts, are identified by uid.
  3. State is maintained in a simple filesystem-embedded microformat.
    • Reservations are recorded in foo_pool
    • Maps are named foo_to_bar
    • Key-value pairs are entries are symlinks from key->value.
    • SQLite would probably have worked just as well, except that its algorithms are not lock-free.
  4. We provide isolation by generating low-privilege accounts through the NSS module, then by calling things like
    • chown()
    • chmod()
    • setrlimit()
    • setgroups()
    • setgid()
    • setuid()
  5. Task-specific "assistant" program like rainbow-xify or rainbow-sugarize provide isolated software with access to task-specific shared resources like:
    • D-Bus sockets,
    • D-Bus cookies,
    • X sockets,
    • X cookies, and
    • temporary filesystems
  6. Mounting filesystems needs to be done as root and is presently done in a new filesystem namespace (see CLONE_NEWNS) in order to reduce resource leakage.

Idioms

See User:Mstone/Tricks for more detail.