Rainbow: Difference between revisions

From OLPC
Jump to navigation Jump to search
mNo edit summary
m (Reverted edits by 77.64.72.243 (Talk) to last revision by FGrose)
 
(113 intermediate revisions by 9 users not shown)
Line 1: Line 1:
{{OLPC}}
{{developers}}
{{translations}}
{{translations}}
<noinclude>{{Google Translations}}
== Introduction ==
[[Category:Security]]
</noinclude>{{Rainbow page}}


Rainbow implements the isolation shell implicitly described in the [[OLPC Bitfrost|Bitfrost]] security specification. This means that it isolates activities (and eventually system services) that it is asked to run from one another and the rest of the system.
The [[OLPC Bitfrost|Bitfrost]] security specification argues that existing desktop security conventions do not meet the security needs:
* of adventurous kids in 1-1 computing programs,
* of the technical staff who help maintain such initiatives, and
* of the political constituencies which determine where such programs take place.
The most serious inadequacy of such systems is that they force end-users to take unnecessary security risks (for example, giving all programs a user runs access to the network, to auto-start facilities, and to other programs' data files) while simultaneously denying users the opportunity to do things which can be done safely but which were not anticipated by the system administrator (notably, installing new software or modifying the local system.)


Consequently, [[Security credits#Activity Isolation|we]] wrote [http://dev.laptop.org/git/users/mstone/security/tree/rainbow Rainbow].
Rainbow implements this isolation by generating a new uid (and perhaps a new gid) for each program it is asked to run. Running each activity as a separate user means that standard Unix access checks can be used as the primary 'gate' to control the visibility of activity-driven side-effects like reading from or writing to files or devices or signalling other processes.


Rainbow is an isolation shell. This means two things:
== For Activity Developers ==


# ''shell'': Rainbow runs programs on behalf of humans and programs. Rainbow provides those programs with a suitable environment: places in which temporary and persistent data can be stored, environment variables to identify those places, etc.
When the user asks Sugar to start your activity, Rainbow is the software which actually asks the Linux kernel to do the 'starting'. However, in order to achieve the security goals described in Bitfrost, it places some restrictions on your software. You can find out more about these restrictions in both the [[Low-level Activity API]] and the [[Sugar almanac]].
# ''isolation'': People and programs should use Rainbow when they want to isolate programs from other programs and important system resources. "Isolation" is already a familiar concept to most UNIX programmers: many system daemons already operate using their own unique UID and/or GID, and most have private places in which they store their configuration. Rainbow generalizes and extends this paradigm by providing every program it runs with a unique identity, with private storage, with pre-configured resource usage limits, etc.


At the moment, Rainbow only knows how to provide the same primitive form of filesystem and signal isolation that competent sysadmins provide to users of multi-user Unix shell servers.
== Design and Implementation ==


However, '''[[Security#Contributions|contributions]]''' are welcome, particularly contributions which advance [[Rainbow/Next Steps|existing plans]].
The basic design principles of the present 0.7-series incarnation of rainbow were presented in [http://dev.laptop.org/git?p=security;a=blob;f=rainbow.txt;hb=HEAD rainbow.txt]. The implementation of rainbow can be found alongside that file in the "rainbow/rainbow" subdirectory of [http://dev.laptop.org/git/security security git repo] and in its several forks. Finally, a somewhat dated [[Taste the Rainbow|guided tour]] of the source code is available.


'''Information about rainbow-0.8.*'''
== Next Steps ==


* [[Rainbow/Current Situation|current situation]]: feature, design, and implementation notes for rainbow-0.8.*
* P_NETWORK -- [[Isolation LSM]]
* [[Rainbow/Installation Instructions|installation instructions]] for rainbow-0.8.*
* cli interface: [http://dev.laptop.org/git?p=users/mstone/security;hb=cli;a=log rainbow-cli]
* [[Rainbow/Testing|testing]] instructions for rainbow-0.8.*
* pristine root patches -- [http://dev.laptop.org/git/users/mstone/nss-rainbow nss-rainbow]
* [[Rainbow/Next Steps|next steps!]]
* P_DOCUMENT -- [[Olpcfs]]
* [[Rainbow/Demo Ideas|demo ideas]]
* P_X -- we'll start by trying out XSECURITY (i.e. by making activities untrusted clients) and see where that leaves us. Then on to XACE as per [http://lists.laptop.org/pipermail/security/2008-April/000390.html previous discussion]


'''Other Information'''
== Items of Historical Interest ==


* notes for [[Rainbow/Information for Activity Developers|Activity Developers]], for Sugar 0.82 and rainbow-0.7.*
* [http://dev.laptop.org/git?p=security;a=blob;f=rainbow/README;hb=HEAD README] - A description of the original scope and design of Rainbow.
* [[Rainbow/Historical Designs|historical design comparisons]], for rainbow-0.6.*, -0.7.*, and -0.8.*
* [http://dev.laptop.org/git?p=security;a=blob;f=rainbow/NOTES;hb=HEAD Notes] - Notes on design and hurdles in developing Rainbow.
* [[Rainbow/Curiosities|curiosities]]
* [[Rainbow/DataStore Access]] - thoughts on datastore access mechanisms, superseded by [[Olpcfs]].
==Subpages==
* [http://lists.laptop.org/pipermail/security/2008-January/000370.html "Why not SELinux?"]
(Titles in ''italics'' redirect to another page.){{Special:PrefixIndex/{{PAGENAME}}/}}
* [http://lists.laptop.org/pipermail/sugar/2007-November/003725.html "Bitfrost Compliance for Update.1" announcement mail]

* {{Ticket|2732}}, {{Ticket|2906}}, {{Ticket|4184}} - influential tickets in the history of rainbow

[[Category:Software]]
[[Category:Security]]

Latest revision as of 21:00, 26 November 2011

  english | español HowTo [ID# 263143]  +/-  

Rainbow :: git :: sources :: rainbow-0.8.6.tar.bz2 :: announcement


The Bitfrost security specification argues that existing desktop security conventions do not meet the security needs:

  • of adventurous kids in 1-1 computing programs,
  • of the technical staff who help maintain such initiatives, and
  • of the political constituencies which determine where such programs take place.

The most serious inadequacy of such systems is that they force end-users to take unnecessary security risks (for example, giving all programs a user runs access to the network, to auto-start facilities, and to other programs' data files) while simultaneously denying users the opportunity to do things which can be done safely but which were not anticipated by the system administrator (notably, installing new software or modifying the local system.)

Consequently, we wrote Rainbow.

Rainbow is an isolation shell. This means two things:

  1. shell: Rainbow runs programs on behalf of humans and programs. Rainbow provides those programs with a suitable environment: places in which temporary and persistent data can be stored, environment variables to identify those places, etc.
  2. isolation: People and programs should use Rainbow when they want to isolate programs from other programs and important system resources. "Isolation" is already a familiar concept to most UNIX programmers: many system daemons already operate using their own unique UID and/or GID, and most have private places in which they store their configuration. Rainbow generalizes and extends this paradigm by providing every program it runs with a unique identity, with private storage, with pre-configured resource usage limits, etc.

At the moment, Rainbow only knows how to provide the same primitive form of filesystem and signal isolation that competent sysadmins provide to users of multi-user Unix shell servers.

However, contributions are welcome, particularly contributions which advance existing plans.

Information about rainbow-0.8.*

Other Information

Subpages

(Titles in italics redirect to another page.)