Taste the Rainbow:0.7.0: Difference between revisions

From OLPC
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
This page is a guided tour of the [http://dev.laptop.org/git?p=users/mstone/security;a=commit;h=b6a2a0c96f522956a69871c6d839bc67d2f78424 source code] of the [[Rainbow|rainbow-0.7.0]] release.
This page is a guided tour of the [http://dev.laptop.org/git?p=users/mstone/security;a=commit;h=b6a2a0c96f522956a69871c6d839bc67d2f78424 source code] of the [[Rainbow|rainbow-0.7.0]] release.


== Overview ==
== Source Code Overview ==


please start at http://dev.laptop.org/git?p=users/mstone/security;a=tree;f=rainbow;h=b76a41fcc968b22196b14fa868e50db0f4b1b9bc;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424
please start at http://dev.laptop.org/git?p=users/mstone/security;a=tree;f=rainbow;h=b76a41fcc968b22196b14fa868e50db0f4b1b9bc;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424


a recent design sketch is available at [http://dev.laptop.org/git?p=security;a=blob;f=rainbow.txt;hb=HEAD rainbow.txt]


rainbow
The two interesting directories here are docs and rainbow.
|--- conf : installation-time configuration files
| \--- session-olpc.conf : applies some unusual dbus rules to allow many uids
| to use the same session bus and enables OLPC-specific
| dbus access checks. When /etc/olpc-security exists,
| session-olpc.conf is loaded by [http://dev.laptop.org/git?p=sugar;a=blob;f=bin/sugar.in;h=140c56ef7306e04e8c71ac4c89dab286d01199e1;hb=bde0e167a32eab3e697d5aeb7fffcd0b1be5b1b0 /usr/bin/sugar]
|
|--- docs : explanations & notes
| |--- README
| \--- DESIGN
| *--- [http://dev.laptop.org/git?p=security;a=blob;f=rainbow.txt;hb=HEAD rainbow.txt]
|
|--- rainbow : source code
| |--- util
| |--- stages
| |--- targets
| \--- service.py
|
|--- rainbow.spec.in : spec-file template for building RPMS
\--- Makefile.package : package-specific variables for use in ../Makefile.fedora
*--- ../Makefile.fedora : rules for making local snapshot builds and
internal releases, prior to pushing to Fedora


The interesting file is rainbow.spec.in


== Features ==
The Makefile includes 'Makefile.fedora' one level higher and builds rpms for personal testing based on some variables defined in Makefile.package


=== Activity Installation ===
When I'm happy with the result, then I scratch-build in koji, fix up any final nitpicks and build the release in koji.


permissions is a stub that I hope to fill out this weekend based on the secure installation work that marcopg and neuralis did together a few weeks ago
== D-Bus Configuration ==


=== Activity Launching ===
Here, conf contains some configuration files that need to be installed onto the system during setup.
session-olpc.conf is probably the most important of these since it applies some unusual dbus rules to allow many uids to use the same session bus.

marcopg> how is that loaded? is the sugar script using it?

m_stone> [http://dev.laptop.org/git?p=sugar;a=blob;f=bin/sugar.in;h=140c56ef7306e04e8c71ac4c89dab286d01199e1;hb=bde0e167a32eab3e697d5aeb7fffcd0b1be5b1b0 /usr/bin/sugar] uses that config file if /etc/olpc-security is present and uses the regular one otherwise.

marcopg> what is <olpc>on</olpc> (in session-olpc.conf)

marcopg> that enables coderanger security stuff in dbus?

m_stone> correct, though, since we're no longer using vserver, coderanger's dbus stuff will need some revision.

m_stone> Note that the <olpc> tag is commented out at present.

== Secure Activity Installation ==

permissions is a stub that I hope to fill out this weekend based on the secure installation work that marcopg and neuralis did together a few weeks ago


The key functions for launching activities are
== Architecture ==
*[http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/stages/sugar.py;h=ad68b168d1cbab33a511d65d25e44a8151d06e60;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l10 stages/sugar.py:begin()],
*[http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/stages/sugar.py;h=ad68b168d1cbab33a511d65d25e44a8151d06e60;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l72 stages/sugar.py:prepare()], and
*[http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/stages/activation.py;h=97228604c9781b3129767f4374e25f345ef49197;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l16 stages/activation.py:launch()].


These functions are called in the order listed from
The key functions for launching activities are [http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/stages/sugar.py;h=ad68b168d1cbab33a511d65d25e44a8151d06e60;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l10 stages/sugar.py:begin()],
[http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/stages/sugar.py;h=ad68b168d1cbab33a511d65d25e44a8151d06e60;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l72 stages/sugar.py:prepare()], and
*[http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/targets/sugar.py;h=504e4ae5fcad44fe70b8eb32403319ea451353ee;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l8 targets/sugar.py:launch()] and
[http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/stages/activation.py;h=97228604c9781b3129767f4374e25f345ef49197;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l16 stages/activation.py:launch()].
*[http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/targets/sugar.py;h=504e4ae5fcad44fe70b8eb32403319ea451353ee;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l28 targets/sugar.py:_exile()]


which are, in turn, called from
These functions are called in the order listed from [http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/targets/sugar.py;h=504e4ae5fcad44fe70b8eb32403319ea451353ee;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l8 targets/sugar.py:launch()] and [http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/targets/sugar.py;h=504e4ae5fcad44fe70b8eb32403319ea451353ee;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l28 targets/sugar.py:_exile()] which are, in turn, called from [http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/service.py;h=aaa6fc140511a5d9c08f25319b9c6f8f106c8cc6;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l57 service.py:Rainbow.CreateActivity()]
*[http://dev.laptop.org/git?p=users/mstone/security;a=blob;f=rainbow/rainbow/service.py;h=aaa6fc140511a5d9c08f25319b9c6f8f106c8cc6;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424#l57 service.py:Rainbow.CreateActivity()]


These six functions (and the relatively simple helpers they call) exhaust the functionality provided by rainbow-0.7.0.
These six functions (and the relatively simple helpers they call) exhaust the functionality provided by rainbow-0.7.0.

Revision as of 20:20, 3 November 2007

This page is a guided tour of the source code of the rainbow-0.7.0 release.

Source Code Overview

please start at http://dev.laptop.org/git?p=users/mstone/security;a=tree;f=rainbow;h=b76a41fcc968b22196b14fa868e50db0f4b1b9bc;hb=b6a2a0c96f522956a69871c6d839bc67d2f78424 


 rainbow
  |--- conf : installation-time configuration files
  |     \--- session-olpc.conf : applies some unusual dbus rules to allow many uids
  |                              to use the same session bus and enables OLPC-specific 
  |                              dbus access checks. When /etc/olpc-security exists, 
  |                              session-olpc.conf is loaded by /usr/bin/sugar 
  | 
  |--- docs : explanations & notes
  |     |--- README
  |     \--- DESIGN
  |     *--- rainbow.txt
  |
  |--- rainbow : source code
  |     |--- util
  |     |--- stages
  |     |--- targets
  |     \--- service.py
  |
  |--- rainbow.spec.in : spec-file template for building RPMS
  \--- Makefile.package : package-specific variables for use in ../Makefile.fedora
  *--- ../Makefile.fedora : rules for making local snapshot builds and 
                            internal releases, prior to pushing to Fedora


Features

Activity Installation

permissions is a stub that I hope to fill out this weekend based on the secure installation work that marcopg and neuralis did together a few weeks ago

Activity Launching

The key functions for launching activities are

These functions are called in the order listed from

which are, in turn, called from

These six functions (and the relatively simple helpers they call) exhaust the functionality provided by rainbow-0.7.0.

Retrieved from "http://wiki.laptop.org/mediawiki/index.php?title=Taste_the_Rainbow:0.7.0&oldid=75303"