Rainbow: Difference between revisions
m (Reverted edits by 77.64.72.243 (Talk) to last revision by FGrose) |
|||
(92 intermediate revisions by 8 users not shown) | |||
Line 1: | Line 1: | ||
{{OLPC}} |
|||
{{developers}} |
|||
{{translations}} |
{{translations}} |
||
<noinclude>{{Google Translations}} |
|||
<noinclude>{{ GoogleTrans-en | es =show | bg =show | zh-CN =show | zh-TW =show | hr =show | cs =show | da =show | nl =show | fi =show | fr =show | de =show | el =show | hi =show | it =show | ja =show | ko =show | no =show | pl =show | pt =show | ro =show | ru =show | sv =show }}</noinclude> |
|||
[[Category:Security]] |
|||
== Introduction == |
|||
</noinclude>{{Rainbow page}} |
|||
The [[OLPC Bitfrost|Bitfrost]] security specification argues that existing desktop security conventions do not meet the security needs: |
|||
* of adventurous kids in 1-1 computing programs, |
|||
* of the technical staff who help maintain such initiatives, and |
|||
* of the political constituencies which determine where such programs take place. |
|||
The most serious inadequacy of such systems is that they force end-users to take unnecessary security risks (for example, giving all programs a user runs access to the network, to auto-start facilities, and to other programs' data files) while simultaneously denying users the opportunity to do things which can be done safely but which were not anticipated by the system administrator (notably, installing new software or modifying the local system.) |
|||
Consequently, [[Security credits#Activity Isolation|we]] wrote [http://dev.laptop.org/git/users/mstone/security/tree/rainbow Rainbow]. |
|||
Rainbow implements this isolation by generating a new uid (and perhaps a new gid) for each program it is asked to run. Running each activity as a separate user means that standard Unix access checks can be used as the primary 'gate' to control the visibility of activity-driven side-effects like reading from or writing to files or devices or signalling other processes. |
|||
Rainbow is an isolation shell. This means two things: |
|||
== For Activity Developers == |
|||
# ''shell'': Rainbow runs programs on behalf of humans and programs. Rainbow provides those programs with a suitable environment: places in which temporary and persistent data can be stored, environment variables to identify those places, etc. |
|||
When the user asks Sugar to start your activity, Rainbow is the software which actually asks the Linux kernel to do the 'starting'. However, in order to achieve the security goals described in Bitfrost, it places some restrictions on your software. You can find out more about these restrictions in the [[Low-level Activity API#Security|low-level activity api]] documentation. (In the future, the [[Sugar almanac]] may also contain some similar information). |
|||
# ''isolation'': People and programs should use Rainbow when they want to isolate programs from other programs and important system resources. "Isolation" is already a familiar concept to most UNIX programmers: many system daemons already operate using their own unique UID and/or GID, and most have private places in which they store their configuration. Rainbow generalizes and extends this paradigm by providing every program it runs with a unique identity, with private storage, with pre-configured resource usage limits, etc. |
|||
At the moment, Rainbow only knows how to provide the same primitive form of filesystem and signal isolation that competent sysadmins provide to users of multi-user Unix shell servers. |
|||
=== Disabling Rainbow for Testing === |
|||
However, '''[[Security#Contributions|contributions]]''' are welcome, particularly contributions which advance [[Rainbow/Next Steps|existing plans]]. |
|||
Sugar's use of Rainbow can be trivially disabled by running |
|||
'''Information about rainbow-0.8.*''' |
|||
rm /etc/olpc-security |
|||
* [[Rainbow/Current Situation|current situation]]: feature, design, and implementation notes for rainbow-0.8.* |
|||
as root. It can be re-enabled by running |
|||
* [[Rainbow/Installation Instructions|installation instructions]] for rainbow-0.8.* |
|||
* [[Rainbow/Testing|testing]] instructions for rainbow-0.8.* |
|||
* [[Rainbow/Next Steps|next steps!]] |
|||
* [[Rainbow/Demo Ideas|demo ideas]] |
|||
'''Other Information''' |
|||
touch /etc/olpc-security |
|||
* notes for [[Rainbow/Information for Activity Developers|Activity Developers]], for Sugar 0.82 and rainbow-0.7.* |
|||
also as root. |
|||
* [[Rainbow/Historical Designs|historical design comparisons]], for rainbow-0.6.*, -0.7.*, and -0.8.* |
|||
* [[Rainbow/Curiosities|curiosities]] |
|||
== Design and Implementation == |
|||
==Subpages== |
|||
Rainbow has been implemented according to three designs to date. |
|||
(Titles in ''italics'' redirect to another page.){{Special:PrefixIndex/{{PAGENAME}}/}} |
|||
=== 0.8-series === |
|||
The 0.8 series is designed as an [http://en.wikipedia.org/wiki/Chain_loading "exec-wrapper"]. The "rainbow-run" wrapper is receives control from the shell, performs any requested isolation steps, then hands control over to isolated program. This way, rainbow can be used from freedesktop.org [http://standards.freedesktop.org/desktop-entry-spec/latest/ .desktop] launcher files, from the command-line, and from custom graphical shells like [[Sugar]] with equal ease. |
|||
=== 0.7-series === |
|||
The 0.7 series was designed as a privileged [http://www.freedesktop.org/wiki/Software/dbus dbus] [http://en.wikipedia.org/wiki/Daemon_(computer_software) daemon]. Sugar calls into this daemon when it wants to launch activities. An advantage of having a daemon is that the daemon can cache the results of expensive computations like python module loading. The problem with the daemon is that it consumes extra memory and that its caching behavior can cause many frustrating bugs. |
|||
=== vserver-series === |
|||
The first implementation of rainbow (and of [[olpc-update]]) used a containerization technology called [http://linux-vserver.org VServer] to implement extensive isolation including network and CPU usage limits. Unfortunately, these early implementations revealed fundamental race conditions in the custom vserver patches provided to OLPC and the OLPC kernel team was unwilling to support the patches. [[User:Mstone|Michael Stone]] created a new design outline, written up in [http://dev.laptop.org/git?p=security;a=blob;f=rainbow.txt;hb=HEAD rainbow.txt] which explained how Bitfrost could be approached without vserver and vserver was removed from the kernel. |
|||
== Testing == |
|||
=== Automated === |
|||
See [http://dev.laptop.org/git/users/mstone/test-rainbow test-rainbow]. This code sets up a [http://fedoraproject.org/wiki/Projects/Mock mock] chroot in which rainbow can be tested, then runs a [http://dev.laptop.org/git?p=users/mstone/test-rainbow;a=blob;f=suggestions;hb=HEAD small multi-user test script]. |
|||
=== Fedora === |
|||
# on rawhide: |
|||
yum install rainbow |
|||
... |
|||
=== Ubuntu === |
|||
[https://launchpad.net/~codewiz/+archive/ppa Bernie's PPA] contains some basic rainbow packages which you can install. |
|||
=== jhbuild === |
|||
# TBD; talk to Sascha Silbe for help. |
|||
=== SoaS === |
|||
# TBD; talk to ??? for help. |
|||
== Filing Bugs == |
|||
General instructions are available on how to [[Reporting bugs|report bugs]]. |
|||
== Coding == |
|||
Rainbow needs your help to be awesome. Some broad ideas on how to make it more awesome are described in the [[#Next Steps]] section. In the short term, though, the best way to help is to test it, to file bugs, and to help get it packaged in more distributions. |
|||
== Packaging == |
|||
Please bring Rainbow to your favorite distribution. (So far, Rainbow is available for Fedora and, via bernie's PPA, for Ubuntu Jaunty.) |
|||
== Next Steps == |
|||
; Accessibility to Developers |
|||
: Debian packaging + cli interface + pristine-root + automated testing |
|||
: code: see the 'integration' branches of [http://dev.laptop.org/git?p=users/mstone/security;hb=integration;a=commit rainbow] and [http://dev.laptop.org/git?p=users/mstone/nss-rainbow;hb=integration;a=commit nss-rainbow] and the 'master' branch of [http://dev.laptop.org/git?p=users/mstone/test-rainbow;a=commit test-rainbow] |
|||
; P_NETWORK |
|||
: See [[Isolation LSM]], http://lkml.org/lkml/2009/1/7/18, http://lkml.org/lkml/2009/1/7/613, and http://lxc.sourceforge.net. |
|||
; P_DOCUMENT* |
|||
: See [[Olpcfs]] and [[Journal reloaded]], other thoughts welcome. |
|||
; P_X |
|||
: -- we'll start by trying out XSECURITY (i.e. by making activities untrusted clients) and see where that leaves us. Then on to XACE as per [http://lists.laptop.org/pipermail/security/2008-April/000390.html previous discussion] |
|||
:: -- unfortunately, it seems (c.f. ssh man page) that most apps break when you treat them as untrusted clients. Hmm. |
|||
== Demo Ideas == |
|||
* (paraphrase): "The insight behind Rainbow is that the problem of isolating an operator from his/her programs is similar to the problem of isolating users of a shared server from one another and from root." -- ''C. Scott Ananian'' |
|||
* "I see the cool parts [of Rainbow] as (1) per-instance isolation, (2) isolation without virtualization, and (3) isolation using the uid mechanisms. All three are unique and impressive." ''-- Ben Schwartz'' |
|||
: ''(NB: Actually, lots of other people have played with these ideas. [http://plash.beasts.org/wiki/ plash] is a compelling example.)'' |
|||
Ideas: |
|||
* Give people an isolated Terminal to play in. |
|||
* Show off rlimits with a fork-bomb. |
|||
* Show off filesystem protections -- rm -rf, restriction of readable dirs, etc. |
|||
== Items of Historical Interest == |
|||
* [http://dev.laptop.org/git?p=security;a=blob;f=rainbow/README;hb=HEAD README] - A description of the original scope and design of Rainbow. |
|||
* [http://dev.laptop.org/git?p=security;a=blob;f=rainbow/NOTES;hb=HEAD Notes] - Notes on design and hurdles in developing Rainbow. |
|||
* [[Rainbow/DataStore Access]] - thoughts on datastore access mechanisms, superseded by [[Olpcfs]]. |
|||
* [http://lists.laptop.org/pipermail/security/2008-January/000370.html "Why not SELinux?"] |
|||
* [http://lists.laptop.org/pipermail/sugar/2007-November/003725.html "Bitfrost Compliance for Update.1" announcement mail] |
|||
* {{Ticket|2732}}, {{Ticket|2906}}, {{Ticket|4184}} - influential tickets in the history of rainbow |
|||
[[Category:Software]] |
|||
[[Category:Security]] |
Latest revision as of 21:00, 26 November 2011
Rainbow :: git :: sources :: rainbow-0.8.6.tar.bz2 :: announcement
The Bitfrost security specification argues that existing desktop security conventions do not meet the security needs:
- of adventurous kids in 1-1 computing programs,
- of the technical staff who help maintain such initiatives, and
- of the political constituencies which determine where such programs take place.
The most serious inadequacy of such systems is that they force end-users to take unnecessary security risks (for example, giving all programs a user runs access to the network, to auto-start facilities, and to other programs' data files) while simultaneously denying users the opportunity to do things which can be done safely but which were not anticipated by the system administrator (notably, installing new software or modifying the local system.)
Consequently, we wrote Rainbow.
Rainbow is an isolation shell. This means two things:
- shell: Rainbow runs programs on behalf of humans and programs. Rainbow provides those programs with a suitable environment: places in which temporary and persistent data can be stored, environment variables to identify those places, etc.
- isolation: People and programs should use Rainbow when they want to isolate programs from other programs and important system resources. "Isolation" is already a familiar concept to most UNIX programmers: many system daemons already operate using their own unique UID and/or GID, and most have private places in which they store their configuration. Rainbow generalizes and extends this paradigm by providing every program it runs with a unique identity, with private storage, with pre-configured resource usage limits, etc.
At the moment, Rainbow only knows how to provide the same primitive form of filesystem and signal isolation that competent sysadmins provide to users of multi-user Unix shell servers.
However, contributions are welcome, particularly contributions which advance existing plans.
Information about rainbow-0.8.*
- current situation: feature, design, and implementation notes for rainbow-0.8.*
- installation instructions for rainbow-0.8.*
- testing instructions for rainbow-0.8.*
- next steps!
- demo ideas
Other Information
- notes for Activity Developers, for Sugar 0.82 and rainbow-0.7.*
- historical design comparisons, for rainbow-0.6.*, -0.7.*, and -0.8.*
- curiosities
Subpages
(Titles in italics redirect to another page.)