Rainbow/Current Situation: Difference between revisions
Revision as of 20:50, 12 June 2009
Design
Rainbow has been implemented according to three designs to date. The present design, implemented in the "rainbow-0.8.*" series, works like this:
rainbow-0.8.* isolates programs (processes) by confining them to accounts with access control credentials which limit the confined programs' ability to commit side-effects like filesystem I/O.
In particular, rainbow-0.8.* provides isolation by means of traditional Unix permissions. It creates the accounts used for this task by means of an NSS module which modifies the appropriate system databases.
Implementation
rainbow-0.8.* is used via the rainbow-run "exec-wrapper" or some higher-level tool based on that program, such as the rainbow-easy convenience wrapper. Either way, the rainbow-run wrapper eventually receives control from a higher-level shell, performs any requested isolation steps, and hands control over to the isolated program. This way, rainbow can be used from freedesktop.org .desktop launcher files, from the command line, and from custom graphical shells like Sugar with equal ease.
Notes
- We provide isolation by generating low-privilege accounts through the NSS module, then by calling things like
  - setrlimit()
  - setgroups()
  - setgid()
  - setuid()
- In order for useful software to run, we often have to provide it with access to shared resources like:
  - D-Bus sockets,
  - D-Bus cookies,
  - X sockets,
  - X cookies, and
  - temporary filesystems
Most of these can be handled by a task-specific "assistant" program like rainbow-xify or rainbow-sugarize.
Mounting filesystems, though, needs to be done as root and is presently done in a new filesystem namespace (see CLONE_NEWNS) in order to reduce resource leakage.
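The privilege-dropping sequence sketched in the notes above (setrlimit, setgroups, setgid, setuid, then exec), written out as an added C example; this is not rainbow's own code. The uid/gid 65534 and the limit values are constructed placeholders for an account the NSS module would have generated, and every step returns 0 or -errno so the wrapper can refuse to exec the confined program if any step fails.

```c
/* Constructed example of a rainbow-run style exec-wrapper's isolation steps.
 * Not rainbow's own code; uid/gid values are placeholders for an NSS-generated account. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Lower a soft resource limit to `cap`, never raising it; allowed without root. */
static int cap_limit(int resource, rlim_t cap)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -errno;
    if (cap > rl.rlim_max) cap = rl.rlim_max;      /* soft limit may not exceed hard limit */
    if (rl.rlim_cur > cap) rl.rlim_cur = cap;      /* RLIM_INFINITY compares as the largest value */
    return setrlimit(resource, &rl) == 0 ? 0 : -errno;
}

/* Order matters: limits first, then supplementary groups, gid, and uid last,
 * because once setuid() has dropped root the earlier calls fail with EPERM.
 * Returns 0 on success or -errno; the caller must not exec() on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    int rc;
    if ((rc = cap_limit(RLIMIT_CORE, 0)) != 0) return rc;    /* no core dumps of the confined process */
    if ((rc = cap_limit(RLIMIT_NPROC, 128)) != 0) return rc; /* constructed bound on fork storms */
    if (setgroups(1, &gid) != 0) return -errno;              /* drop inherited supplementary groups */
    if (setgid(gid) != 0) return -errno;
    if (setuid(uid) != 0) return -errno;                     /* as root this sets real, effective and saved uid */
    return 0;
}

/* Confirm the process now has exactly the expected identity and cannot regain root:
 * a successful setuid(0) here would mean a saved root uid was left behind. */
int verify_unprivileged(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (setuid(0) == 0) return 0;
    return 1;
}
```

Run as root the wrapper really changes identity; run unprivileged, setgroups() fails with EPERM and the wrapper must treat that as "do not exec" rather than continuing with partial isolation.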
Idioms
See User:Mstone/Tricks for more detail.