Rainbow/Current Situation: Difference between revisions

From OLPC
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
Line 15: Line 15:
'''Notes'''
'''Notes'''


# State is maintained in a simple filesystem-based microformat.
# State is maintained in a simple filesystem-embedded microformat.
#* Reservations are recorded in <tt>'''foo'''_pool</tt>
#* Reservations are recorded in <tt>'''foo'''_pool</tt>
#* Maps are named <tt>'''foo'''_to_'''bar'''</tt>
#* Maps are named <tt>'''foo'''_to_'''bar'''</tt>
Line 25: Line 25:
#* <tt>setgid()</tt>
#* <tt>setgid()</tt>
#* <tt>setuid()</tt>
#* <tt>setuid()</tt>
# Task-specific "assistant" program like [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/bin/rainbow-xify rainbow-xify] or [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/bin/rainbow-sugarize] provide isolated software with access to task-specific shared resources like:
# In order for useful software to run, we often have to provide it with access to shared resources like:
#* D-Bus sockets,
#* D-Bus sockets,
#* D-Bus cookies,
#* D-Bus cookies,
Line 31: Line 31:
#* X cookies, and
#* X cookies, and
#* temporary filesystems
#* temporary filesystems
# Mounting filesystems needs to be done as root and is presently done in a new filesystem namespace (see <tt>CLONE_NEWNS</tt>) in order to reduce resource leakage.

Most of these can be handled by a task-specific "assistant" program like [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/bin/rainbow-xify rainbow-xify] or [http://dev.laptop.org/git/users/mstone/security/tree/rainbow/bin/rainbow-sugarize].

Mounting filesystems, though, needs to be done as root and is presently done in a new filesystem namespace (see <tt>CLONE_NEWNS</tt>) in order to reduce resource leakage.


'''Idioms'''
'''Idioms'''

Revision as of 21:00, 12 June 2009

Rainbow :: git :: sources :: rainbow-0.8.6.tar.bz2 :: announcement

Design

Rainbow has been implemented according to three designs to date. The present design, implemented in the "rainbow-0.8.*" series, works like this:

rainbow-0.8.* isolates programs (processes) by confining them to accounts with access control credentials which limit the confined programs' ability to commit side-effects like filesystem I/O.

In particular, rainbow-0.8.* provides isolation by means of traditional Unix permissions. It creates the accounts used for this task by means of an NSS module which modifies the appropriate system databases.

Implementation

rainbow-0.8.* is used via the rainbow-run "exec-wrapper" or some higher-level tool based on that program such as the rainbow-easy convenience wrapper. Either way, the rainbow-run wrapper eventually receives control from a higher-level shell, performs any requested isolation steps, and hands control over to isolated program. This way, rainbow can be used from freedesktop.org .desktop launcher files, from the command-line, and from custom graphical shells like Sugar with equal ease.

Notes

  1. State is maintained in a simple filesystem-embedded microformat.
    • Reservations are recorded in foo_pool
    • Maps are named foo_to_bar
    • Key-value pairs are entries are symlinks from key to value.
    • SQLite would have worked just as well.
  2. We provide isolation by generating low-privilege accounts through the NSS module, then by calling things like
    • setrlimit()
    • setgroups()
    • setgid()
    • setuid()
  3. Task-specific "assistant" program like rainbow-xify or [1] provide isolated software with access to task-specific shared resources like:
    • D-Bus sockets,
    • D-Bus cookies,
    • X sockets,
    • X cookies, and
    • temporary filesystems
  4. Mounting filesystems needs to be done as root and is presently done in a new filesystem namespace (see CLONE_NEWNS) in order to reduce resource leakage.

Idioms

See User:Mstone/Tricks for more detail.

Retrieved from "http://wiki.laptop.org/mediawiki/index.php?title=Rainbow/Current_Situation&oldid=210078"