Rainbow/Current Situation

From OLPC
< Rainbow
Revision as of 21:11, 12 June 2009 by Mstone (talk | contribs)
Jump to navigation Jump to search

Rainbow :: git :: sources :: rainbow-0.8.6.tar.bz2 :: announcement


Design

Rainbow has been implemented according to three designs to date. The present design, implemented in the "rainbow-0.8.*" series, works like this:

rainbow-0.8.* isolates programs (processes) by confining them to accounts with access control credentials which limit the confined programs' ability to commit side-effects like filesystem I/O.

In particular, rainbow-0.8.* provides isolation by means of traditional Unix permissions. It creates the accounts used for this task by means of an NSS module which modifies the appropriate system databases.

Implementation Structure

rainbow-0.8.* is used via a "UI" like rainbow-run "exec-wrapper" or some higher-level tool based on that program such as the rainbow-easy convenience wrapper.

  1. The UI is responsible for figuring out what to do and for handing that information to a separate injection library.
  2. The injection library is responsible for:
    • acting on isolation requests by manipulating persistent state held in a filesystem spool,
    • dropping privilege, and
    • handing control to the program being isolated.
  3. Finally, the rainbow NSS module lets other programs read the rainbow spool through the usual POSIX APIs for reading system databases.

This structure was chosen to so that rainbow can be used from freedesktop.org .desktop launcher files, from the command-line, and from custom graphical shells like Sugar with equal ease and so that changes to rainbow can operate without munging important system files like /etc/passwd and /etc/group.

Notes

  1. State is maintained in a simple filesystem-embedded microformat.
    • Reservations are recorded in foo_pool
    • Maps are named foo_to_bar
    • Key-value pairs are entries are symlinks from key to value.
    • SQLite would have worked just as well.
  2. We provide isolation by generating low-privilege accounts through the NSS module, then by calling things like
    • setrlimit()
    • setgroups()
    • setgid()
    • setuid()
  3. Task-specific "assistant" program like rainbow-xify or rainbow-sugarize provide isolated software with access to task-specific shared resources like:
    • D-Bus sockets,
    • D-Bus cookies,
    • X sockets,
    • X cookies, and
    • temporary filesystems
  4. Mounting filesystems needs to be done as root and is presently done in a new filesystem namespace (see CLONE_NEWNS) in order to reduce resource leakage.

Idioms

See User:Mstone/Tricks for more detail.