On 2008-Jul-17, at 00:54 , Robert Watson wrote:
FWIW, I have some work in progress on the capability front, but it's
a highly complex issue that will take years to work through
properly. Unfortunately, the real issue isn't so much the OS
primitives as building up a non-trivial application base that uses
them. Providing primitives to subdivie applications isn't easy, but
once you've done that you still have to rewrite lots of applications
to take advantage of it, and in a way that shows a lot more
application programmer discipline. It's not clear to me that the
pressure is there to make feature-driven application development for
major desktop applications adopt techniques of this sort.
Realistically, this will never happen. It would require *every*one
agreeing on a single consistent API, and that just won't happen with
any sort of policy-based mechanism.
It's sad people don't pay more attention to Plan 9. Namespaces go a
long way towards solving this problem in a manner that's completely
transparent to the application, and trivial for the end-user to
configure and use.
See:
http://plan9.bell-labs.com/sys/doc/names.html
http://plan9.bell-labs.com/magic/man2html/1/0intro
http://plan9.bell-labs.com/magic/man2html/4/namespace
In a nutshell, your view of the 'filesystem' is fully mutable. A
simple 'rfork n' in the shell will instantiate a brand new instance of
the namespace, which you can then fiddle to your heart's content. E.g.
rfork n
bind /usr/ftp /
creates a namespace where /usr/ftp (by convention the anonymous FTP
directory) is now the "root" directory of the process' filesystem.
Analogous system calls exist for programmatic use. And since there is
no concept of (or need for) a 'superuser' these facilities are
available to everyone.
This makes sandboxing trivial for any number of remotely accessible
network services as well as to the interactive system user. Both files
and directories can be bind targets, and the source of the bind can as
easily be a program as a file or directory; the ability to create
secure synthetic filesystems just naturally falls out of this paradigm.
And the applications are blissfully unaware that any of this even
exists.
--lyndon
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
