From: crossd at gmail.com (Dan Cross)
Subject: [COFF] Other OSes?
Date: Sun, 8 Jul 2018 22:44:23 -0400 [thread overview]
Message-ID: <CAEoi9W6ZiYGzRPTcD5eX7UqG0KWEOKp95cGsA=E2AhAqceiVPA@mail.gmail.com> (raw)
In-Reply-To: <20180708163150.0c9e1870@jabberwock.cb.piermont.com>
On Sun, Jul 8, 2018 at 4:31 PM Perry E. Metzger <perry at piermont.com> wrote:
> [snip]
> On Wed, 4 Jul 2018 23:40:36 -0700 Bakul Shah <bakul at bitblocks.com>
> wrote:
> > - Capabilities (a number of OSes implemented them -- See Hank
> > Levy's book: https://homes.cs.washington.edu/~levy/capabook/
>
> A fascinating resurrection of capabilities in a kind of pleasant
> Unixy-way can be found in Robert Watson's "Capsicum" add-ons for
> FreeBSD and Linux. I wish it was more widely known about and adopted.
>
> > - Namespaces (plan9)
>
> A good choice I think.
Interestingly, it was in talking with Ben Laurie about a potential security
model for Akaros that I realized the correspondence between Plan9-style
namespaces and capabilities. Since Akaros had imported a lot of plan9
namespace code, we concluded that we already had the building blocks for a
capability-style security model with minimal additional work. I
subsequently concluded that Capsicum wasn't strong enough to be complete.
By way of example, I refer back to my earlier question about networking.
For example, rights(4) on FreeBSD lists CAP_BIND, CAP_CONNECT, CAP_ACCEPT
and other socket related capabilities. That's fine for modeling whether a
process can make a *system call*, but insufficient for validating the
parameters of that system call. Being granted CAP_CONNECT lets me call
connect(2), but how do I model a capability for establishing a TCP
connection to some restricted set of ports on a restricted set of
destination hosts? CAP_BIND let's me call bind(2), but is there some
mechanism to represent the capability of only being able to bind(2) to TCP
port 12345? I imagine I'd want to make it so that I can restrict the
network 5-tuple a particular process can interact with based on some local
policy, but Capsicum as it stands seems too coarse-grained for that.
Similarly with file open's, etc.
Curiously, though it wasn't specifically designed for it, but it seems like
the namespace-style representation of capabilities would be simultaneously
more Unix-like and stronger: since the OS only has system calls for
interacting with file-like objects (and processes, but ignore those for a
moment) in the current namespace, a namespace can be constructed with
*exactly* the resources the process can interact with. Given that
networking was implemented as a filesystem, one can imagine interposing a
proxy filesystem that represents the network stack to a process, but
imposes policy restrictions on how the stack is used (e.g., inspecting
connect establishment requests and restricting them to a set of 5-tuples,
etc).
- Dan C.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/coff/attachments/20180708/25ff8ef9/attachment.html>
next prev parent reply other threads:[~2018-07-09 2:44 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-05 5:56 wkt
2018-07-05 6:29 ` spedraja
2018-07-05 6:40 ` bakul
2018-07-05 15:23 ` clemc
2018-07-05 20:49 ` scj
2018-07-05 21:25 ` david
2018-07-06 15:42 ` gtaylor
2018-07-05 22:38 ` ralph
2018-07-05 23:11 ` bakul
2018-07-06 0:06 ` lm
2018-07-06 15:49 ` gtaylor
2018-07-06 0:52 ` tytso
2018-07-06 5:59 ` ralph
2018-07-06 15:59 ` gtaylor
2018-07-06 16:10 ` ralph
2018-07-06 16:47 ` gtaylor
2018-07-06 15:57 ` gtaylor
2018-07-06 15:38 ` gtaylor
2018-07-09 1:56 ` tytso
2018-07-09 3:25 ` gtaylor
2018-07-09 3:35 ` crossd
2018-07-09 3:43 ` gtaylor
2018-07-09 3:52 ` imp
2018-07-09 11:32 ` perry
2018-07-09 11:50 ` perry
2018-07-09 11:34 ` crossd
2018-07-09 5:23 ` tytso
2018-07-09 12:52 ` clemc
2018-07-09 13:06 ` [COFF] PiDP Obsolesces Guaranteed clemc
2018-07-09 14:39 ` [COFF] Other OSes? tytso
2018-07-09 14:46 ` clemc
2018-07-09 11:24 ` perry
2018-07-05 22:51 ` ewayte
2018-07-08 20:31 ` perry
2018-07-08 20:53 ` perry
2018-07-09 2:44 ` crossd [this message]
2018-07-10 5:30 ` bakul
2018-07-16 14:49 ` crossd
2018-07-16 16:59 ` [COFF] Capabilities (was " bakul
2018-07-06 0:55 ` [COFF] " crossd
2018-07-06 5:42 ` bakul
2018-07-09 2:51 ` crossd
2018-07-10 5:41 ` bakul
2018-07-06 4:04 ` grog
2018-07-06 16:10 ` gtaylor
2018-07-06 18:27 ` [COFF] Editor Scripts scj
2018-07-06 19:04 ` gtaylor
2018-07-08 20:50 ` [COFF] Other OSes? perry
2018-07-08 23:27 ` bakul
2018-07-09 0:00 ` grog
2018-07-09 0:13 ` perry
2018-07-09 0:05 ` crossd
2018-07-09 0:56 ` lm
2018-07-09 2:23 ` crossd
2018-07-09 0:11 ` perry
2018-07-09 0:19 ` crossd
2018-07-09 2:00 ` bakul
2018-07-09 3:02 ` [COFF] Origination of awful security design [COFF, COFF] bill
2018-07-09 13:10 ` [COFF] Other OSes? david
2018-07-09 13:17 ` perry
2018-07-09 13:13 ` perry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEoi9W6ZiYGzRPTcD5eX7UqG0KWEOKp95cGsA=E2AhAqceiVPA@mail.gmail.com' \
--to=coff@minnie.tuhs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).