[cap-talk] Linux Caps for 'non privileged' operations?
toby.murray at comlab.ox.ac.uk
Sat Nov 4 06:49:38 CST 2006
On Sat, 2006-11-04 at 08:23 +0100, Rob J Meijer wrote:
> Having looked at a few available but rather inconvenient ways to do
> POLA on Linux, it would seem very natural if you could:
> * create a socket pair.
> * fork
> * close one of the sockets
> * child: unset CAP_NONPRIV_AMBIENT as inheritable
> * child: exec executable
> * parent: open directories, sockets, files etc
> * parent: hand over file and directory handles to child through socket
> * child: receive directory and file handles.
> * child: operate with given handles deprived of any ambient authority
You've basically just described Plash. However, in Plash the parent uses
chroot to deprive the child of any authority (to access the filesystem).
Plash doesn't limit authority to access the network or anything else not
embodied as a file though.
If you're looking for an example of what can be accomplished in terms of
POLA on Linux (without any kernel modification) then Plash is one of
the best. I'd personally rather see more effort put into an existing
proven technology rather than seeing the POLA-on-Linux effort fragment
into a number of competing projects.
Just my 2c, though, of course.
The higher goal of POLA for Linux is laudable.
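The socketpair / fork / handle-passing sequence quoted above, written out as an added example in C (this is not code from the thread, from Rob, or from Plash). The parent opens a file, unlinks its name, and hands the descriptor to the child over the socket with SCM_RIGHTS; the child can then reach that file only through the handle it was given. The "unset CAP_NONPRIV_AMBIENT" step is a hypothetical capability that Linux does not provide, so the child leaves a comment where that step (or Plash's chroot) would go; everything else uses real POSIX calls, and the example runs unprivileged.

```c
/* Added example: POLA-style handle passing between parent and child on
 * Linux/POSIX, following the steps listed in Rob's post. Not from the thread. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Send one file descriptor over a UNIX-domain socket using SCM_RIGHTS.
 * A single payload byte is sent alongside, since sendmsg needs some data. */
static int send_fd(int sock, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one file descriptor; returns the new descriptor or -1 on failure. */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* In-process check of the transport: pass a pipe's read end across a
 * socketpair and confirm data written to the pipe arrives through the
 * received descriptor. Returns 0 on success, -1 otherwise. */
static int roundtrip_fd_in_process(void) {
    int sv[2], pfd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0) return -1;
    if (send_fd(sv[0], pfd[0]) < 0) return -1;
    int got = recv_fd(sv[1]);
    if (got < 0) return -1;
    if (write(pfd[1], "x", 1) != 1) return -1;
    char c = 0;
    int ok = (read(got, &c, 1) == 1 && c == 'x') ? 0 : -1;
    close(got); close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return ok;
}

/* The full sequence from the post: socketpair, fork, close one end, the
 * parent opens a file and hands the handle over, the child reads only
 * through that handle. Returns the child's exit status (0 = success). */
static int run_confined_child(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);  /* child keeps only its own end of the pair */
        /* Here the child would shed ambient authority before exec. Plash uses
         * chroot; the CAP_NONPRIV_AMBIENT in the post is hypothetical. Omitted
         * so this example runs without root. */
        int fd = recv_fd(sv[1]);
        char buf[16] = {0};
        int ok = fd >= 0 && lseek(fd, 0, SEEK_SET) == 0 &&
                 read(fd, buf, sizeof buf - 1) == 5 && strcmp(buf, "hello") == 0;
        _exit(ok ? 0 : 1);
    }
    close(sv[1]);  /* parent keeps only its own end */
    char path[] = "/tmp/pola-demo-XXXXXX";  /* constructed temp file name */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);  /* no path remains; the handle is the only route to the file */
    if (write(fd, "hello", 5) != 5) return -1;
    if (send_fd(sv[0], fd) < 0) return -1;
    close(fd); close(sv[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("in-process roundtrip: %d\n", roundtrip_fd_in_process());
    printf("confined child: %d\n", run_confined_child());
    return 0;
}
```

The passed descriptor refers to the same open file description as the parent's, so it shares the file offset; that is why the child seeks to 0 before reading. Unlinking the name after open is what makes the handle the sole route to the file, which is the property the quoted design is after.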