[cap-talk] POSIX capabilities and standard Posix ambient authority.
David Wagner
daw at cs.berkeley.edu
Fri Oct 20 15:49:10 CDT 2006
Rob J Meijer <rmeijer at xs4all.nl> writes:
>maybe now would be a good time to see if POSIX capabilities
>combined with the 'at' set of syscalls could not be extended in a way to
>facilitate efficient and useful mechanisms. [...]
>
>Do you guys think it viable to try to together write a proposal (and if
>possible implement it as a patchset for linux) that defines
>CAP_AMBIENT_AUTHORITY as POSIX capability, defining all the syscalls and
>possibly syscall/attribute combinations that are covered by this?
POSIX capabilities are a disaster.
Finding some way to turn off all ambient authority would be interesting,
though I don't see why it needs to be a POSIX capability (there would
be many ways to communicate to the kernel that you want to turn off all
ambient authority).
Have you looked at Linux seccomp? You could view it as shutting off
all ambient authority in a blanket way.
Combining something like seccomp with file descriptor passing and a
subset of the *at() syscalls might let you do something useful here.
I could imagine building a pretty nice implementation of plash on top
of that substrate.
One challenge will be to figure out what to do about resources that
aren't represented as files (e.g., network access).
Also look at Dan Bernstein's brief web page on sandboxing Unix processes.
The killer issue with operating system mechanisms, from a practical
point of view, is that anything you do will be very difficult to make
portable across a broad variety of operating systems. Even if you can
get your solution adopted by mainline Linux, say (which is itself a
huge challenge), getting it adopted by the BSDs, Solaris, etc., is likely
to be very tough. It's very hard to get a foothold here.
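The combination suggested above (seccomp, descriptor passing and a subset of the *at() syscalls) can be shown concretely. The following is an added example, not code from this post or from plash, and it uses the seccomp-bpf filter mode that Linux gained later rather than the strict mode that existed in 2006; the function names, scratch path and return codes are my own, and the filter covers only openat() so that the point stays visible.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* seccomp-bpf filter: openat() with dirfd == AT_FDCWD (path resolved from the ambient
 * cwd/root) gets EACCES; openat() relative to a real directory descriptor passes. */
static int deny_ambient_opens(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 3),       /* other call: allow */
        /* low 32 bits of args[0] == dirfd (little-endian layout assumed) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)AT_FDCWD, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),        /* ambient: refuse */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Forks a child (so the filter never reaches the caller), installs the filter there
 * and opens a scratch file both ways. Returns 0 when the dirfd-relative open succeeds
 * and the ambient one gets EACCES; 4 if the kernel or sandbox refused the filter. */
int demo_descriptor_vs_ambient(void) {
    char dir[] = "/tmp/cap-talk-demo-XXXXXX", path[64];   /* constructed scratch dir */
    if (!mkdtemp(dir)) return 1;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    int fd = dirfd < 0 ? -1 : openat(dirfd, "note", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 2;
    close(fd);
    snprintf(path, sizeof path, "%s/note", dir);
    int status = 0; pid_t pid = fork();
    if (pid == 0) {
        if (deny_ambient_opens() != 0) _exit(4);
        int by_fd = openat(dirfd, "note", O_RDONLY);      /* authority carried by dirfd */
        int ambient = openat(AT_FDCWD, path, O_RDONLY);   /* authority from cwd/root */
        _exit(by_fd >= 0 && ambient < 0 && errno == EACCES ? 0 : 5);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return 3;
    unlinkat(dirfd, "note", 0); rmdir(dir); close(dirfd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 6;
}
```

Once the filter is in place the child can reach only what it was handed a descriptor for, which is the "shut off ambient authority, then pass descriptors" shape Wagner describes; network sockets and other non-file resources still need a separate answer.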