[cap-talk] Horton at HotSec '07: How broadly object/capability?

James A. Donald jamesd at echeque.com
Wed Jul 11 17:53:24 EDT 2007


David Hopwood wrote:
> We cannot blame anyone outside the capabilities
> community for our collective failure to produce a
> capability OS that is complete enough to run even a
> few basic demonstration apps on a PC.

The classic explanation of how a capabilities OS would
work contrasts cp with cat, and a file chooser dialog
box with a file chooser powerbox.  It is an explanation
of how to do unix right - how to have something very
similar to linux + gnome, but innately secure.  So where
is something very similar to linux + gnome, but innately
secure?

If the objective is to have something very similar to
linux + gnome, but innately secure, you want to be able
to reuse as much linux and gnome code as you can - plash
on steroids with a cap shell in place of bash shell.
(Bash shell would run inside a plash sandbox, cap shell
runs above the sandboxes, and can interactively create
sandboxed bash shells with particular ambient
capabilities.)  The cap shell should be as much like
bash shell as it possibly can be, and the install time
specification of plash sandboxes needs to be integrated
with something very like Synaptic Package manager -
which integration is a large part of what Bitfrost is,
though Bitfrost is very specifically written for an
alarmingly minimal laptop.  If the user installs a
standard linux program outside the package manager, he
can do it but then faces the alarmingly nerdly task of
specifying plash sandbox rules, for only programs
specifically written for the capabilities OS can run
outside a sandbox.
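To make the cp-versus-cat contrast above concrete, here is an added toy model (constructed for this page; it is not plash, not any real cap shell, and not the poster's code): only the shell holds namespace authority, it resolves redirections itself, and each program receives nothing beyond the capabilities the shell passes it. The `reachable` helper measures how much of the namespace a program could touch with what it was handed.

```python
import shlex

class FileCap:
    """Unforgeable reference to one file: no path, no parent directory."""
    def __init__(self, store, name):
        self._store, self._name = store, name
    def read(self): return self._store[self._name]
    def write(self, data): self._store[self._name] = data

class DirCap:
    """Authority over a whole namespace; needed by anything that resolves names."""
    def __init__(self, store):
        self._store = store          # constructed in-memory "file system"
    def open(self, name):
        if name not in self._store:
            raise FileNotFoundError(name)
        return FileCap(self._store, name)
    def create(self, name):
        self._store.setdefault(name, "")
        return FileCap(self._store, name)

def cat(stdin, stdout):  # needs only two file capabilities
    stdout.write(stdin.read())

def cp(cwd, src, dst):  # resolves names itself, so it needs the directory cap
    cwd.create(dst).write(cwd.open(src).read())

def reachable(caps):
    """Every name a program could touch through the capabilities it was handed."""
    names = set()
    for cap in caps:
        names |= set(cap._store) if isinstance(cap, DirCap) else {cap._name}
    return names

def cap_shell(cmdline, cwd):
    """Run `cmd args < in > out`: the shell resolves each redirection with its
    own authority and hands the program only the resulting capabilities."""
    words, args, stdin, stdout, i = shlex.split(cmdline), [], None, None, 1
    while i < len(words):
        if words[i] == "<":
            stdin, i = cwd.open(words[i + 1]), i + 2
        elif words[i] == ">":
            stdout, i = cwd.create(words[i + 1]), i + 2
        else:
            args.append(words[i]); i += 1
    granted = [stdin, stdout] if words[0] == "cat" else [cwd, *args]
    {"cat": cat, "cp": cp}[words[0]](*granted)
    return reachable(c for c in granted if not isinstance(c, str))
```

With a store holding `foo` and an unrelated `secret`, `cat < foo > bar` can reach exactly `{foo, bar}`, while `cp foo baz` was handed the whole directory and so could have reached `secret` too.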

