[cap-talk] Applications for a capability platform (was: OS juncture papers)

Toby Murray toby.murray at comlab.ox.ac.uk
Fri Feb 29 13:03:08 EST 2008


On Fri, 2008-02-29 at 12:49 -0500, Jonathan S. Shapiro wrote:
> As I understand it, PLASH proceeds by establishing a new file name space
> just prior to application start, and binding capabilities in the name
> space in a way that is consistent with the application's expectations
> and requirements.
> 
> The net effect of this is that the application is oblivious to the fact
> that it runs within a capability environment, and no "caplib" is
> required. A major point of PLASH is that application re-engineering is
> not required.
> 
> That said, however, I think we can then start to look at hybrid
> solutions that would augment PLASH with things like a power box. These
> would require source-level modification of the applications or their
> runtime libraries (e.g. Gnome), but such modifications would be
> well-localized within the respective applications.

Plash already implements a powerbox. As well as using a modified glibc
(to turn open() etc. into capability invocations), it also includes a
library that can be LD_PRELOADed to intercept calls to the GTK File
Chooser to turn these into capability invocations on a powerbox. 

This allows regular programs like editors and such to work as expected
and be oblivious to their capability-based underpinnings.

Essentially, Plash presents a POSIX interface implemented on top of a
capability system. (The fact that the entire cap system is implemented
in userspace on top of a real POSIX system isn't really relevant here.)
> > Hmmm.  Of course much (most?) of the GNU suite of software was
> > available 10 years ago.
> 
> Yes. But outside of a few developers, nobody gives a damn (or should).
> The applications that actually deliver value to the world at large are
> things like Evolution (email), Firefox (browsing), and OpenOffice. It is
> also noteworthy that NONE of these are GNU applications.

These applications all depend on the standard POSIX interfaces. However,
Plash indicates that such interfaces can be reimplemented on top of a
capability system and, furthermore, when one does so, one ends up with a
POSIX environment that more naturally lends itself to POLA.

This is why I've always loved the Unestos (also known as Asnix) design
presented here that shares many similarities with Plash.
http://www.usenix.org/event/hotos05/final_papers/full_papers/krohn/krohn.pdf
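A sketch of the mechanism described above, added here as an illustration and not Plash's own code: the name space is a table of path-prefix bindings to directory descriptors granted before the program starts, and open() becomes a lookup plus openat(); the prefix "/home/user/docs", the scratch directory and the demo() helper are constructed for the example.

```c
/* Added example, not Plash's code: a program's file name space as a table
 * of bindings from path prefixes to directory capabilities (O_DIRECTORY fds
 * granted ahead of time). open() becomes a lookup in that table followed by
 * openat(); any path without a binding is unreachable whatever the uid. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct binding { const char *prefix; int dirfd; };
struct ns { struct binding b[8]; int n; };

/* Bind a granted directory capability under a path prefix. */
int ns_bind(struct ns *ns, const char *prefix, int dirfd) {
    if (ns->n >= 8) return -1;
    ns->b[ns->n++] = (struct binding){ prefix, dirfd };
    return 0;
}

/* Capability-mediated open(): the longest bound prefix wins; ".." components
 * are refused so the relative part cannot climb out of the granted directory.
 * (Plash's server also resolves symlinks per component; omitted here.) */
int ns_open(const struct ns *ns, const char *path, int flags, mode_t mode) {
    const struct binding *best = NULL; size_t blen = 0;
    for (int i = 0; i < ns->n; i++) {
        size_t len = strlen(ns->b[i].prefix);
        if (len > blen && strncmp(path, ns->b[i].prefix, len) == 0 && path[len] == '/')
            { best = &ns->b[i]; blen = len; }
    }
    if (!best) { errno = EACCES; return -1; }
    const char *rel = path + blen + 1;
    for (const char *p = rel; *p; p++)
        if (p[0] == '.' && p[1] == '.' && (p == rel || p[-1] == '/') && (p[2] == '/' || p[2] == 0))
            { errno = EACCES; return -1; }
    return openat(best->dirfd, rel, flags | O_NOFOLLOW, mode);
}

/* Self-contained check (constructed): grant one scratch directory as
 * "/home/user/docs" and verify only paths under it resolve. Returns 1 if so. */
int demo(void) {
    char tmpl[] = "/tmp/nsdemoXXXXXX";
    if (!mkdtemp(tmpl)) return 0;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    struct ns ns = { .n = 0 };
    ns_bind(&ns, "/home/user/docs", dirfd);
    int fd = ns_open(&ns, "/home/user/docs/notes.txt", O_WRONLY | O_CREAT, 0600);
    int ok = fd >= 0;
    if (fd >= 0) close(fd);
    ok = ok && ns_open(&ns, "/etc/passwd", O_RDONLY, 0) < 0;             /* unbound  */
    ok = ok && ns_open(&ns, "/home/user/docs/../../x", O_RDONLY, 0) < 0; /* escape   */
    unlinkat(dirfd, "notes.txt", 0); close(dirfd); rmdir(tmpl);
    return ok;
}
```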
