[cap-talk] Google Chrome - web browser with sandboxed rendering
Rob Meijer
capibara at xs4all.nl
Thu Sep 4 01:23:38 CDT 2008
On Wed, September 3, 2008 22:23, Ben Laurie wrote:
>> what about POLA and the solution to the plugin problem?
>
> Broad comment on POLA and plugins: if you want to use POLA for
> plugins, then you need an environment that supports it. There aren't
> many candidates. E? Caja? Joe-E?
>
I may be missing something, but if the plugin was to run in a separate
confined process with an IPC channel to the main application as its only
initial source of authority, the plugin could even be written in the
absolute worst style of C.
I think running plugins with least authority at this stage should be
mostly about sandboxing and IPC techniques in order to confine the plugin
process to least authority, and much less about using fine grained ocap
environments to confine each object within the plugin to least authority.
In Linux you could use AppArmor to confine access to the filesystem to a
minimum, uid based rules in iptables to deny all initiation of networking,
and unix domain sockets for communication of filesystem and networking
handles. Running the plugin under a uid that is denied networking
initiation with a restrictive AppArmor profile and communication to the
browser using one or more unix domain sockets as IPC channel would get you
pretty close to least authority.
I don't know much about these types of mechanisms in Vista or XP, but it
would seem that given what Polaris does, what personal firewalls do and
what virus scanners do, there should be sufficient possibilities to do the
same on these platforms.
Rob
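The handle-passing IPC Rob describes (the browser as broker opening files or sockets and passing the descriptors to a confined plugin process over a unix domain socket) as an added C example for Linux; this is not code from the original thread, and the socketpair and pipe are constructed stand-ins for the browser-plugin channel and a brokered file. The AppArmor and iptables confinement of the plugin process is assumed to be in place and is not shown.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
/* Broker side: hand one already-open descriptor to the confined process over
   the unix domain socket `sock` via SCM_RIGHTS. Returns 0 on success. */
int send_fd(int sock, int fd) {
    char dummy = 'x';                      /* one data byte must ride along */
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Plugin side: receive a descriptor from `sock`; -1 if none was attached. */
int recv_fd(int sock) {
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Self-contained demo (constructed): a socketpair stands in for the
   browser<->plugin IPC channel and a pipe for a file the broker opened.
   The "plugin" writes through the received descriptor; returns 1 on success. */
int demo_fd_passing(void) {
    int sv[2], p[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0) return 0;
    if (send_fd(sv[0], p[1]) < 0) return 0;
    int got = recv_fd(sv[1]);
    if (got < 0 || write(got, "hello", 5) != 5) return 0;
    char out[6] = {0};
    int ok = read(p[0], out, 5) == 5 && strcmp(out, "hello") == 0;
    close(got); close(p[1]); close(p[0]); close(sv[0]); close(sv[1]);
    return ok;
}
```

In a real deployment the plugin side holds only `sv[1]` and whatever descriptors arrive on it, so its filesystem and network authority is exactly what the broker chose to send.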