[cap-talk] Google Chrome - web browser with sandboxed rendering

Matej Kosik kosik at fiit.stuba.sk
Thu Sep 4 03:30:47 CDT 2008


Hi Rob,

Rob Meijer wrote:
> On Wed, September 3, 2008 22:23, Ben Laurie wrote:
> 
>>> what about POLA and the solution to the plugin problem?
>> Broad comment on POLA and plugins: if you want to use POLA for
>> plugins, then you need an environment that supports it. There aren't
>> many candidates. E? Caja? Joe-E?
>>
> 
> I may be missing something, but if the plugin was to run in a separate
> confined process with an IPC channel to the main application as its only
> initial source of authority, the plugin could even be written in the
> absolute worst style of C.
> 
> I think running plugins with least authority at this stage should be
> mostly about sandboxing and IPC techniques in order to confine the plugin
> process to least authority, and much less about using fine-grained ocap
> environments to confine each object within the plugin to least authority.
> 
> In Linux you could use AppArmor to confine access to the filesystem to a
> minimum, uid-based rules in iptables to deny all initiation of networking,
> and unix domain sockets for communication of filesystem and networking
> handles. Running the plugin under a uid that is denied networking
> initiation with a restrictive AppArmor profile and communication to the
> browser using one or more unix domain sockets as IPC channel would get you
> pretty close to least authority.

You cannot decide the security policy for an application if you do not
know what authority it requires.

For example, if you banned by default all network access for all Flash
applications, some useful Flash applications would stop working because
they indeed need to make TCP connections to a remote machine.

Can you handle this situation with AppArmor/... ?

I think the answer does not lie solely in the land of security
infrastructure (it is not solely a question of "if not AppArmor, then what?").
The answer lies in the way *applications* are developed (and, subsequently,
in an appropriate OS).

> I don't know much about these types of mechanisms in Vista or XP, but it
> would seem that given what Polaris does, what personal firewalls do and
> what virus scanners do, there should be sufficient possibilities to do the
> same on these platforms.
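The mechanism the two messages above are arguing about, written out as an added example (editor's code, not from the thread, from Chrome, or from any of the named sandboxes): a plugin runs in a separate process whose only initial authority is a Unix-domain socket to the browser, and when it needs the TCP connection Matej mentions it asks for one; the browser-side broker checks policy and, if it agrees, hands over a connected socket with SCM_RIGHTS, so the plugin never needs ambient network permission at all. The "CONNECT host port" wire format, the allow-list of hosts, the host names and the 0/1/-1 result codes are all assumptions made for this example; to run offline the broker substitutes a socketpair with a canned banner for the real getaddrinfo()+connect(), and the AppArmor profile and uid-based iptables rules from Rob's message are not simulated, only the process split and descriptor passing.

```c
/* broker_demo.c: confined plugin process + browser-side broker passing a
 * connected socket over SCM_RIGHTS. Build: cc -std=gnu11 broker_demo.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed allow-list (assumed policy for this example): the hosts the
 * browser will open TCP connections to on a plugin's behalf. */
static const char *const allowed_hosts[] = { "stream.example", "updates.example" };

int policy_allows(const char *host, int port)
{
    if (port != 443) return 0;
    for (size_t i = 0; i < sizeof allowed_hosts / sizeof *allowed_hosts; i++)
        if (strcmp(host, allowed_hosts[i]) == 0) return 1;
    return 0;
}

/* sendmsg()/recvmsg() with an SCM_RIGHTS ancillary block: the kernel installs
 * the descriptor in the receiver's table, so a handle is the unit of authority. */
static int send_with_fd(int chan, const char *msg, int fd)
{
    struct iovec iov = { (void *)msg, strlen(msg) };
    union { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof(int))]; } cm;
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_iov = &iov; mh.msg_iovlen = 1;
    if (fd >= 0) {
        memset(&cm, 0, sizeof cm);
        mh.msg_control = cm.raw; mh.msg_controllen = sizeof cm.raw;
        struct cmsghdr *c = CMSG_FIRSTHDR(&mh);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(chan, &mh, 0) < 0 ? -1 : 0;
}

static ssize_t recv_with_fd(int chan, char *buf, size_t len, int *fd_out)
{
    struct iovec iov = { buf, len - 1 };
    union { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof(int))]; } cm;
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_iov = &iov; mh.msg_iovlen = 1;
    mh.msg_control = cm.raw; mh.msg_controllen = sizeof cm.raw;
    ssize_t n = recvmsg(chan, &mh, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    *fd_out = -1;                               /* -1 unless a descriptor arrived */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
            memcpy(fd_out, CMSG_DATA(c), sizeof(int));
    return n;
}

/* Broker (browser side): serve one "CONNECT <host> <port>" request. A real
 * browser would getaddrinfo()+connect() and pass the TCP socket; offline we
 * pass one end of a socketpair after writing a banner as the "remote peer". */
static int broker_serve_one(int chan)
{
    char req[128], host[64], banner[96]; int port, unused = -1, sv[2];
    if (recv_with_fd(chan, req, sizeof req, &unused) <= 0 ||
        sscanf(req, "CONNECT %63s %d", host, &port) != 2)
        return send_with_fd(chan, "ERR\n", -1);
    if (!policy_allows(host, port)) return send_with_fd(chan, "DENY\n", -1);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    snprintf(banner, sizeof banner, "HELLO from %s:%d\n", host, port);
    if (write(sv[1], banner, strlen(banner)) < 0) return -1;
    close(sv[1]);
    int rc = send_with_fd(chan, "OK\n", sv[0]);
    close(sv[0]);                               /* plugin now holds the only copy */
    return rc;
}

/* Plugin side: knows nothing but `chan`. 0 = connected (data in out),
 * 1 = refused by policy, -1 = error. */
static int plugin_fetch(int chan, const char *host, int port, char *out, size_t outlen)
{
    char req[128], reply[16]; int sock = -1;
    snprintf(req, sizeof req, "CONNECT %s %d", host, port);
    if (send_with_fd(chan, req, -1) < 0) return -1;
    if (recv_with_fd(chan, reply, sizeof reply, &sock) <= 0) return -1;
    if (strncmp(reply, "OK", 2) != 0) { if (sock >= 0) close(sock); return 1; }
    if (sock < 0) return -1;
    ssize_t n = read(sock, out, outlen - 1);
    close(sock);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

/* Fork the plugin into its own process, act as broker in the parent, and
 * return the plugin's verdict; `out` receives whatever the plugin read. */
int run_demo(const char *host, int port, char *out, size_t outlen)
{
    int chan[2], unused = -1, rc = -1;
    char res[160], buf[128] = "";
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, chan) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                         /* confined plugin */
        close(chan[0]);
        for (int fd = 3; fd < 1024; fd++) if (fd != chan[1]) close(fd); /* no inherited handles */
        int r = plugin_fetch(chan[1], host, port, buf, sizeof buf);
        snprintf(res, sizeof res, "%d %s", r, buf);
        send_with_fd(chan[1], res, -1);                     /* report over the only channel */
        _exit(0);
    }
    close(chan[1]);
    broker_serve_one(chan[0]);
    if (recv_with_fd(chan[0], res, sizeof res, &unused) > 0) {
        rc = atoi(res);
        const char *p = strchr(res, ' ');
        snprintf(out, outlen, "%s", p ? p + 1 : "");
    }
    close(chan[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(void)
{
    char out[128];
    int rc = run_demo("stream.example", 443, out, sizeof out);
    printf("stream.example:443 -> rc=%d %s", rc, out);
    rc = run_demo("evil.example", 443, out, sizeof out);
    printf("evil.example:443 -> rc=%d\n", rc);
    return 0;
}
```

The point of the split is that the policy question Matej raises ("does this Flash application need TCP?") is answered per connection by the broker rather than once for all plugins by a deny-all rule, while the OS-level confinement Rob describes still stops the plugin from opening a socket behind the broker's back; in this stand-in the broker's own socketpair plays the remote host, so only the descriptor-passing and policy logic are exercised.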


More information about the cap-talk mailing list