[cap-talk] Google Chrome - web browser with sandboxed rendering

Ben Laurie benl at google.com
Thu Sep 4 05:13:40 CDT 2008


On Thu, Sep 4, 2008 at 7:23 AM, Rob Meijer <capibara at xs4all.nl> wrote:
> On Wed, September 3, 2008 22:23, Ben Laurie wrote:
>
>>> what about POLA and the solution to the plugin problem?
>>
>> Broad comment on POLA and plugins: if you want to use POLA for
>> plugins, then you need an environment that supports it. There aren't
>> many candidates. E? Caja? Joe-E?
>>
>
> I may be missing something, but if the plugin was to run in a separate
> confined process with an IPC channel to the main application as its only
> initial source of authority, the plugin could even be written in the
> absolute worst style of C.
>
> I think running plugins with least authority at this stage should be
> mostly about sandboxing and IPC techniques in order to confine the plugin
> process to least authority, and much less about using fine grained ocap
> environments to confine each object within the plugin to least authority.

Well, I won't argue that this is another way to achieve the same goal,
but it doesn't seem to me to be much easier or more compelling than
the other possibilities.

> In Linux you could use AppArmor to confine access to the filesystem to a
> minimum, uid based rules in iptables to deny all initiation of networking,
> and unix domain sockets for communication of filesystem and networking
> handles. Running the plugin under a uid that is denied networking
> initiation with a restrictive AppArmor profile and communication to the
> browser using one or more unix domain sockets as IPC channel would get you
> pretty close to least authority.
> I don't know much about these types of mechanisms in Vista or XP, but it
> would seem that given what Polaris does, what personal firewalls do and
> what virus scanners do, there should be sufficient possibilities to do the
> same on these platforms.
>
> Rob
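The IPC piece of Rob's Linux sketch above (a confined plugin process whose only initial authority is a Unix domain socket, over which the browser hands it filesystem or network handles) is easy to miss in prose, so here is an added example that is not part of this thread or of Chrome. It is constructed for illustration: a "broker" side opens a pipe and grants only its read end to a "plugin" side with SCM_RIGHTS over a socketpair, and the plugin can then read only through the descriptor it was given. The AppArmor profile and uid-based iptables rules Rob mentions are assumed to be applied to the plugin's uid separately and are not shown; the two sides also run in one process here, where a real deployment would fork and drop privileges first.

```c
/* Added example, not code from the cap-talk thread or from Chrome.
 * Shows descriptor passing over an AF_UNIX socket (SCM_RIGHTS), the
 * mechanism by which a broker can grant a confined plugin process a
 * handle without the plugin needing filesystem or network authority.
 * Assumes Linux; AppArmor/iptables confinement is applied elsewhere. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>

/* Send one descriptor over a connected AF_UNIX socket. Returns 0 on success. */
int send_fd(int sock, int fd_to_send) {
    char payload = 'F';                 /* at least one byte of data must travel */
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctrl;
    memset(&ctrl, 0, sizeof ctrl);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl.buf;
    msg.msg_controllen = sizeof ctrl.buf;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;         /* kernel duplicates the fd into the receiver */
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd in this process, or -1. */
int recv_fd(int sock) {
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctrl;
    memset(&ctrl, 0, sizeof ctrl);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl.buf;
    msg.msg_controllen = sizeof ctrl.buf;

    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    /* Validate the control message before trusting the fd it carries. */
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Broker writes a constructed record into a pipe and grants only the read end;
 * the plugin side reads through the granted fd. Returns bytes read, or -1. */
int grant_and_read(char *out, size_t outlen) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int broker = sv[0], plugin = sv[1];

    int pipefd[2];
    if (pipe(pipefd) != 0) return -1;
    const char record[] = "hello from broker";       /* constructed sample data */
    if (write(pipefd[1], record, sizeof record - 1) != (ssize_t)(sizeof record - 1))
        return -1;
    close(pipefd[1]);

    if (send_fd(broker, pipefd[0]) != 0) return -1;
    close(pipefd[0]);   /* broker drops its copy; the plugin now holds the only read end */

    int granted = recv_fd(plugin);
    if (granted < 0) return -1;
    ssize_t n = read(granted, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    close(granted); close(broker); close(plugin);
    return (int)n;
}

/* Returns 1 if the plugin side read exactly the record the broker granted. */
int demo_ok(void) {
    char buf[64];
    int n = grant_and_read(buf, sizeof buf);
    return n == 17 && strcmp(buf, "hello from broker") == 0;
}

int main(void) {
    char buf[64];
    int n = grant_and_read(buf, sizeof buf);
    printf("plugin read %d bytes through granted fd: %s\n", n, buf);
    return n > 0 ? 0 : 1;
}
```

The point of the design is that the plugin side never names a path or opens a socket itself: every handle it holds arrived through the IPC channel, which is what makes the surrounding AppArmor and iptables rules a workable approximation of least authority rather than a list of exceptions.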
