[cap-talk] Google Chrome - web browser with sandboxed rendering

Ben Laurie benl at google.com
Thu Sep 4 05:14:36 CDT 2008


On Thu, Sep 4, 2008 at 9:30 AM, Matej Kosik <kosik at fiit.stuba.sk> wrote:
>
> Hi Rob,
>
> Rob Meijer wrote:
>> On Wed, September 3, 2008 22:23, Ben Laurie wrote:
>>
>>>> what about POLA and the solution to the plugin problem?
>>> Broad comment on POLA and plugins: if you want to use POLA for
>>> plugins, then you need an environment that supports it. There aren't
>>> many candidates. E? Caja? Joe-E?
>>>
>>
>> I may be missing something, but if the plugin was to run in a separate
>> confined process with an IPC channel to the main application as its only
>> initial source of authority, the plugin could even be written in the
>> absolute worst style of C.
>>
>> I think running plugins with least authority at this stage should be
>> mostly about sandboxing and IPC techniques in order to confine the plugin
>> process to least authority, and much less about using fine grained ocap
>> environments to confine each object within the plugin to least authority.
>>
>> In Linux you could use AppArmor to confine access to the filesystem to a
>> minimum, uid based rules in iptables to deny all initiation of networking,
>> and unix domain sockets for communication of filesystem and networking
>> handles. Running the plugin under a uid that is denied networking
>> initiation with a restrictive AppArmor profile and communication to the
>> browser using one or more unix domain sockets as IPC channel would get you
>> pretty close to least authority.
>
> You cannot decide the security policy for an application if you do not
> know what authority it requires.
>
> For example, if you banned by default all network access to all Flash
> applications, some useful Flash applications would stop working because
> they indeed need to make TCP connection to a remote machine.
>
> Can you handle this situation with AppArmor/... ?
>
> I think the answer does not solely lie in the land of security
> infrastructure (it is not solely a question of "if not AppArmor, then what").
> The answer is the way *applications* are developed (and subsequently
> also the appropriate OS).

I agree that the problem of making the security decisions is
considerably harder than that of enforcing them.

>
>> I don't know much about these types of mechanisms in Vista or XP, but it
>> would seem that given what Polaris does, what personal firewalls do and
>> what virus scanners do, there should be sufficient possibilities to do the
>> same on these platforms.
>
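The design Rob Meijer sketches above, a confined plugin process whose only initial authority is an IPC channel over which the browser hands it specific file and network handles, rests on one kernel mechanism: passing an open file descriptor across a Unix domain socket with SCM_RIGHTS. The C program below is an added illustration written for this page, not code from the thread, from Chrome or from any of the projects named; it plays the broker and plugin roles in a single process over a socketpair() so it can be run stand-alone, and the names send_fd, recv_fd and broker_grant_demo are mine.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Send one open file descriptor over a Unix domain socket (SCM_RIGHTS).
 * The kernel duplicates the descriptor into the receiving process, so the
 * receiver gains exactly this handle and nothing else. Returns 0 or -1. */
int send_fd(int sock, int fd_to_send)
{
    char dummy = 'F';                      /* sendmsg needs at least one data byte */
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;

    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one file descriptor. Validates the control message before trusting
 * it, so a malformed message from the peer yields -1 rather than a bogus fd. */
int recv_fd(int sock)
{
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Demo: the broker side (sv[0]) grants the plugin side (sv[1]) read access to
 * one pipe carrying constructed sample data, then drops its own copies.
 * Returns the number of bytes the plugin side could read, or -1. */
int broker_grant_demo(char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int pfd[2];
    if (pipe(pfd) != 0) return -1;

    const char *payload = "config-data";       /* constructed sample content */
    if (write(pfd[1], payload, strlen(payload)) < 0) return -1;
    close(pfd[1]);

    if (send_fd(sv[0], pfd[0]) != 0) return -1;
    close(pfd[0]);   /* broker keeps nothing; only the granted copy remains */

    int granted = recv_fd(sv[1]);              /* "plugin" receives its authority */
    if (granted < 0) return -1;
    ssize_t n = read(granted, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    close(granted);
    close(sv[0]);
    close(sv[1]);
    return (int)n;
}

int main(void)
{
    char buf[64];
    int n = broker_grant_demo(buf, sizeof buf);
    printf("plugin side read %d bytes: %s\n", n, buf);
    return n < 0;
}
```

In the arrangement the message describes, the two ends of the socketpair would sit across a fork, with the child switching to the network-denied uid under its AppArmor profile before exec; the child can then read from a pipe or socket the broker chose to hand it even though it could not open that resource itself, and anything the broker never sends it simply never holds. The validation in recv_fd matters for the same reason: the confined side should treat the channel as its sole source of authority, not as a trusted peer.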

