[cap-talk] A Taxonomy of Current Object-Cap Systems

Rob Meijer capibara at xs4all.nl
Thu Mar 5 13:04:33 EST 2009


On Thu, March 5, 2009 17:36, David Wagner wrote:
> Rob Meijer wrote:
>> In the light of recent discussions possibly:
>>
>> * Linux + AppArmor + UNIX domain sockets.
>>
>> AppArmor can be used to remove ambient authority on Linux. UNIX domain
>> sockets can be used for IPC and can transfer other UNIX domain sockets.
>> I feel the combination of these two would qualify as a rudimentary
>> object capability system, that is however pretty wide spread (Ubuntu + Suse).
>> It is currently indeed possible but pretty hard to write code for this
>> system today.
>
> I think this is a real stretch.
>
> AppArmor is not an objcap system.  Its permissions are based
> upon pathnames.
>
> I don't think "could be used as a basis to build an objcap system"
> is the same as "a working objcap system where it is possible to write
> working code today".

In my view UNIX domain sockets when used for IPC have all the properties
needed to be considered object capabilities.  IMHO to turn a multi process
application using UNIX domain sockets for IPC into an object capability
system, all that is needed is to take away everything that could be
considered to be ambient authority.

AppArmor provides the facilities for taking away much of this ambient
authority (for the filesystem). The iptables owner match provides the
facilities for taking away ambient authority for networking.

I feel processes using UNIX domain sockets would fit:
"a working objcap system where it is possible to write working code today"
given that facilities like AppArmor and iptables are in place to take away
most ambient authority.

Rob
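The mechanism the thread turns on, a UNIX domain socket carrying another descriptor so that the receiver holds a reference it could never have named, is shown below as an added example written for this page; it is not code from Rob Meijer or from any project named in the thread. It assumes Linux with glibc (SCM_RIGHTS over a `socketpair`), and the function names `send_fd`, `recv_fd` and `demo_capability_transfer` are the example's own. The child closes every inherited copy of the resource before receiving, so the only route to the resource is the descriptor it was handed; the AppArmor and iptables side of the argument (removing filesystem and network ambient authority) is not modelled here.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>

/* Ancillary-data buffer sized for exactly one descriptor. */
union fd_cmsg {
    struct cmsghdr hdr;
    unsigned char buf[CMSG_SPACE(sizeof(int))];
};

/* Hand descriptor `fd` to whoever holds the other end of `chan`.
 * Returns 0 on success, -1 on failure. */
int send_fd(int chan, int fd)
{
    char byte = 'c';                        /* SCM_RIGHTS needs one data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg ctrl;
    struct msghdr msg;

    memset(&ctrl, 0, sizeof ctrl);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl.buf;
    msg.msg_controllen = sizeof ctrl.buf;

    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));

    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from `chan`. Returns the new fd, or -1 if the
 * message carried no well-formed SCM_RIGHTS payload. */
int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg ctrl;
    struct msghdr msg;

    memset(&ctrl, 0, sizeof ctrl);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl.buf;
    msg.msg_controllen = sizeof ctrl.buf;

    if (recvmsg(chan, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
        || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Parent owns a private resource channel `res` and grants one end to a forked
 * child purely by descriptor passing over the IPC channel `chan`. The child
 * first drops every inherited descriptor for the resource, so it can reach
 * the resource only through what it was handed. Returns 1 if the child's
 * message arrived through the granted descriptor, else 0. */
int demo_capability_transfer(void)
{
    int chan[2], res[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, res) < 0) return 0;

    pid_t pid = fork();
    if (pid < 0) return 0;

    if (pid == 0) {                         /* child: no ambient access to res */
        close(chan[0]); close(res[0]); close(res[1]);
        int cap = recv_fd(chan[1]);
        if (cap < 0) _exit(1);
        const char *hello = "via capability";
        ssize_t w = write(cap, hello, strlen(hello));
        close(cap);
        _exit(w == (ssize_t)strlen(hello) ? 0 : 1);
    }

    close(chan[1]);                         /* parent: grant res[1], drop own copy */
    int ok = send_fd(chan[0], res[1]) == 0;
    close(res[1]);
    close(chan[0]);

    char buf[64] = {0};
    size_t got = 0;
    ssize_t n;
    while (ok && got < sizeof buf - 1
           && (n = read(res[0], buf + got, sizeof buf - 1 - got)) > 0)
        got += (size_t)n;                   /* read until child closes its end */
    close(res[0]);

    int status = 0;
    waitpid(pid, &status, 0);
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0
           && strcmp(buf, "via capability") == 0;
}

int main(void)
{
    printf("capability transfer %s\n",
           demo_capability_transfer() ? "succeeded" : "failed");
    return 0;
}
```

The receiver never sees a pathname or address for the resource; it only holds a kernel reference that the sender chose to delegate, which is the property the thread is calling an object capability. In-flight descriptors keep their file open even after the sender closes its own copy, so the grant survives the sender dropping the resource, and `recv_fd` rejects any message whose control header is not a single SCM_RIGHTS entry rather than trusting whatever arrives.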
