[cap-talk] A Taxonomy of Current Object-Cap Systems

Rob Meijer capibara at xs4all.nl
Thu Mar 5 16:11:41 EST 2009


On Thu, March 5, 2009 19:59, Lorens Kockum wrote:
> On Thu, Mar 05, 2009 at 07:04:33PM +0100, Rob Meijer wrote:
>> AppArmor provides the facilities for this taking away much ambient
>> authority (for the filesystem). The iptables owner match provides the
>> facilities for taking away ambient authority for networking.
>
> Unfortunately, the iptables owner match would be a classic
> example of an ambient authority ACL.

Depending on how you use it. If you fully disallow all owner uids for all
but a single one or a small set that you use to delegate listening and
connected sockets from, it no longer is IMO.

> That said, I'd be interested in knowing if AppArmor could
> *without invading the whole system* be made to "sandbox" a given
> process in a plash-like way (like starting Netscape^WFirefox
> with only read-only rights to their libs, a space for temp
> files, rights to execute systems programs with read-write rights
> only in the temp space...) That would eliminate a whole class of
> problems right there.

Have a look at MinorFs. MinorFs is a cap-as-data system, not an objcap
system like I feel UNIX domain sockets are. On install the MinorFs install
script creates a hard link to /bin/bash under bin/minorbash. Minorbash
runs (on AppArmorized systems such as Ubuntu and Suse) with basically a
pretty broad read-only profile. MinorFs provides a private 'temp'
directory for each process, so any program accepting its temp dir to be
set would basically work as you specify here when invoked using minorbash.
You could always create a more confined profile for individual
applications, but the minorbash profile should do a reasonable job IMO.

Networking and least authority seems like quite a bit larger a challenge
when working with existing programs. For new programs however, using
iptables owner confinement rules and networking sockets delegated over
UNIX domain sockets would seem like an almost fully objcap way of doing
things that is, like plash (and the MinorFs cap-as-data system), somewhere
halfway between the bare OS level of doing things and the language level.

Rob
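The handover Rob sketches in the last paragraph, as an added example that is not part of the original thread: a broker that owns the network authority creates a TCP listener and passes it to a confined process over a UNIX domain socket with SCM_RIGHTS, while iptables owner-match rules reject every locally generated packet except those from the broker's uid. The uid 1001, the message tag `b"listener"` and the fact that both sides run in one process (so the example runs stand-alone) are assumptions constructed here; the fd transfer itself is the same across processes.

```python
"""Added example (not code from the cap-talk thread): delegate a TCP listening
socket to a confined process over a UNIX domain socket, the pairing Rob
describes with iptables owner-match rules.

Assumptions (constructed for this example):
- the broker runs as uid BROKER_UID, the only uid the OUTPUT chain accepts;
- the confined side has no ambient network authority and can only use the
  sockets it is handed;
- both sides live in one process here so the example runs stand-alone.
"""
import socket

BROKER_UID = 1001  # constructed placeholder uid for the socket broker


def owner_match_rules(broker_uid: int = BROKER_UID) -> list:
    """iptables rules that strip ambient outbound network authority from every
    uid except the broker. The 'owner' match only applies to locally generated
    packets, so the rules live in the OUTPUT chain and are order-sensitive:
    accept the broker first, then reject everything else. Sockets the broker
    created and handed on keep the broker as owner, which is what lets a
    confined process use a delegated socket but not open its own."""
    return [
        f"iptables -A OUTPUT -m owner --uid-owner {broker_uid} -j ACCEPT",
        "iptables -A OUTPUT -j REJECT",
    ]


def broker_side(broker: socket.socket, port: int = 0) -> tuple:
    """Broker: create the listener, send its fd with SCM_RIGHTS, drop our copy."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", port))
    listener.listen(1)
    addr = listener.getsockname()
    # send_fds attaches the file description to the message; after this the
    # receiver holds its own reference, so the broker can close its fd.
    socket.send_fds(broker, [b"listener"], [listener.fileno()])
    listener.close()
    return addr


def confined_side(confined: socket.socket) -> socket.socket:
    """Confined process: receive the delegated fd and wrap it as a socket.
    socket.socket(fileno=...) detects family and type from the fd itself."""
    msg, fds, _flags, _addr = socket.recv_fds(confined, 1024, 1)
    if msg != b"listener" or len(fds) != 1:
        raise RuntimeError("unexpected handover message")
    return socket.socket(fileno=fds[0])


def demo() -> bytes:
    """Run the handover end to end and return the echoed reply."""
    broker, confined = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    addr = broker_side(broker)
    listener = confined_side(confined)  # the only network object it holds
    # The connect completes in the kernel backlog, so no accept is needed yet.
    client = socket.create_connection(addr)
    conn, _ = listener.accept()
    client.sendall(b"ping")
    conn.sendall(conn.recv(16).upper())
    reply = client.recv(16)
    for s in (conn, client, listener, broker, confined):
        s.close()
    return reply


if __name__ == "__main__":
    print("\n".join(owner_match_rules()))
    print(demo())
```

The confined side never calls socket(2) for AF_INET itself; every network object it touches arrives over the UNIX socket, so the owner-match rules and the delegation together give the "authority only by explicit grant" shape the post describes, without touching the rest of the system.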


