Linux, IRIX, and "POSIX Capabilities"

Eric Messick eric@syzygy.com
Sun, 7 Nov 1999 23:03:34 -0800


In message <Pine.LNX.4.10.9911072143280.456-100000@skuld.lfw.org>, Ka-Ping Yee <ping@lfw.org> wrote:

>[...] -- some options appear to be:
>
>    a) leave Linux alone, and interoperate, as Tyler suggests;
>
>    b) build a capability abstraction on top of the Unix
>       security model somehow, which people can then write
>       trustable applications against;
>
>    c) advocate changes to the Linux security model;
>
>    d) advocate a move to a new underlying operating system.
>
>I welcome other options anyone may care to suggest.

How about

     e) build a set of unix libraries on top of a capability secure system.

I must admit, I'm not sure this can actually be done, but I think it
should be considered.  Wouldn't it be nice to have a capability secure
system where you could run all of that old unix software?

Everything in unix is a file.  Wrapping a capability wrapper around
files is doable.  We did just that at EC.

Files are referred to by programs either as file descriptors (which
already behave a lot like capabilities) or by name.  It's the name
part that is tricky.

Consider a system where every individual program was running in its
own file system namespace.  These namespaces could overlap, but the
rules for their overlap would have to satisfy capability semantics.
The shell is where the user says which files a given program should
operate on.  Creating a set of clean understandable semantics for this
is where my gesticulations become somewhat wild.

-eric
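The "file descriptors already behave a lot like capabilities" idea above, as an added C example that is not part of the original message: a directory descriptor stands in for a program's private namespace, and names are resolved only beneath it (absolute paths and ".." are refused). `cap_open` and `demo` are hypothetical names chosen here; the sandbox directory is created under /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open `name` relative to the directory capability `dirfd`.  A program
   holding only `dirfd` can name files beneath it and nothing else:
   absolute paths and ".." components are refused before the kernel
   ever sees them.  Caveat: O_NOFOLLOW covers only the final component;
   a symlink in an intermediate component could still point outside
   (Linux's openat2 with RESOLVE_BENEATH closes that hole). */
int cap_open(int dirfd, const char *name, int flags)
{
    if (name[0] == '/') { errno = EACCES; return -1; }
    for (const char *p = name; *p; ) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') { errno = EACCES; return -1; }
        p += n;
        while (*p == '/') p++;
    }
    return openat(dirfd, name, flags | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Builds a throwaway directory with one file and checks that the same
   program reaches the file through its directory capability but cannot
   reach names outside it.  Returns 0 on success, -1 otherwise. */
int demo(void)
{
    char tmpl[] = "/tmp/capdemoXXXXXX";            /* constructed sandbox */
    char *root = mkdtemp(tmpl);
    if (!root) return -1;
    int dirfd = open(root, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    int ok = 1;

    int fd = cap_open(dirfd, "hello.txt", O_WRONLY | O_CREAT);
    if (fd < 0 || write(fd, "hi\n", 3) != 3) ok = 0;
    if (fd >= 0) close(fd);

    fd = cap_open(dirfd, "hello.txt", O_RDONLY);    /* beneath dirfd: allowed */
    if (fd < 0) ok = 0; else close(fd);
    if (cap_open(dirfd, "/", O_RDONLY) >= 0) ok = 0;      /* absolute: refused */
    if (cap_open(dirfd, "../x", O_RDONLY) >= 0) ok = 0;   /* escape: refused */

    unlinkat(dirfd, "hello.txt", 0);               /* cleanup */
    close(dirfd);
    rmdir(root);
    return ok ? 0 : -1;
}
```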