dynamic /bin /sbin
Matthew Dillon
dillon at apollo.backplane.com
Sat Jul 26 16:52:52 PDT 2003
There are a couple of issues here that I would like to address. One
of the biggest goals on my list will be the ability to abstract a VFS
into userland as part of the general workings of the system.. that is,
not just as a root-only exercise. I want to use such abstracted VFSs
for all sorts of cool things such as isolating packages for the purpose
of detecting and enforcing their library & configuration file
dependanciese.
This introduces some rather interesting problems that need to be solved.
I am not all that worried about the kernel<->user interface, I've got
that pretty much worked out in my head. The problems are all security
related, because now access to the VFS itself needs to be properly
secured. We can't have suid-root programs going off accessing non-root
VFSs without explicitly saying they want to, for example. On the
other hand, we *DO* want to be able to operate/simulate suidness within
sub-environments as a better way to implement a jailed environment,
and we need to be able to protect secure information on unsecure VFSs,
through encryption, in a manner that does not count on the
trustworthyness of the filesystem layer.
For example, take a situation where a secure program wishes to access
a secure space through an unesecure VFS or medium. The only way to do
this safely is not only for the data to be encrypted, but also for
the secure program to emplace its own, trustworthy VFS layer on top
of the VFS layer it is accessing which is able to verify and guarentee
the consistency of the meta-data (directory structures and so on),
and enforce constraints such access timeouts and such.
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
:Well, the problem I have specifically in mind is service discovery: one of
:the nice things (yes, there are some) about UNIX domain sockets is that
:they exist in a protected hierarchal namespace. One of the problems that
:exists in OS X is that services are looked up in a non-hierarchal
:bootstrap namespace with few controls over use of the namespace. If your
:"foo" service provider dies, another process using the same namespace can
:advertise the service. One of the cool things about Mach is that you can
:provide new namespaces wrapping old namespaces--one of the less cool
:things about it is that you can't trust the namespace and that makes the
:life of an application writer more difficult.
:
:So, for example, you want to make sure that if you use a name to
:rendezvous with your directory service, you want to make sure you can
:ensure that name is properly protected from inappropriate use. A
:hierarchal namespace with permissions of some sort is one way to do that,
:and might well make a good starting point if you start with a UNIX base.
:
:Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
:robert at xxxxxxxxxxxxxxxxx Network Associates Laboratories
More information about the Kernel
mailing list