l4-hurd
Re: POSIX


From: Jonathan S. Shapiro
Subject: Re: POSIX
Date: Wed, 26 Oct 2005 16:26:35 -0400

On Wed, 2005-10-26 at 22:01 +0200, Bas Wijnen wrote:
> On Wed, Oct 26, 2005 at 02:33:08PM -0400, Jonathan S. Shapiro wrote:

> > Unfortunately, they forget that the POSIX jail has read-only access to
> > the home directory. All of your files are now disclosed to the world.
> 
> That shouldn't happen, since firefox will not have access to the filesystem
> except write-only access to ~/downloads.

This is survivable. Something in your description must have led me to
imagine a stronger degree of integration than you really had in mind.

> > Here is a second difficulty:
> > 
> > My home directory isn't really a file system. It is a mapping from
> > strings (the filenames) to capabilities. These capabilities do not name
> > files. They name objects implemented by servers. One of these servers
> > may be the file server, but at the kernel level of abstraction we do not
> > know that.
> 
> This problem, like the first one, is present for non-POSIX applications as
> well.  If you want read-only access, what do you mean by it?  How do I prevent
> my data from becoming shared when I don't want it?

Serious answer: the notion of read-only access is only meaningful when
the enforcement agent (in this case, the kernel) fully knows the
semantics of the objects we are manipulating. The best that is possible
in principle is to have a list of servers that we trust to implement the
restriction, and behave conservatively in other cases.

> All the things that a web server needs to do are so different in POSIX from what
> it will be for us that it is likely very hard to port it.  So we will put it in
> a POSIX box.  What capabilities do we give it?

Actually, Ben Laurie spent some time looking at this for Apache on EROS,
and concluded that the object structure of Apache makes this port
surprisingly straightforward. I suppose we will have to find out the
hard way.

Still, putting every program in a separate POSIX jail is likely to be
expensive.

shap
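The "read-only only means something when the enforcer knows the object's semantics, so keep a list of trusted servers and be conservative otherwise" rule from the message above, as an added Python model that is not code from the thread, the Hurd or EROS. The Capability and Directory classes, the server names and the attenuate_readonly function are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed model: a capability names an object implemented by some
# server, not a file. Only that server knows what "read" means for it.
@dataclass(frozen=True)
class Capability:
    server: str        # which server implements the object
    object_id: str
    mode: str = "rw"   # "rw" or "ro"; the server is asked to honour it

# Servers the enforcement agent trusts to actually implement a
# read-only restriction (assumed set, not the Hurd's or EROS's).
TRUSTED_READONLY_SERVERS = {"fileserver"}

class Directory:
    """Home directory as a mapping from strings to capabilities."""
    def __init__(self):
        self._entries = {}

    def insert(self, name, cap):
        self._entries[name] = cap

    def lookup(self, name):
        return self._entries[name]

    def names(self):
        return sorted(self._entries)

def attenuate_readonly(cap):
    """Return a read-only capability, or None if the restriction
    cannot be enforced because the server's semantics are unknown."""
    if cap.mode == "ro":
        return cap
    if cap.server in TRUSTED_READONLY_SERVERS:
        return Capability(cap.server, cap.object_id, "ro")
    return None  # conservative: do not hand the object out at all

def jail_view(home, names):
    """Directory a POSIX jail gets: only entries that could be safely
    attenuated; everything else is withheld rather than over-shared."""
    view = Directory()
    for name in names:
        ro = attenuate_readonly(home.lookup(name))
        if ro is not None:
            view.insert(name, ro)
    return view
```

The jail never sees the mailbox object, because the mail server is not on the trusted list and the enforcer cannot know what read-only would mean there.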