sandbox != capability access control

Posted May 19, 2006 0:14 UTC (Fri) by pimlott (guest, #1535)
In reply to: sandbox != capability access control by zooko
Parent article: .desktop files and security

I agree with the first sentiment--thanks, Jon, for pointing out Plash! I think this has better potential to improve security in practice than SELinux. I'm a little confused about your second statement, because I didn't think that sandboxing had such a narrow meaning. I think I even heard Alan Karp describe Polaris (on which Plash seems to be modeled in part) as a sandbox.


(Log in to post comments)

sandbox != capability access control

Posted May 19, 2006 3:40 UTC (Fri) by zooko (subscriber, #2589)

Perhaps Alan Karp did use that terminology. Indeed, the first sentence of http://plash.beasts.org says "Plash is a system for sandboxing GNU/Linux programs.".

However, Plash (and Polaris) are doing something new that the Java sandbox paradigm did not do, namely dynamically extending the privileges available to the constrained code by observing what actions the user is asking the constrained code to perform.

We ought to use different terminology in order to make it clear to people that Plash and Polaris are not merely another attempt at implementing the failed Java sandbox paradigm. I've already made this suggestion in private e-mail to Mark Seaborn (of Plash). Now I'll make the same suggestion to Alan Karp.

Regards,

Zooko
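An added illustration of the "dynamically extending privileges by observing what the user asks for" idea described above; it is not code from the thread, from Plash or from Polaris. The toy models the authority flow only (a "powerbox" holding the user's ambient authority hands a per-file capability to confined code after a simulated user choice); names such as `Powerbox`, `FileCapability` and `ConfinedProgram` are assumptions for this example.

```python
"""Toy model of the powerbox pattern: confined code starts with no
filesystem authority and gains access to exactly one file only when the
user picks that file in a trusted chooser. This models authority flow;
Plash enforces the equivalent at the libc/OS level, this toy does not."""
import os
import tempfile


class FileCapability:
    """Unforgeable handle to one file: the holder cannot name other paths."""
    def __init__(self, path):
        self._path = path

    def read_text(self):
        with open(self._path, "r", encoding="utf-8") as fh:
            return fh.read()


class Powerbox:
    """Trusted component holding the user's full authority.
    `chooser` stands in for the user acting in a trusted file dialog."""
    def __init__(self, chooser):
        self._chooser = chooser
        self.granted = []  # audit trail: every path delegated to confined code

    def request_file(self, prompt):
        path = self._chooser(prompt)  # the user's action decides the grant
        if path is None:
            return None  # user cancelled: no privilege is extended
        self.granted.append(path)
        return FileCapability(path)


class ConfinedProgram:
    """Only ever sees the powerbox, never the filesystem namespace."""
    def __init__(self, powerbox):
        self._pb = powerbox

    def open_and_read(self):
        cap = self._pb.request_file("Open which document?")
        return cap.read_text() if cap else None


def demo(user_picks_letter=True):
    """Constructed scenario: two files exist; the user picks one or cancels.
    Returns (text read by confined code, paths granted, path never granted)."""
    tmp = tempfile.mkdtemp()
    letter = os.path.join(tmp, "letter.txt")
    secret = os.path.join(tmp, "secret.txt")
    for path, text in ((letter, "hello"), (secret, "top secret")):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    pb = Powerbox(chooser=lambda prompt: letter if user_picks_letter else None)
    text = ConfinedProgram(pb).open_and_read()
    return text, pb.granted, secret
```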

sandbox != capability access control

Posted Aug 9, 2006 18:41 UTC (Wed) by vonbrand (subscriber, #4458)

This is nonsensical... expand the limits according to what the user asks to be expanded? I.e., allow dancing pigs if asked?

sandbox != capability access control

Posted Aug 9, 2006 23:11 UTC (Wed) by zooko (subscriber, #2589)

Indeed. The idea is to allow dancing pigs, without thereby also allowing theft or destruction of your data, illicit use of your network, etc.

See "Polaris" and "plash" for examples.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds