Posted Nov 2, 2007 6:16 UTC (Fri) by njs (guest, #40338)
In reply to: Fixing CAP_SETPCAP by zooko
Parent article: Fixing CAP_SETPCAP

On that note, I actually agree with the article that "a capabilities-based distribution would
be interesting to see" -- except with, you know, real capabilities :-).

Unix has them, after all -- fds are exactly capabilities.  (A pipe is a kernel-space ring
buffer with two facets, etc.)  The model is a little inelegant because you have normal
numbered fds, the quasi-fds for "current directory" and "root directory" (all the syscalls
that take filenames are effectively calls against the interface these fds provide), and the
vast number of syscalls that are available to every process provide a little more exposure
than one would like... (kill(2), for instance, is annoying).  But these seem mostly solvable,
and in these days of bind mounts, FUSE, containers, etc., one could do pretty credible
POLA/capability-style containment with the stock Linux kernel and a custom userspace.

Plus it seems worthwhile to try, because capabilities are the best chance for surviving worms
and all the other wonderful conveniences of the modern internet, but so long as they only live
in pure-research OSes they aren't going anywhere.  Building on Linux gives you its existing
userspace to use as a base, and lets you move quickly to dealing with the real problems of
building a practical system that one can deploy, administer, etc.  (Eros is very cool, but how
the heck could one ever practically administer or even understand a system whose whole state
is a blob of gigabytes of memory tied together willy-nilly by pointers?)



Posted Nov 2, 2007 6:42 UTC (Fri) by njs (guest, #40338)

Err... ObOnTopic: Building a system like I describe is much easier given the existence of
CAP_SYS_CHROOT.  (Though another option would be to eliminate the root dir entirely by
chrooting everything to a designated unreadable/unwritable/empty directory, and just using
openat() etc. all the time.  ...Too bad there's no execat().)
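The "chroot to an empty directory and use openat() everywhere" discipline from the comment above, as an added example; this is not code from the thread or from any project mentioned in it. It assumes Linux with glibc; the chroot step needs CAP_SYS_CHROOT and is skipped when not running as root. The helpers path_is_confined(), open_under(), drop_root_dir() and demo() are hypothetical names chosen here. One caveat the code makes explicit: a directory fd only anchors relative lookups, so openat() by itself does not confine ".." or absolute paths; the wrapper rejects both, and without the chroot an intermediate symlink could still lead out of the tree (on kernels 5.6 and later, openat2(2) with RESOLVE_BENEATH closes that hole as well).

```c
/* Added example, not from the LWN thread: treat a directory fd as the
 * capability, reach everything through openat(), and (as root) throw
 * away "/" so nothing else is reachable by name. Linux/glibc assumed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Reject paths that could escape the directory the fd designates.
 * openat() follows ".." and absolute paths just fine, because the dirfd
 * only anchors *relative* lookups, so this check is not optional. */
int path_is_confined(const char *p)
{
    if (p == NULL || *p == '\0' || *p == '/')
        return 0;
    const char *s = p;
    while (*s) {
        const char *e = strchr(s, '/');
        size_t n = e ? (size_t)(e - s) : strlen(s);
        if (n == 2 && s[0] == '.' && s[1] == '.')
            return 0;
        if (!e)
            break;
        s = e + 1;
    }
    return 1;
}

/* Open relpath beneath dirfd. O_NOFOLLOW stops the last component being a
 * symlink out of the tree; intermediate symlinks are still followed, which
 * is why the chroot (or RESOLVE_BENEATH with openat2) is still wanted. */
int open_under(int dirfd, const char *relpath, int flags)
{
    if (!path_is_confined(relpath))
        return -1;
    return openat(dirfd, relpath, flags | O_NOFOLLOW | O_CLOEXEC, 0);
}

/* Make an empty, mode-0 directory and chroot into it: afterwards this
 * process has no usable "/" and only the fds it already holds.
 * Needs CAP_SYS_CHROOT; returns 0 on success. */
int drop_root_dir(void)
{
    char tmpl[] = "/tmp/emptyroot.XXXXXX";   /* constructed scratch path */
    if (mkdtemp(tmpl) == NULL) return -1;
    if (chmod(tmpl, 0) != 0)   return -1;
    if (chroot(tmpl) != 0)     return -1;
    if (chdir("/") != 0)       return -1;
    return 0;
}

/* Self-contained demo: build a tree with one file, take a directory fd as
 * the capability, optionally discard "/", then keep working via the fd.
 * Returns 0 when confined access works and escapes are refused. */
int demo(int do_chroot)
{
    char dir[] = "/tmp/captree.XXXXXX";      /* constructed scratch path */
    if (mkdtemp(dir) == NULL) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    int wfd = openat(dfd, "hello.txt", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (wfd < 0) { close(dfd); return -1; }
    if (write(wfd, "hi\n", 3) != 3) { close(wfd); close(dfd); return -1; }
    close(wfd);

    if (do_chroot && drop_root_dir() != 0) { close(dfd); return -1; }

    /* Legitimate access: a relative name resolved against the capability. */
    int fd = open_under(dfd, "hello.txt", O_RDONLY);
    if (fd < 0) { close(dfd); return -1; }
    char buf[8] = {0};
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    int ok = (n == 3 && strcmp(buf, "hi\n") == 0);

    /* Escape attempts: both must be refused by the wrapper. */
    ok = ok && open_under(dfd, "../hello.txt", O_RDONLY) < 0;
    ok = ok && open_under(dfd, "/etc/passwd", O_RDONLY) < 0;
    close(dfd);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = demo(geteuid() == 0);
    printf("confined access %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

Run it as root to see the chroot branch: after drop_root_dir() the only way back into the tree is the dfd the process already holds, which is exactly the capability property the comment is after. As for the missing execat(): Linux later gained execveat(2) (since 3.19), and glibc's fexecve(3) wraps the same idea, so a fd can now name the program to run too.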


Posted Nov 2, 2007 15:09 UTC (Fri) by zooko (guest, #2589)

Your idea sounds like Adam Langley's master's thesis:

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds