DragonFly BSD
DragonFly kernel List (threaded) for 2003-07

Re: dynamic /bin /sbin


From: Robert Watson <rwatson@xxxxxxxxxxx>
Date: Fri, 25 Jul 2003 20:24:26 -0400 (EDT)

On Fri, 25 Jul 2003, Peter da Silva wrote:

> Robert Watson wrote:
> > In a system oriented more around light-weight IPC, isolating those
> > components makes a lot of sense to me.  However, one of the big problems I
> > keep bumping into in OS X, from a security perspective, is a lack of a
> > trustworthy IPC namespace -- this will likely keep biting them in various
> > forms.  Given the discussion here of improving the IPC infrastructure for
> > a more message-passing oriented system, I hope the benefits of a
> > hierarchal and security-aware IPC namespace won't be lost.  :-)
> 
> Ah yes, using native dragonfly syscall style messages to implement IPC
> via LWKT messages gives us a place to at least start dealing with the
> security aspects of these things. I don't want to have to start
> packaging cryptographic tokens with ALL messages to identify the owners:
> you should just be able to ask the OS "who owns this VM object I was
> just handed? Should I be writing SECRETSTUFF into it?".

Well, the problem I have specifically in mind is service discovery: one of
the nice things (yes, there are some) about UNIX domain sockets is that
they exist in a protected hierarchal namespace.  One of the problems that
exists in OS X is that services are looked up in a non-hierarchal
bootstrap namespace with few controls over use of the namespace.  If your
"foo" service provider dies, another process using the same namespace can
advertise the service.  One of the cool things about Mach is that you can
provide new namespaces wrapping old namespaces--one of the less cool
things about it is that you can't trust the namespace and that makes the
life of an application writer more difficult.

So, for example, if you use a name to rendezvous with your directory
service, you want to make sure you can ensure that name is properly
protected from inappropriate use.  A hierarchal namespace with permissions
of some sort is one way to do that, and might well make a good starting
point if you start with a UNIX base.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@xxxxxxxxxxxxxxxxx      Network Associates Laboratories
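Robert's point above is that a UNIX domain socket lives in a protected hierarchical namespace, so a client can check the rendezvous name before trusting it. The following is an added C example, not code from this thread: it verifies that the socket's parent directory and the socket itself belong to the expected uid and that nobody else can write the directory (which would let another process unlink the name and advertise its own service under it). The temporary directory, the name `svc` and the uid check are the example's own constructed assumptions; it uses only POSIX calls.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Is the rendezvous name `sockpath` protected from inappropriate use?  Parent
 * directory and socket must belong to `owner`, and nobody else may write the
 * directory.  Returns 0 if so, a distinct negative code per failed check. */
int check_rendezvous_path(const char *sockpath, uid_t owner)
{
    struct sockaddr_un sa;
    struct stat st;
    char dir[sizeof sa.sun_path], *slash = strrchr(sockpath, '/');

    if (slash == NULL || strlen(sockpath) >= sizeof dir)
        return -1;                            /* not a path, or too long */
    memcpy(dir, sockpath, slash - sockpath);
    dir[slash - sockpath] = '\0';             /* parent directory of the name */
    if (lstat(dir, &st) || !S_ISDIR(st.st_mode) || st.st_uid != owner)
        return -2;                            /* parent is not a directory we own */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -3;                            /* others could unlink and rebind the name */
    if (lstat(sockpath, &st) || !S_ISSOCK(st.st_mode) || st.st_uid != owner)
        return -4;                            /* name is not (or no longer) our socket */
    return 0;
}

/* Constructed scenario: a 0700 directory passes, a world-writable one is
 * rejected, a name whose service has died is rejected.  0 = all as expected. */
int demo_scenario(void)
{
    char dir[] = "/tmp/rendezvousXXXXXX", path[sizeof dir + 4];
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0 || mkdtemp(dir) == NULL || chmod(dir, 0700)) return 1;
    snprintf(path, sizeof path, "%s/svc", dir);
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa)) return 2;   /* advertise the service */
    if (check_rendezvous_path(path, getuid()) != 0) return 3;
    if (chmod(dir, 0777) || check_rendezvous_path(path, getuid()) != -3) return 4;
    chmod(dir, 0700); close(fd); unlink(path);                   /* the service dies */
    if (check_rendezvous_path(path, getuid()) != -4) return 5;
    rmdir(dir);
    return 0;
}
```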