From owner-freebsd-security@FreeBSD.ORG Thu Jul 17 08:10:56 2008
Date: Thu, 17 Jul 2008 08:54:31 +0100 (BST)
From: Robert Watson
To: Patrick Proniewski
Cc: Liste FreeBSD-security
Subject: Re: A new kind of security needed
In-Reply-To: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net>
Message-ID: <20080717085136.B87887@fledge.watson.org>
References: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net>

On Thu, 17 Jul 2008, Patrick Proniewski wrote:

>> Absolutely. Right now, I use different logins for different things (casual
>> web surfing, financial stuff, and work), but it's inconvenient and far from
>> foolproof.
>>
>> Capabilities or MAC systems could be used here -- someone just has to put
>> in the work to make it happen.
>
> What about sandbox/chroot? Apple has designed such a system for Mac OS X
> 10.5, and even if it's not fully functional now, it's probably interesting.

And, interestingly, the Mac OS X Sandbox parts are based on the TrustedBSD MAC
Framework that was first developed on FreeBSD and later ported to Mac OS X.
However, Sandbox is not open source, and does rely on the reliability of
pathnames, which on UFS (and even HFS+) is a bit of a tricky issue.

FWIW, I have some work in progress on the capability front, but it's a highly
complex issue that will take years to work through properly. Unfortunately,
the real issue isn't so much the OS primitives as building up a non-trivial
application base that uses them. Providing primitives to subdivide
applications isn't easy, but once you've done that you still have to rewrite
lots of applications to take advantage of it, and in a way that shows a lot
more application programmer discipline. It's not clear to me that the pressure
is there to make feature-driven application development for major desktop
applications adopt techniques of this sort.

Robert N M Watson
Computer Laboratory
University of Cambridge
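The two engineering points in the reply above, that a sandbox built on pathnames inherits the unreliability of pathnames, and that applications themselves have to be subdivided before OS primitives help, can be made concrete with a small privilege-separated program. The following C code is an added illustration and is not from the mailing-list post, from the TrustedBSD MAC Framework, or from Apple's Sandbox; it uses only plain POSIX (fork, pipe, setuid) rather than any capability API. The ambient part of the program resolves the pathname once, then hands the worker an open descriptor, so the worker never names a path at all; the uid/gid value 65534 used when dropping privileges is an assumption for the example.

```c
/* Added example: subdividing an application so that only a small worker
 * process handles untrusted input.  Plain POSIX; not the MAC Framework,
 * not Sandbox, not any capability API.  The parent resolves the pathname,
 * the worker only ever sees an already-open descriptor. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Work done inside the compartment: count newline bytes on an open
 * descriptor.  No pathname lookups happen here, so pathname reliability
 * is not this code's problem. */
static long count_lines_fd(int fd) {
    char buf[4096];
    long lines = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] == '\n') lines++;
    return n < 0 ? -1 : lines;
}

/* Drop ambient privilege in the worker.  Only does anything when the
 * process started as root; an unprivileged caller keeps its own ids.
 * Assumption: 65534 is an unprivileged uid/gid on the host. */
static int drop_privileges(void) {
    if (geteuid() != 0) return 0;
    if (setgid(65534) != 0) return -1;
    if (setuid(65534) != 0) return -1;
    return 0;
}

/* Ambient side: open the file by pathname, fork a worker that inherits
 * only that descriptor and one pipe end, collect the result over the
 * pipe.  Returns the line count, or -1 on any failure. */
long count_lines_sandboxed(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int pipefd[2];
    if (pipe(pipefd) != 0) { close(fd); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(fd); close(pipefd[0]); close(pipefd[1]); return -1; }
    if (pid == 0) {
        /* Worker: shed what it does not need before touching input. */
        close(pipefd[0]);
        close(STDIN_FILENO);
        if (drop_privileges() != 0) _exit(2);
        long result = count_lines_fd(fd);
        ssize_t w = write(pipefd[1], &result, sizeof result);
        _exit(w == (ssize_t)sizeof result ? 0 : 1);
    }
    /* Parent: give up its copy of the descriptor and wait for the answer. */
    close(pipefd[1]);
    close(fd);
    long result = -1;
    ssize_t r = read(pipefd[0], &result, sizeof result);
    close(pipefd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (r != (ssize_t)sizeof result || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return result;
}

/* Create a temporary file holding constructed sample text (three lines).
 * `path` must be a mkstemp template such as "/tmp/subdiv-XXXXXX" and is
 * updated in place with the chosen name.  Returns 0 on success. */
int write_constructed_sample(char *path) {
    static const char sample[] = "first line\nsecond line\nthird line\n";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t w = write(fd, sample, sizeof sample - 1);
    close(fd);
    return w == (ssize_t)(sizeof sample - 1) ? 0 : -1;
}

int main(void) {
    char path[] = "/tmp/subdiv-XXXXXX";
    if (write_constructed_sample(path) != 0) return 1;
    printf("lines counted inside worker: %ld\n", count_lines_sandboxed(path));
    unlink(path);
    return 0;
}
```

The point of the split is that the descriptor, not the pathname, is the unit of authority handed to the worker: whatever happens to the filesystem namespace after the parent's open call cannot change which object the worker reads. Rewriting a real application this way is exactly the per-program effort the reply says is the hard part.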