<div class="gmail_quote">2010/12/7 John Johansen <span dir="ltr"><<a href="mailto:john.johansen@canonical.com">john.johansen@canonical.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> On 12/06/2010 05:51 PM, <a href="mailto:fykcee1@gmail.com">fykcee1@gmail.com</a> wrote:<br> > 2010/12/7 John Johansen <<a href="mailto:john.johansen@canonical.com">john.johansen@canonical.com</a> <mailto:<a href="mailto:john.johansen@canonical.com">john.johansen@canonical.com</a>>><br> <br> The actual level of control has to be decided by the policy. You could just allow a few applications, or only applications that can live with in the rule set. If you are using more than one profile for a role then you will want to make sure all profiles are defined.<br> </blockquote><div>How to apply more than one profile to a role? </div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> Within the roles, inter role transitions are easy to control at the profile level. Eg. role A can transition to role B but not at the user level. ie. role A can transition to role B if the user is foo. This ability is coming it just hasn't hit yet. The goal has been get the base upstream and then getting the rest of the bits in place.<br> <br> If we are careful how we set this up, the user mappings can be shared by the profile and helper app, or pam module.<br></blockquote><div>Can I say we will have rules in profiles to describe:</div><div><ul><li>What role transition is permitted?</li> <li>Mapping user to roles.</li></ul><div><br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> 2. Just because a profile has been removed does not mean that is memory is immediately freed, profiles are reference counted and there may be references from kernel objects other than tasks that pin the profile in memory for a while after it has been removed.<br> </blockquote><div>Say if a program terminates, does it have any chance that the profile only for this program is automatically removed by kernel (i.e. the profile's reference count reaches 0)? If yes, will the kernel load the profile automatically when the program reruns?</div> <div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"> Sandboxing is an interesting problem, and yes you can do it per application or, have more generic sandboxes. It is something I have tinkered with but we haven't been able to provide the frame work yet to make it easy. This will come, but it will follow the next round of kernel patches.<br> </blockquote><div>I'm just thinking a sandbox model: each package installed in its own directory(something like nix package manager system). e.g. for firefox, installed at:</div><div><ul><li>/pkg/com.mozilla.firefox/bin/firefox</li> <li><meta http-equiv="content-type" content="text/html; charset=utf-8">/pkg/com.mozilla.firefox/lib/components/libbrowsercomps.so</li><li>...</li></ul><div>A program will freely access resources in its own directory, something like(for each in /pkg/*/bin/*):</div> </div><div>generic_sandbox_rules {</div><div> # SELF_DIR should point to /pkg/foo/bin/bar, I don't know whether we have such a <meta http-equiv="content-type" content="text/html; charset=utf-8">implicit variable currently, sorry.</div> <div> @{SELF_DIR}/../** rwxm</div><div>}</div></div><br>To access external resources(Dynamic link to libc, etc), the program needs extra rules:<div><ul><li>Include libraries's profiles</li><li>Add its own profile (e.g. requires socket )</li> </ul><div><br><div><br></div><div><br></div><div><br>-- <br>Regards,<div><br><div>- cee1</div></div><br> </div></div></div>