Introduction
This project will extend the existing Process Rights Management infrastructure in Solaris so that specified objects can be associated with individual privileges. The current Solaris privilege model does not allow one
to express policy requirements such as:
- only allow binding to port 80/tcp
only allow read access to file foo*
- only allow write access under $HOME/.mozilla
This project will support additional,
otherwise privileged operations, in a restricted manner, according to
a configurable policy. It should be compatible with current Solaris policies;
applications which assert specific privileges will continue to
work.
It should be possible to leverage the resulting policy
exception mechanism through the Service Management Facility by specifying the policy
in a service's manifest. Additionally, we plan to provide a mechanism
to "sandbox" applications running under user accounts,
by first removing ``basic'' privileges and then granting
them on a case-by-case basis. To this end, the set
of basic privileges may need to grow to include binding
to any network port, modifying any filesystem object, etc.
As part of this project, we will also take a closer look at
the implementation of profile shells in order to address
some of their deficiencies:
- the requirement to add profile shell support code to every shell
- the inability to run internal commands as profiled commands or to add additional privileges to file redirects in profile shells.
The intent is to be able to express, via a process attribute,
that execution of child processes is subject to applicable rights profiles,
rather than relying on modified shells.