Fine Grained Access Policy (FGAP)

Introduction

This project will extend the existing Process Rights Management infrastructure in Solaris so that specified objects can be associated with individual privileges. The current Solaris privilege model does not allow one
 to express policy requirements such as:

• only allow binding to port 80/tcp

 only allow read access to file foo*

• only allow write access under $HOME/.mozilla

This project will support additional,
otherwise privileged operations, in a restricted manner, according to
a configurable policy.  It should be compatible with current Solaris policies;
applications which assert specific privileges will continue to
work.

 It should be possible to leverage the resulting policy
 exception mechanism through the Service Management Facility by specifying the policy
 in a service's manifest. Additionally, we plan to provide a mechanism
 to "sandbox" applications running under user accounts,
 by first removing ``basic'' privileges and then granting
 them on a case-by-case basis.  To this end, the set
 of basic privileges may need to grow to include binding
 to any network port, modifying any filesystem object, etc.

 As part of this project, we will also take a closer look at
 the implementation of profile shells in order to address
 some of their deficiencies:

• the requirement to add profile shell support code to every shell

• the inability to run internal commands as profiled commands or to add additional privileges to file redirects in profile shells.

 The intent is to be able to express, via a process attribute,
 that execution of child processes is subject to applicable rights profiles,
 rather than relying on modified shells.