flowpriv

This is different from "capabilities" because it does not deal with elevated privileges. Files are never given specific privileges, but may only drop those that are by default bestowed upon them. Additionally, "capabilities" do not offer the sort of privilege resignation that flowpriv does.

It's also different from systrace in that it does not burden the system administrator, but the programmer. Programmers may modify their software to drop privileges when they are no longer needed, and they may design their programs to use restricted environments more effectively. Just as some programmers use chroot(2) and setuid(2) services, so may they use this privilege interface. This enables a program to lean further towards the idea of "secure by default", rather than "secure by much learned effort".

implementation

Other modifications (i.e. privilege checks) will be added to individual functions, requiring that this be a patch, not a module. The reasoning here is as follows.

Firstly, simple variable checks within each function will execute faster than calling a separate function and passing the necessary data. All local variables are readily available as necessary; if one wishes to block writable open calls, there need not be a specialized argument for passing function call flags (which would then need to be cast to a function-specific structure). Doing so would add unnecessary complexity and waste cpu cycles. Inline privilege checking should yield an extremely small performance footprint.

Secondly, offering this as a module would be counterproductive. Programmers will be less likely to adopt and use this new interface, and it would never become widespread. If it goes unused, none are worse; if it's used effectively, everyone benefits. That's not to say it shouldn't be a compile-time option, but i believe the compile-time option should be something akin to "options NOFLOWPRIV" instead of "options FLOWPRIV".

supported operating systems

There is a proof-of-concept patch available here. This patch is for the FreeBSD 5.1-RELEASE-p2 kernel, which is currently available via CVSup as RELENG_5_1. In this patch, the creation of regular files is restricted.

Any statement of design herein may be challenged. Nothing is yet static.

programming notes and questions

• Privilege additions to the proc structure will be present within every process on the system. The smaller the memory footprint, the better. Function flags should be bits, not characters or integers. The resultant increase in proc structure size is estimated at approximately four bytes.
• The interface should be based on classification, not functions. Kernel functions are not portable; classifications are. An example of a classification would be the equivalent of "drop mode-changing permissions", potentially affecting chmod, chflags, fchflags, and fchmod.
• How granular should classifications be? [e.g. "drop mode-changing permissions for files that are not currently open", affecting chmod and chflags, but not fchmod or fchflags.]
• Should functions that are only accessible to root be included? This would be useful if, say, a process needed to keep root privileges for some reason, but wanted to relinquish certain tasks. Similar functionality is already covered with "capabilities", but including it here would create a uniform interface.
• Currently, the plan is to patch 5.1-CURRENT. However, patching 5.1-RELEASE would enable a number of users to keep a synchronized kernel version somewhat more easily, so that patch testing can work more smoothly. The nature of this patch would allow later porting to the -CURRENT branch relatively painlessly. For these reasons, working against 5.1-RELEASE may be more desirable.
• While i have already made a number of preliminary design decisions, i have not yet put them all on tap. They will be discussed on the flowpriv mailing list, and will be added subsequently.