[olpc-nz] Fwd: [Sugar-devel] ANN: rainbow-0.8.5 release.

Martin Langhoff martin.langhoff at gmail.com
Mon Nov 30 05:05:06 EST 2009 

Hi NZers, BAers, Ghent'ers, all!

Michael Stone has been putting a lot of work into improving Rainbow,
the security isolation tool that we had in our OSs.

He is very keen on OLPC including this into the builds, but we don't
know whether it works, what rough edges it has, in short, how mature
it is, and how much work it'll take to include it.

Michael is hoping to see more feedback from testers (and OLPC is
hoping the same, as we're flat out finishing F11/XO-1.5...).

How to test? I'd suggest a start would be:

- Grab 2 XOs with the same F11 build (XO-1s with OS8 or the promised
OS10 will do).

- On one, install Rainbow as per the instructions
http://wiki.laptop.org/go/Rainbow/Installation_Instructions - grab the
latest source, as it's new from 2 days ago...

- Go through a smoketest with both, log the differences -- does
anything break in the Rainbow'd machine?

- Pester Michael with questions, congratulations, bugreports, etc...

Be kind, Michael is doing this on his own time, because he cares about
OLPC shipping with a good isolation tool.

cheers,



m

---------- Forwarded message ----------
From: Michael Stone <michael.r.stone at gmail.com>
Date: Sun, Nov 29, 2009 at 2:44 PM
Subject: Re: [Sugar-devel] ANN: rainbow-0.8.5 release.
To: Martin Langhoff <martin.langhoff at gmail.com>


On 11/29/09, Martin Langhoff <martin.langhoff at gmail.com> wrote:
> On Sun, Nov 29, 2009 at 12:27 AM, Michael Stone <michael at laptop.org> wrote:
>> This release was made possible by encouragement from Fabian Affolter, Luke
>> Faraone, Martin Langhoff, and my friends at sandboxing.org.
>
> Congrats on the release. You`re quite a character :)

You're a fine one to talk. :)

> Ok -- to ask something useful. If there was someone interested in
> re-integrating rainbow into the stack, beyond the obvious of packaging
> the latest release, what does the job look like?
>
> - an init script needs to be enabled?

No init scripts needed (yet) -- this is a pure exec-chain.

> - nss config

Yup, but that's a two-line sed script. (Maybe guarded by a one-line grep).

> - enabling something in sugar / reverting some patches?

See the "sugar+rainbow" section at the bottom of
http://wiki.laptop.org/go/Rainbow/Installation_Instructions. I haven't
tested these instructions since the cited sugar patches were merged a
few months back (though some six months after they were written!) so
they may have bitrotted a little bit. However, they shouldn't be too
hard to fix up. I expect that the biggest change will be the
additional one-line patch will be needed to add the "-o network"
option but that shouldn't be a big deal.

> - working through Sugar activities that may not be doing things in
> rainbow-compatible ways?

Yup, though this should be less effort than last time around, both due
to activities being cast from a different mold this year and due to
rainbow imposing fewer requirements than before.

> - other steps before it`s in a reasonable-enough shape to work?

Mostly depends on how you want to deal with the configuration changes
that are necessary to permit isolated activities to use D-Bus, GConf,
etc. After that, getting to the point where most activities launch is
fairly straightforward. Testing and fixing them is a bit more work but
we have a good database of what has broken in the past. Finally, we
would need to either revive the rainbow-gc garbage collection script
(not too hard; just haven't needed it yet myself) or to teach Sugar to
keep track of containers and to pass the "-r <uid>" option when it
wants to resume the activity contained by <uid>.

Questions?

Michael



-- 
 martin.langhoff at gmail.com
 martin at laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff

More information about the olpc-nz mailing list