New toy: plash

I've been spending a bit of time playing with PLASH. Plash is a shell which grants the programs it runs access only to certain files. For example:

$ cat text

Because text appears on the command line, the cat command is given read access to it (and nothing else). To get write access, you put => before the filename:

$ rm text
/bin/rm: cannot remove `text': Permission denied
$ rm => text
$

You can also give a process access to a file (or directory structure) without also passing its name as an argument. List such files after +, e.g.:

$ make 'all' + => .

all is quoted because it's not a filename. Here, we give make write access to the current directory (and any subdirectories).
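To make the rules above concrete, here is an added model of how a Plash command line maps to an argv plus read and write grants. This is example code written for this explanation, not Plash's own parser: the tokenizer is a plain whitespace split (no spaces inside quotes), treating words that begin with "-" as options rather than filenames is an assumption drawn from the rox -n example later in the post, and a word after => is recorded as write-granted exactly as stated here, with no assumption that write implies read.

```python
# Added example: a model of the access rules this post describes for Plash
# command lines. It is not Plash's own parser; it only applies the rules as
# stated: unquoted words are filenames and grant read access, a word preceded
# by "=>" gets write access instead, words after "+" grant access without
# being passed as arguments, and quoted words are plain arguments.
# Treating words that start with "-" as options rather than files is an
# assumption taken from the "rox -n" example in the post.
from dataclasses import dataclass, field


@dataclass
class Grants:
    argv: list                                  # what the program actually receives
    read: set = field(default_factory=set)      # files opened read-only
    write: set = field(default_factory=set)     # files opened for writing


def _unquote(tok):
    """Return (word, was_quoted) for one whitespace-separated token."""
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
        return tok[1:-1], True
    return tok, False


def parse_plash_command(line):
    """Compute argv plus the read and write grants for a Plash-style line."""
    tokens = line.split()          # simplification: no whitespace inside quotes
    if not tokens:
        raise ValueError("empty command line")
    grants = Grants(argv=[tokens[0]])
    after_plus = False             # past "+": grants only, nothing added to argv
    write_next = False             # saw "=>": the next filename gets write access
    for tok in tokens[1:]:
        if tok == "+":
            after_plus = True
            continue
        if tok == "=>":
            write_next = True
            continue
        word, quoted = _unquote(tok)
        is_file = not quoted and not word.startswith("-")
        if write_next and not is_file:
            raise ValueError(f"'=>' must be followed by a filename, got {tok!r}")
        if not after_plus:
            grants.argv.append(word)
        if is_file:
            (grants.write if write_next else grants.read).add(word)
        write_next = False
    if write_next:
        raise ValueError("'=>' at end of command line")
    return grants


def explain(line):
    """Human-readable summary, useful for checking a command before running it."""
    g = parse_plash_command(line)
    return (f"argv={g.argv} read-only={sorted(g.read)} "
            f"writable={sorted(g.write)}")


if __name__ == "__main__":
    for cmd in ("cat text", "rm => text", "make 'all' + => .",
                "rox -n + .cache ~/.Xauthority .config .icons Projects => /tmp"):
        print(f"{cmd:<62} -> {explain(cmd)}")
```

Running the module prints, for each of the post's example lines, what the program would see and what it could touch; a dangling => or a quoted word after => is rejected rather than silently granting nothing.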

The implementation is rather clever. It runs each process under a new, randomly chosen temporary UID (so processes can't send signals such as KILL to each other) and in a chroot jail containing just a copy of the dynamic linker. All files are opened using a modified libc, which requests them over a socket from a controlling process; that process can implement whatever filesystem namespace it likes.
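The socket-to-controlling-process design is the interesting part, so here is an added toy of that mechanism, not code from Plash: a controlling thread holds the policy and hands out file descriptors over a Unix socket with SCM_RIGHTS, so the confined side never opens a path itself and can only ever hold descriptors the controller chose to give it. The wire format (path, NUL, mode), the policy dictionary and the constructed files are assumptions made for the example.

```python
# Added example: a toy version of the mechanism described above, not Plash's
# code. A "controlling process" (here just a thread) holds the policy and
# answers open() requests over a Unix socket, handing back file descriptors
# with SCM_RIGHTS; the confined side never calls open() on a path itself.
# The request format (path NUL mode) and the policy dict are assumptions.
import array
import os
import socket
import tempfile
import threading


def serve_opens(sock, policy):
    """Controlling side: policy maps path -> allowed modes ("r", "w" or "rw")."""
    while True:
        data = sock.recv(4096)
        if not data:                      # peer closed: done
            return
        path, mode = data.decode().split("\0", 1)
        if mode not in ("r", "w") or mode not in policy.get(path, ""):
            sock.sendmsg([b"EACCES"])     # not in the namespace this process was given
            continue
        flags = os.O_RDONLY if mode == "r" else os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        try:
            fd = os.open(path, flags, 0o600)
        except OSError as e:
            sock.sendmsg([b"ERR " + (e.strerror or "open failed").encode()])
            continue
        # Pass the descriptor itself; the receiver gets its own copy of it.
        sock.sendmsg([b"OK"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                                array.array("i", [fd]))])
        os.close(fd)


def brokered_open(sock, path, mode):
    """Confined side: ask the controller for a descriptor instead of calling open()."""
    sock.sendall(f"{path}\0{mode}".encode())
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(256, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(cdata[:len(cdata) - (len(cdata) % fds.itemsize)])
    if msg == b"EACCES":
        raise PermissionError(f"{path}: not granted for mode {mode!r}")
    if msg != b"OK" or not fds:
        raise OSError(msg.decode(errors="replace"))
    return fds[0]


def run_demo():
    """Constructed scenario: one readable file, one secret, one writable path."""
    tmp = tempfile.mkdtemp()
    text, secret, out = (os.path.join(tmp, n) for n in ("text", "secret", "out"))
    with open(text, "w") as f:
        f.write("hello\n")
    with open(secret, "w") as f:
        f.write("do not leak\n")
    policy = {text: "r", out: "w"}        # roughly what "cat text + => out" would grant

    ctl, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    controller = threading.Thread(target=serve_opens, args=(ctl, policy))
    controller.start()

    results = {}
    fd = brokered_open(client, text, "r")          # granted: read-only
    results["text"] = os.read(fd, 64)
    os.close(fd)
    for label, path, mode in (("secret", secret, "r"), ("text_write", text, "w")):
        try:                                       # not granted: controller refuses
            os.close(brokered_open(client, path, mode))
            results[label] = "opened"
        except PermissionError:
            results[label] = "denied"
    fd = brokered_open(client, out, "w")           # granted: write
    os.write(fd, b"written via broker\n")
    os.close(fd)
    with open(out, "rb") as f:
        results["out"] = f.read()

    client.close()                                 # controller's recv() returns b""
    controller.join()
    ctl.close()
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

The point to notice is that the confined side's only capability is the socket: it can ask, but the decision and the actual open() happen on the controller's side, so a compromised program cannot reach a file it was not handed, and the policy can be anything the controller wants (a renamed or virtual namespace, not just a subset of the real one).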

Although it seems a bit buggy (see my list postings above) it has lots of promise. I'm surprised at how little interest it seems to have generated (the plash list archives are nearly empty). If they can just manage to secure X (not easy), it would also make an ideal sandbox layer for Zero Install. Dragging a file from ROX-Filer to an application would grant it read access on that file. Dragging the other way would grant it write access.

You can already run ROX-Filer using Plash and Zero Install:

$ rox -n + .cache ~/.Xauthority .config .icons Projects => /tmp

Here, ROX-Filer can only see my Projects directory and some standard files included by default (all read-only):

[Screenshot: Running ROX-Filer with Plash]

Attempting to delete anything (even from my home directory) will result in a 'Permission Denied' error, because I didn't use =>.

To actually be secure this would require more work: the restricted copy shown above has a connection to the X server, so it can send a SOAP message to the main filer process telling it to delete everything! Also, I need to allow 0launch write access to the cache without also giving the program it runs access (looks like this is possible using 'executable-objects'). Cool stuff, even in its current state, though!