Plash: tools for practical least privilege
2007/02/26: There is now a wiki for Plash: http://plash.beasts.org/wiki/. Documentation from this site is being gradually moved there.
Plash is a system for sandboxing GNU/Linux programs. Plash's aim is to protect you from the programs you run by letting you run them with the minimum authority and privileges they need do do their job -- this is the Principle of Least Authority (POLA). Plash can run programs in a secure, restricted execution environment with access to a limited subset of your files.
Plash can be used to run servers, command line tools, and applications with graphical user interfaces:
Plash virtualizes the file namespace, and provides per-process/per-sandbox namespaces. Plash grants access to files by mapping them into otherwise empty namespaces. This allows for fine-grained control over dependencies: You can link a program with specific versions of dynamic libraries by mapping individual files; or you can just map the whole /usr directory into the program's namespace.
Plash provides two main interfaces for granting access rights to sandboxed processes:
pola-shell is another way to launch sandboxed programs. It is a shell with syntax similar to the Bourne shell or Bash. It lacks many scripting features so is intended for interactive use only.
Plash's sandboxing mechanism works on unmodified Linux kernels (2.6, 2.4 and earlier) and can run normal Linux executables, provided they are dynamically linked.
Sandboxed processes do not use the kernel's filename-based system calls, such as "open". Plash effectively disables these system calls by putting the sandboxed process in a very minimal chroot() jail. (It also gives the sandboxed process a unique, dynamically-allocated UID and GID.)
Instead, a sandboxed process accesses the filesystem by making remote procedure calls (RPCs) across a socket to a server process. To open a file, the sandboxed process sends an "open" request containing the filename. The server process can send a file descriptor for a file across the socket in response.
Plash dynamically links sandboxed programs with a modified version of GNU libc (glibc), which replaces the filename-related calls (such as open()) so that they make RPCs across the socket instead of using the usual system calls. (See the table of glibc calls to see which functions are affected.)
In most cases this does not seriously affect performance because the most frequently called system calls, such as read() and write(), are not affected. Once a sandboxed program has opened a file and obtained a file descriptor for it, there is no further mediation by the server process, and it can use the normal system calls on the file descriptor.
See the architecture section for more details.
There is a mailing list for Plash, for announcements and general discussion. You can subscribe through the mailing list page, or by e-mailing email@example.com with "subscribe" in the subject line.
Another way to be notified of new releases is to subscribe to the project on its Freshmeat page.
Plash is strongly influenced by systems that use capability-based security. Plash itself uses a capability architecture, and the idea of a powerbox user interface comes from the same tradition.
There are two other existing systems that implement file powerboxes:
The powerbox concept appears to have first been proposed by Ka-Ping Yee and Miriam Walker in Interaction Design for End User Security (December 2000).
Plash has been influenced by the EROS operating system, a research system which is now being developed under the name CapROS. EROS is based on KeyKOS, which was proprietary. A successor to EROS is being designed, called Coyotos. Like EROS, Coyotos will be free software.
These additions are planned for the future:
Plash is free software, distributed under the GNU Lesser General Public Licence.