Language Selection

English French German Italian Portuguese Spanish

Compartmentalized computing with CLIP OS

Filed under
OS
Gentoo

The design of CLIP OS 5 includes three elements: a bootloader, a core system, and the cages. The system uses secure boot with signed binaries. Only the x86 architecture was supported in the previous versions, and there are no other architectures in the plan for now. The core system is based on Hardened Gentoo. Finally, the cages provide user sessions, with applications and documents.

Processes running in separate cages cannot communicate directly. Instead, they must pass messages using special services on the core system; these services are unprivileged and confined on the cage system, but privileged on the core. These communication paths are shown in this architecture diagram from the documentation. Cages are also isolated from the core system itself — all interactions (system calls, for example) are checked and go through mediation services. The isolation between applications will be using containers, and the team plans to use the Flatpak format. The details of the CLIP OS 5 implementation are not available yet, as this feature is planned for the stable release.

A specific Linux security module (LSM) inspired from Linux-VServer will be used to add additional isolation between the cages, and between the cages and the core system. Linux-VServer is a virtual private server implementation designed for web hosting. It implements partitioning of a computer system in terms of CPU time, memory, the filesystem, and network addressing into security contexts. Starting and stopping a new virtual server corresponds to setting up and tearing down a security context.

Read more

More in Tux Machines

Best Audio Editors For Linux

You’ve got a lot of choices when it comes to audio editors for Linux. No matter whether you are a professional music producer or just learning to create awesome music, the audio editors will always come in handy. Well, for professional-grade usage, a DAW (Digital Audio Workstation) is always recommended. However, not everyone needs all the functionalities, so you should know about some of the most simple audio editors as well. In this article, we will talk about a couple of DAWs and basic audio editors which are available as free and open source solutions for Linux and (probably) for other operating systems. Read more

600 days of postmarketOS

postmarketOS is aiming for a ten year life-cycle for smartphones, see the all new front page for a short introduction if you are new around here. Today we'll cover what happened during the second half of 2018. Many have been wondering where we've been and why it took us so long to write a real update post. Is the project dead already? Weren't phone calls almost working? What happened? Development has been going on continuously, so we are not dead. Maybe a little undead though, like some of the old and forgotten phones we are trying to revive, because we have not really gotten any closer to the goal of getting telephony working or turning a phone into a daily driver. The Nexus 5, while booting mainline with accelerated graphics and connecting to the cellular modem all with a free software userspace, still does not have working audio. That is one example, other devices have different problems. However, we have not been sitting idle and doing nothing these past few months! Read more Also: Google hands out roses to preferred Android MDM vendors

Essential System Tools: Krusader – KDE file manager

This is the latest in our series of articles highlighting essential system tools. These are small, indispensable utilities, useful for system administrators as well as regular users of Linux based systems. The series examines both graphical and text based open source utilities. For this article, we’ll look at Krusader, a free and open source graphical file manager. For details of all tools in this series, please check the table at the summary page of this article. Krusader is an advanced, twin-panel (commander-style) file manager designed for KDE Plasma. Krusader also runs on other popular Linux desktop environments such as GNOME. Besides comprehensive file management features, Krusader is almost completely customizable, fast, seamlessly handles archives, and offers a huge feature set. Read more

Android Leftovers