Navigation

Language Selection

Search

Compartmentalized computing with CLIP OS

Submitted by Roy Schestowitz on Thursday 8th of November 2018 07:22:34 PM Filed under

OS
Gentoo

The design of CLIP OS 5 includes three elements: a bootloader, a core system, and the cages. The system uses secure boot with signed binaries. Only the x86 architecture was supported in the previous versions, and there are no other architectures in the plan for now. The core system is based on Hardened Gentoo. Finally, the cages provide user sessions, with applications and documents.

Processes running in separate cages cannot communicate directly. Instead, they must pass messages using special services on the core system; these services are unprivileged and confined on the cage system, but privileged on the core. These communication paths are shown in this architecture diagram from the documentation. Cages are also isolated from the core system itself — all interactions (system calls, for example) are checked and go through mediation services. The isolation between applications will be using containers, and the team plans to use the Flatpak format. The details of the CLIP OS 5 implementation are not available yet, as this feature is planned for the stable release.

A specific Linux security module (LSM) inspired from Linux-VServer will be used to add additional isolation between the cages, and between the cages and the core system. Linux-VServer is a virtual private server implementation designed for web hosting. It implements partitioning of a computer system in terms of CPU time, memory, the filesystem, and network addressing into security contexts. Starting and stopping a new virtual server corresponds to setting up and tearing down a security context.

Login or register to post comments
Printer-friendly version
1786 reads
PDF version

More in Tux Machines

Tails 3.11 and Tor Transparency (Financials)

Tails 3.11 is out
[Tor] Transparency, Openness, and Our 2016 and 2017 Financials

After completing a standard audit for 2016, our 2016 federal tax filings and audit, along with our 2017 federal tax filings, are available. We publish all of our related tax documents because we believe in transparency.

The Year 2018 in Open Hardware and MIT's 3D Printer

The Year 2018 in Open Hardware

2018 saw several open hardware projects reach fruition. Where the open hardware movement goes from here, remains to be seen. 2018 was not “The Year of Open Hardware,” any more than it was the fabled “Year of the Linux Desktop.” All the same, 2018 was a year in which open hardware projects started to move from fundraising and project development to product releases. Many of these open products were traditional hardware, but 2018 also saw the release of innovative tech in the form of new and useful gadgets. In the background, open hardware hangs on to traditional niches. These niches occur at the intersection of altruism, hobbyists, academia, and the market, to say nothing of crowdfunding and the relative affordability of 3D printing. A prime example of this intersection is the development of prosthetics. Much of the modern work in open hardware began almost a decade ago with the Yale OpenHand project. At the same time, sites like Hackaday.io offer kits and specifications for hobbyists, while the e-NABLE site has become a place for exchanging ideas for everyone from tinkerers to working professionals in the field. As a result, open hardware technology in the field of prosthetics has grown to rival traditional manufacturers in a handful of years. This niche is a natural one for open hardware not only because of the freely available resources, but for simple economics. Traditionally manufactured prosthetic hands begin at about $30,000, far beyond the budgets of many potential customers. By contrast, an open hardware-based company like the UK based Open Bionics can design a cosmetically-pleasing hand for $200, which is still a large sum in impoverished areas, but far more obtainable. A non-profit called Social Hardware estimates that a need for prosthetic hands in India alone numbers 26,000 and hopes to help meet the demand by offering a development kit on which enthusiasts can learn and later donate their results to those who need them.
This MIT Developed 3D Printer Is 10 Times Faster Than Modern 3D Printers

3D printers have become more and more useful in the mass production of complex products that are cheaper and stronger. However, the only issue with 3D printing is its slow speed. These desktop 3D printers can print only one product at a time and only one thin layer at a making.
Accelerating 3-D printing

Imagine a world in which objects could be fabricated in minutes and customized to the task at hand. An inventor with an idea for a new product could develop a prototype for testing while on a coffee break. A company could mass-produce parts and products, even complex ones, without being tied down to part-specific tooling and machines that can’t be moved. A surgeon could get a bespoke replacement knee for a patient without leaving the operating theater. And a repair person could identify a faulty part and fabricate a new one on site — no need to go to a warehouse to get something out of inventory.

FreeBSD 12.0, FreeNAS 11.2 and DNSSEC enabled in default unbound(8) configuration

FreeBSD 12.0-RELEASE Announcement

The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 12.0-RELEASE. This is the first release of the stable/12 branch.
FreeNAS® 11.2 Release Brings New Web Interface, Virtualization, and Security Features To The World’s Number One Software-Defined Storage
DNSSEC enabled in default unbound(8) configuration

Programming: Linux Direct Rendering Manger Subsystem, Python, QtCreator CMake, Rust and More

The Linux Direct Rendering Manger Subsystem Poised To Have A Second Maintainer

For hopefully helping out with code reviews and getting code staged in a timely manner before being upstreamed to the mainline Linux kernel, Daniel Vetter of the Intel Open-Source Technology Center is set to become a co-maintainer. Daniel Vetter who has been with Intel OTC for a number of years working on their Linux graphics driver has proposed becoming a DRM co-maintainer, "MAINTAINERS: Daniel for drm co-maintainer...lkml and Linus gained a CoC, and it's serious this time. Which means my [number one] reason for declining to officially step up as drm maintainer is gone, and I didn't find any new good excuse."
Discovering the pathlib module

The Python Standard Library is like a gold mine, and the pathlib module is really a gem.
QtCreator CMake for Android plugin

It’s about QtCreator CMake for Android! I know it’s a strange coincidence between this article and The Qt Company’s decision to ditch QBS and use CMake for Qt 6, but I swear I started to work on this project *before* they announced it ! This plugin enables painless experience when you want to create Android apps using Qt, CMake and QtCreator. It’s almost as easy as Android Qmake QtCreator plugin! The user will build, run & debug Qt on Android Apps as easy as it does with Qmake.
Testing Your Code with Python's pytest, Part II
Top Tips For Aspiring Web Developers

As we’re a portal geared towards open-source development, we’re naturally going to bang the drum about the benefits of getting involved in open-source projects. There are so many fantastic open-source projects that are still going strong today – WordPress, Android and even Ubuntu/Linux to name but a few. Open source projects will give you direct hands-on experience, allowing you to build your own portfolio of work and network with other like-minded developers too.
Announcing Rust 1.31 and Rust 2018

The Rust team is happy to announce a new version of Rust, 1.31.0, and "Rust 2018" as well. Rust is a programming language that empowers everyone to build reliable and efficient software.
A call for Rust 2019 Roadmap blog posts

It's almost 2019! As such, the Rust team needs to create a roadmap for Rust's development next year.
Processing CloudEvents with Eclipse Vert.x

Our connected world is full of events that are triggered or received by different software services. One of the big issues is that event publishers tend to describe events differently and in ways that are mostly incompatible with each other. To address this, the Serverless Working Group from the Cloud Native Computing Foundation (CNCF) recently announced version 0.2 of the CloudEvents specification. The specification aims to describe event data in a common, standardized way. To some degree, a CloudEvent is an abstract envelope with some specified attributes that describe a concrete event and its data.

Latest News

today's leftovers

Director v1.6.0 is available

Icinga Director v1.6.0 has been released with Multi-Instance Support, Configuration Baskets and improved Health Checks. We’re excited to announce new features that will help you to work more efficiently.
Fedora Looks To Build Firefox With Clang For Better Performance & Compilation Speed

Following the move by upstream Mozilla in switching their Linux builds of Firefox from being compiled by GCC to LLVM Clang, Fedora is planning the same transition of compilers in the name of compilation speed and resulting performance. FESCo Ticket 2020 laid out the case, "Mozilla upstream switches from gcc to clang and we're going to follow upstream here due to clang performance, maintenance costs and compilation speed. Tom Stellard (clang maintainer) has asked me to file this ticket to comply with Fedora processes."
Work in progress: PHP stack for EL-8
Sandwich-style SBC offers four 10GbE SFP+ ports

SolidRun’s “ClearFog CX 8K” SBC is built around a “CEx7 A8040” COM Express Type 7 module that runs Linux on a quad -A72 Armada A8040. Features include 4x 10GbE SFP+ ports and mini-PCIe, M.2, and SATA expansion. In August, SolidRun updated its ClearFog line of Linux-driven router boards with a high-end ClearFog GT 8K SBC with the same 2GHz, quad-core, Cortex-A72 Marvell Armada A8040 SoC found on its MacchiatoBIN Double Shot Mini-ITX board. Now, the company has returned to the headless (no graphics) Armada A8040 with the ClearFog CX 8K. [..] It’s rare to see an Arm-based Type 7 module.
Watch Out: Clicking “Check for Updates” Still Installs Unstable Updates on Windows 10

Microsoft hasn’t learned its lesson. If you click the “Check for Updates” button in the Settings app, Microsoft still considers you a “seeker” and will give you “preview” updates that haven’t gone through the normal testing process. This problem came to everyone’s attention with the release of the October 2018 Update. It was pulled for deleting people’s files, but anyone who clicked “Check for Updates” in the first few days effectively signed up as a tester and got the buggy update. The “Check for Updates” button apparently means “Please install potentially updates that haven’t gone through a normal testing process.”

OSS Leftovers

DAV1D v0.1 AV1 Video Decoder Released

Out today is DAV1D as the first official (v0.1) release of this leading open-source AV1 video decoder. This release was decided since its quality is good enough for use, covers all AV1 specs and features, and is quite fast on desktop class hardware and improving for mobile SoCs.
PikcioChain plans for open-source MainNet in roadmap update

France-based PikcioChain, a platform designed to handle and monetize personal data, has announced changes to its development roadmap as it looks towards the launch of its standalone MainNet and block explorer in the first quarter of 2019.
New Blockstream Bitcoin Block Explorer Announces The Release Of Its Open Source Code Esplora

Blockstream has just announced a release of Esplora, its open source software. This is the software that keeps the website and network running. This new release follows on the heels of its block explorer that was released in November to the public. The company released the block explorer, and after making sure it was successful, released the code behind that block explorer. This way, developers can easily create their block explorers, build add-ons and extensions as well as contribute to Blockstream.info.
Will Concerns Break Open Source Containers?

Open source containers, which isolate applications from the host system, appear to be gaining traction with IT professionals in the U.S. defense community. But for all their benefits, security remains a notable Achilles’ heel for a couple of reasons. First, containers are still fairly nascent, and many administrators are not yet completely familiar with their capabilities. It’s difficult to secure something you don’t completely understand. Second, containers are designed in a way that hampers visibility. This lack of visibility can make securing containers extremely taxing.
Huawei, RoboSense join group pushing open-source autonomous driving technology

Telecommunications equipment giant Huawei Technologies, its semiconductor subsidiary HiSilicon and RoboSense, a maker of lidar sensors used in driverless cars, have become the first Chinese companies to help establish an international non-profit group that supports open-source autonomous driving projects. The three firms are among the more than 20 founding members of the Autoware Foundation, which aims to promote collaboration between corporate and academic research efforts in autonomous driving technology, according to a statement from the group on Monday. The foundation is an outgrowth of Autoware.AI, an open-source autonomous driving platform that was started by Nagoya University associate professor Shinpei Kato in 2015.
40 top Linux and open source conferences in 2019

Every year Opensource.com editors, writers, and readers attend open source-related conference and events hosted around the world. As we started planning our 2019 schedules, we rounded up a few top picks for the year. Which conferences do you plan to attend in 2019? If you don't see your conference on this list, be sure to tell us about it in the comments and add it to our community conference calendar. (And for more events to attend, check out The Enterprisers Project list of business leadership conferences worth exploring in 2019.)
Adding graphics to the Windows System for Linux [Ed: CBS is still employing loads of Microsoft boosters like Simon Bisson, to whom "Linux" is just something for Microsoft to swallow]/
Kong launches its fully managed API platform [Ed: Typical openwashing of APIs, even using the term "open source" where it clearly does not belong]g
How Shared, Open Data Can Help Us Better Overcome Disasters

WHEN A MASSIVE earthquake and tsunami hit the eastern coast of Japan on March 11, 2011, the Fukushima Daiichi Nuclear Power Plant failed, leaking radioactive material into the atmosphere and water. People around the country as well as others with family and friends in Japan were, understandably, concerned about radiation levels—but there was no easy way for them to get that information. I was part of a small group of volunteers who came together to start a nonprofit organization, Safecast, to design, build, and deploy Geiger counters and a website that would eventually make more than 100 million measurements of radiation levels available to the public. We started in Japan, of course, but eventually people around the world joined the movement, creating an open global data set. The key to success was the mobile, easy to operate, high-quality but lower-cost kit that the Safecast team developed, which people could buy and build to collect data that they might then share on the Safecast website.

Security: Updates, Ransomware, and DNS Blame Misplaced

Security updates for Tuesday
Ransomware still dominates the global threat landscape

Ransomware attacks continues as the main world’s main security threat and the most profitable form of malware, but a new global report indicates that despite “copious” numbers of infections daily there’s emerging signs the threat is no longer growing.
Someone messed with Linux.org's DNS to deface the website's homepage [Ed: That's not "deface"' but more like redirect and it's not the site's DNS system but something upstream, another company that's at fault]

SO IMAGINE YOU REALLY LOVE OPEN SOURCE; you've poured yourself a glass of claret from a wine box and have settled into a night of perusing Linux.org. You feel a tingle of excitement as you type in the URL - you're old skool - but that sours to despair as you see a defaced website greet your eyes. Yep, it looks like someone managed to get into the Linux.org website's domain name service (DNS) settings and point the domain to another server that served up a defaced webpage, which depending on when you may have accessed it, greeted visitors with racial slurs, an obscene picture and a protest against the revised Linux kernel developer code of conduct.

Syndication & Social Media

Follow the site via RSS/Twitter.

Full RSS:

RSS feeds for particular topics are also available

Twitter:

Content (where original) is available under CC-BY-SA, copyrighted by original author/s.

Tux Machines is proud to be hosted by

Support Tux Machines

Help Support TM
Wall of Appreciation

Linux Gizmos

Linux Today

LinuxSecurity.com Advisories

More on Tux Machines: About ● Gallery ● Forum ● Blogs ● Search ● News ● RSS Feed

Part of Bytes Media ● Sister sites below.

Linux.com

DW Latest Releases

Phoronix

Content available under CC-BY-SA

Navigation

Language Selection

Search

Tux Machines Section/s

Authors Information

DistroWatch

LWN

LXer

OpenSource.com

Active forum topics