gue5t | 5 years ago

You're completely right, of course. Seeing the amount of effort put into virtualization, sandboxing, containers, etc. is enough to make one wonder why every enterprise is so shortsighted. Capabilities obviate all of the above, and are neither a new untested idea nor more complicated than what we have--as we clearly see in the repeated attempts to build things that approximate them with ACLs and sandboxes and seccomp rules and so on.

Linux is slowly moving toward capability-centric design with more and more comprehensive namespacing and file-descriptor-based interfaces to things like pidfd and memfd, but there's still a long way to go before we can jettison ambient authority such as the filesystem entirely. Meanwhile, Google's Fuchsia may deploy a capability-based operating system to the masses, but it will likely only be used to sandbox applications written for Android anyway. The real potential of capabilities is to simplify the interface of a power-user operating system by eliminating the race conditions, side channels, privacy leaks, firewalls, virus scanners, and unix-style permissions from developers' and users' day-to-day experience completely.

There will still be memory-safety zero days, of course, until we abandon languages where humans are statistically incapable of writing memory-safe code.
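As an added illustration (not part of gue5t's comment) of what the file-descriptor-based interfaces mentioned above buy over ambient path authority: a Linux memfd (assumed kernel 3.17+ and a libc exposing memfd_create) has no filesystem name, so only a process holding the descriptor can reach it, and file seals let that holder strip write rights before handing the descriptor to a less trusted party. The function and name below are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Create an anonymous memfd holding `data`, then seal it so the kernel
 * refuses writes, growth and shrinking through *any* copy of the fd.
 * There is no path to this object: it is reachable only via the
 * descriptor, which is exactly what makes it a capability. */
int make_sealed_memfd(const char *data, size_t len) {
    int fd = memfd_create("constructed-example", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    /* F_SEAL_SEAL makes the seal set itself final. */
    int seals = F_SEAL_WRITE | F_SEAL_GROW | F_SEAL_SHRINK | F_SEAL_SEAL;
    if (fcntl(fd, F_ADD_SEALS, seals) < 0) { close(fd); return -1; }
    return fd;
}

/* Exercise the sealed descriptor. Returns 1 when the fd behaves as a
 * read-only capability: content reads back intact and the kernel rejects
 * a write with EPERM. Returns 0 on any deviation. */
int demo_sealed_memfd(void) {
    const char *msg = "reachable only through the fd";
    size_t len = strlen(msg);
    int fd = make_sealed_memfd(msg, len);
    if (fd < 0) return 0;

    char buf[64] = {0};
    int ok = pread(fd, buf, sizeof buf - 1, 0) == (ssize_t)len
          && memcmp(buf, msg, len) == 0;

    /* Holder of the fd still cannot modify it: the right was removed. */
    ok = ok && pwrite(fd, "x", 1, 0) == -1 && errno == EPERM;

    close(fd);
    return ok;
}

int main(void) {
    printf("sealed memfd acts as read-only capability: %s\n",
           demo_sealed_memfd() ? "yes" : "no");
    return 0;
}
```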
