
Compartmentalized computing with CLIP OS


The design of CLIP OS 5 includes three elements: a bootloader, a core system, and the cages. The system uses secure boot with signed binaries. Only the x86 architecture was supported in the previous versions, and no other architectures are planned for now. The core system is based on Hardened Gentoo. Finally, the cages provide user sessions, with applications and documents.

Processes running in separate cages cannot communicate directly. Instead, they must pass messages using special services on the core system; these services are unprivileged and confined on the cage system, but privileged on the core. These communication paths are shown in this architecture diagram from the documentation. Cages are also isolated from the core system itself — all interactions (system calls, for example) are checked and go through mediation services. Isolation between applications will use containers, and the team plans to use the Flatpak format. The details of the CLIP OS 5 implementation are not available yet, as this feature is planned for the stable release.

A specific Linux security module (LSM) inspired by Linux-VServer will be used to provide additional isolation between the cages, and between the cages and the core system. Linux-VServer is a virtual private server implementation designed for web hosting. It partitions a computer system's CPU time, memory, filesystem, and network addressing into security contexts. Starting and stopping a virtual server corresponds to setting up and tearing down a security context.
