
Re: Policy: should libraries depend on services (daemons) that they can speak to?



Hi,

On 1/16/24 03:55, Simon McVittie wrote:
> I would personally like to see *more* privilege separation across IPC
> boundaries rather than less, if that can reduce the total attack surface
> of the setuid/setcap executables in the trusted computing base.

Yes; however, there is a downside to building IPC microservices this way: we are now dynamically building trust chains, and the entire chain is not visible, as the orchestrator can only witness individual connections between black boxes (in the same way that socket activation hides dependencies between services).

So we might have a component that has no special capabilities, but it is privileged by the trust relationship from other components, which may in turn have capabilities. Such components with incoming trust relationships would _also_ have to be written with minimal dependencies, and lots of mitigation code -- so while we're reducing the impact of a breach, I fear we're increasing attack surface by adding more privilege domains, and declaring some of them as "less critical".

   Simon
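The situation Simon describes, a component with no capabilities of its own that becomes privileged purely through who trusts it, can be made concrete with a small model. The following is an added illustration, not code from this thread or from Debian, systemd or D-Bus; all service names, capabilities and trust edges are constructed. It treats each IPC connection where one component acts on another's word as a trust edge (the only thing an orchestrator or socket activation sees), and computes the transitive closure to find the effective trusted computing base.

```python
"""Effective privilege of IPC components under transitive trust.

Added illustration for the mailing-list argument above, not code from
Debian, systemd or D-Bus.  Each service is a node, each IPC connection
where one component acts on what another tells it is a trust edge, and
capabilities are held only by the few helpers that are actually
setuid/setcap.  The per-edge view is what an orchestrator can observe;
the transitive closure is what an attacker actually gets.
"""
from collections import defaultdict, deque

# Constructed service graph; all names and capabilities are hypothetical.
DIRECT_CAPS = {
    "mount-helper":   {"CAP_SYS_ADMIN"},
    "netcfg-daemon":  {"CAP_NET_ADMIN"},
    "session-broker": set(),   # no capabilities of its own
    "policy-db":      set(),   # no capabilities of its own
    "app":            set(),
}

# (truster, trusted): the truster acts on what the trusted component tells
# it without independently verifying it.  Each tuple is one observable
# connection between two black boxes.
TRUST_EDGES = [
    ("mount-helper", "session-broker"),   # mounts whatever the broker asks for
    ("netcfg-daemon", "session-broker"),  # reconfigures the network on the broker's word
    ("session-broker", "policy-db"),      # the broker's decisions come from the policy store
    # app -> session-broker is a request path, but the broker checks policy
    # before acting on it, so it is deliberately not modelled as trust.
]


def trusted_by(edges):
    """Reverse index: trusted component -> components that rely on it."""
    rev = defaultdict(set)
    for truster, trusted in edges:
        rev[trusted].add(truster)
    return rev


def effective_caps(component, direct=DIRECT_CAPS, edges=TRUST_EDGES):
    """Capabilities an attacker controls after compromising `component`:
    its own, plus those of everything that transitively trusts it."""
    rev = trusted_by(edges)
    caps = set(direct.get(component, set()))
    seen, queue = {component}, deque([component])
    while queue:
        current = queue.popleft()
        for truster in rev[current]:
            if truster not in seen:
                seen.add(truster)
                caps |= direct.get(truster, set())
                queue.append(truster)
    return caps


def per_edge_view(direct=DIRECT_CAPS, edges=TRUST_EDGES):
    """The orchestrator's view: each connection in isolation, and the
    capabilities that single hop hands over.  The broker -> policy-db edge
    looks harmless on its own because the broker holds nothing."""
    return {(a, b): set(direct.get(a, set())) for a, b in edges}


def hidden_privileged(direct=DIRECT_CAPS, edges=TRUST_EDGES):
    """Components with no capabilities of their own that nevertheless sit in
    the effective trusted computing base, with what they effectively hold."""
    return {
        c: effective_caps(c, direct, edges)
        for c in direct
        if not direct[c] and effective_caps(c, direct, edges)
    }


if __name__ == "__main__":
    for (a, b), caps in per_edge_view().items():
        print(f"edge {a} -> {b}: hands over {sorted(caps) or 'nothing'}")
    for c, caps in hidden_privileged().items():
        print(f"{c}: no direct caps, but effectively holds {sorted(caps)}")
```

In this model the policy store has no capabilities and its only connection transfers none, yet compromising it yields CAP_SYS_ADMIN and CAP_NET_ADMIN two hops away; it would therefore need the same minimal-dependency, hardened treatment as the helpers themselves, which is the point made above.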

