User:ScotXW/Sandboxes on Linux
Sandboxes on Linux looks at the different mechanisms there are to implement sandbox on Linux = Linux kernel-based family of operating systems. With regard to the article sandbox being a pile of crap: July 2014 it is hard to document these software project, since we cannot just refer to the article to explain the underlying mechanisms and their merits. I doubt Wikipedia will ever attract good writers... its not the money, its the idiots being around here, and throwing money at it, will not help. Best follow Helmuth von Moltke the Elder advise and send them far far away...
- I think User:ScotXW/Virtualization introduced sandboxes and containers. If there is a difference between a sandbox and a container, I guess sandbox = for 1 application, container = for n applications. Sandbox was originally only for security, but nothing speaks against applying resource management to it.
- Linux Security Modules
- Capsicum: originally proposed 2010 at USENIX Security Symposium in a paper named "Capsicum: practical capabilities for UNIX" by Robert N. M. Watson (University of Cambridge) Jonathan Anderson (University of Cambridge) Ben Laurie (Google UK Ltd.) Kris Kennaway (Google UK Ltd.)[2] As the name sugggest it targets UNIX® (not "unix-like" or Ronald MacDonald). An implementation was written for FreeBSD and mainlined there in 9.0.[3] This could make Capsicum available in the PlayStation 4 system software, which was forked from FreeBSD 9.0. In July 2014, some people proposed to do Capsicum for the Linux kernel.[4]
2010 – Capsicum: Practical Capabilities for UNIX on YouTube FOSDEM 2014: Capsicum - kdbus/cgroups/systemd – Lennart Poettering et al. have been working on a Sandbox/Container based on these Linux kernel components. As of July 2014 kdbus is ready, but still waits to be accepted into Linux kernel mainline. This solution should give security AND resource management. Something klik-like could augment .deb and .rpm; by abandoning shared libraries, this could solve the problem of a missing widely-adopted Linux ABI and the not free enough problem. Abandoning "share libraries" removes test cases from them, this is bad, but maybe having to package the same software is more bad. Rigs of Rods is still not in the Debian repos. So we either make Linux people compile it, or serve klick-like packages to download next to the Window-install-package free for download.
- seccomp – mainlined 2.6.12 2005-03-08
Comparison
| Unified Video Decoder | — | — | — | — | UVD, UVD+, UDV 2 | UVD 2.2 | UVD 3 | UVD 4 | UVD 4.2 | TBA |
|---|---|---|---|---|---|---|---|---|---|---|
| Video Codec Engine | — | — | — | — | — | — | — | VCE 1.0 | VCE 2.0 | TBA |
| TrueAudio | — | — | — | — | — | — | — | — | Some | TBA |
| Max. № of displays | 1–2 | 2 | 2 | 2 | 2 | 2–6 | 4–6 | 2–6 | 2–6 | TBA |
| Max. resolution (px) | 4–6x 2560×1600 | TBA | ||||||||
| R100 | R200 | R300 R400 |
R500 | R600 R650 R700 |
Evergreen | Northern Islands | Southern Islands Sea Islands |
Volcanic Islands | Pirates Islands | |
| Released | Apr 2000 | Aug 2001 | Oct 2002 | Oct 2005 | May 2006 | Sep 2009 | Oct 2010 | Jan 2012 | Sept 2013 | TBA |
| Linux KMS driver[5] | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — |
| FYI | Fixed pipeline | Unified shader model | ||||||||
| various | TeraScale | Graphics Core Next (Mantle) | TBA | |||||||
- ^ "Understanding the Access Control Model for Tizen Application Sandboxing". Archived from the original (PDF) on 2012-09-12.
- ^ "Capsicum: practical capabilities for UNIX" (PDF). 2010.
- ^ "Capsicum: practical capabilities for UNIX". LWN.net. 2012-02-22.
- ^ "Capsicum in the Linux kernel". LWN.net. 2014-07-01.
- ^ Airlie, David (2009-11-26). "DisplayPort supported by KMS driver mainlined into Linux kernel 2.6.33". Retrieved 2014-07-02.