POSIX - How To Ruin A Perfectly Good Container

Ben Laurie's great rant about POSIX and the need for object-capabilities. In short, the old threat model was untrusted tenants, trusted software, and the unit of protection was files and devices. The new threat model is trusted tenants, untrusted software, and the unit of protection is individual data items. Yet we are still trying to bend the security systems of the 60s to fit this new world. It doesn’t work very well, because the controls we need to exercise are no longer at the level of files or devices. They are now really at the level of services and data. ACLs in Unix have nothing to say about services and data. Even if they did, they would have to be very different kinds of ACLs from the ones we are used to. So what do we do about this? We make containers. We say “well, there’s just too much going on on the whole computer to reason about what this software can do, so let’s isolate it from the computer and just give it the stuff it needs in a container”. This is the start of a great plan. post