
Launcher (privileged)

Open bluejekyll opened this issue 4 years ago • 3 comments

Launcher is the only privileged Process in Vermilion.

In a military, this would be akin to the commander in charge of launching nuclear missiles (not that we ever want Vermilion used in this capacity). It is only their job to verify that the request is authentic, not to determine the correctness or motivation behind the request. If the request is valid, it should be carried out (though all of us humans would definitely prefer anyone in that position to ignore that command; in this model, that is up to the Supervisor to determine).

Requirements:

  • MUST spawn new Supervisors of Processes as requested by the Leader, i.e. Launcher does not actually launch the Process directly; that is the Supervisor's job.
  • MUST cryptographically authenticate requests by the Leader
  • SHOULD only perform actions at the request of the Leader
  • SHOULD run with as few capabilities as possible: fork+exec, setuid, setgid.
  • SHOULD restrict runtime of target process through some set of capabilities (see https://github.com/bluejekyll/vermilion/issues/1#issuecomment-554681449)
  • SHOULD provide easier-to-use configuration for enabling and disabling capabilities
  • SHOULD provide a tool (unprivileged) to list all options, and create initial configuration
  • SHOULD provide a tool (unprivileged) to test capabilities of a Process
  • SHOULD transfer all management responsibilities of the Process to the Supervisor, i.e. it should not be capable of directly controlling the Process after launch (capabilities may depend on operating system)

Notes:

  • Leader: vermilion controller and coordinator
  • Process: a resource managed by a Supervisor that does work.
  • Supervisor: a Process monitor.

bluejekyll, Nov 17 '19 21:11
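The spawn flow the first, second and fourth requirements describe, as an added illustration in Python (not the project's own Rust code, which this issue does not include): the Leader tags a launch request with HMAC-SHA256 under a shared key (an assumption; the issue does not fix an authentication scheme), the Launcher verifies the tag in constant time, then forks, drops supplementary groups, gid and uid in that order, confirms root cannot be regained, and execs the Supervisor. LEADER_KEY and the argv are constructed placeholders.

```python
import hashlib
import hmac
import json
import os

# Constructed shared secret for this example only; a real deployment would
# provision the key out of band (or use asymmetric signatures instead).
LEADER_KEY = b"example-leader-launcher-key"

def sign_request(key: bytes, request: dict) -> bytes:
    """Leader side: canonicalise the request and append an HMAC-SHA256 tag."""
    body = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag

def verify_request(key: bytes, message: bytes):
    """Launcher side: return the parsed request if its tag verifies, else None.
    compare_digest keeps the check constant-time; the body is only parsed
    after the tag has been accepted."""
    body, sep, tag = message.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)

def launch_supervisor(req: dict) -> int:
    """Fork, drop to the requested uid/gid, then exec the Supervisor.
    The parent keeps only the child pid: from here on the Supervisor, not
    the Launcher, manages the Process."""
    pid = os.fork()
    if pid:
        return pid
    try:
        # Order matters: supplementary groups, then gid, then uid. Calling
        # setuid first would leave no privilege to change the group ids.
        os.setgroups([])
        os.setgid(req["gid"])
        os.setuid(req["uid"])
        try:
            os.setuid(0)  # must fail, otherwise the drop was incomplete
            os._exit(125)
        except PermissionError:
            pass
        os.execv(req["argv"][0], req["argv"])
    except OSError:
        os._exit(126)  # privilege drop or exec failed: never fall through
```

launch_supervisor only succeeds when run as root; the request verification runs as any user.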