Concepts and Conditions for Confinement
The confinement problem is concerned with preventing a computational service from divulging information entrusted to it. A model of computer protection is presented and used to formally define the problem and its relation to protection mechanisms. Two types of confinement, one concerned with preventing the direct sending of messages and the other with also preventing the use of covert channels, are explored. For both types, conditions sufficient to insure confinement in terms of the capabilities of computations are presented. The conditions make it possible to identify exactly those objects, if any, which can serve as potential channels. Means for plugging the potential channels are also discussed.