For example, an MMORPG might have full access to the DRI/DRM stack and PulseAudio but very limited access to the filesystem. I can do this right now with AppArmor, but it's a bit clumsy in that regard.
Or I might want to be able to pass file handles to a seccomped sandbox while it's running.
I don't really mind statefulness in a syscall firewall if it helps. Just as I don't mind it in iptables.
Seccomp filters: permission denied
Posted May 27, 2011 13:40 UTC (Fri) by talex (subscriber, #19139)
If so, you don't need any fancy custom syscall rules, just the ability to pass file descriptors to sandboxed processes (so the MMORPG either starts with DRI access before dropping privileges, or starts with a Unix-domain socket over which it can request it from another user-space process).
It seems to me that the only calls we really need to block are the ones that operate on global namespaces rather than on descriptors (e.g. open, connect, kill).
Posted May 27, 2011 14:07 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
Won't work. An MMORPG also needs to read assets, so it must have access to a part of the filesystem. Also, it might need write access to local preferences storage.
OpenGL drivers might also need to have read access.
Posted May 27, 2011 15:24 UTC (Fri) by talex (subscriber, #19139)
But with Linus' suggestion ("new flags to pathname lookup that say “don't follow symlinks” and “don't follow '..'”"), you could allow openat calls and pass in the FD for the subdirectory you wanted it to access, I think.
(Plash doesn't allow processes to hold a directory FD because that would allow them to escape Plash's sandbox, but seccomp mode doesn't need to worry about that. http://plash.beasts.org/wiki/DirectoryFDs)
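The directory-FD approach from the two posts above, as an added C example that is not from the thread or from Plash: a user-space version of the "don't follow symlinks / don't follow '..'" lookup, which a process holding only a directory FD (or a filesystem server acting for it) could apply before opening anything. safe_openat() and demo() are hypothetical names; the scratch tree under /tmp is constructed test data.

```c
#define _GNU_SOURCE                     /* strtok_r, mkdtemp prototypes */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open PATH relative to DIRFD one component at a time with O_NOFOLLOW, refusing
 * absolute paths and "..", so the result never lies outside the directory the
 * sandbox was handed.  Returns an fd, or -1 with errno set. */
int safe_openat(int dirfd, const char *path, int flags)
{
    char buf[4096];
    if (path[0] == '\0' || path[0] == '/') { errno = EPERM; return -1; }
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int cur = dup(dirfd);
    if (cur < 0) return -1;
    char *save, *comp = strtok_r(buf, "/", &save);
    while (comp) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(cur); errno = EPERM; return -1; }
        if (strcmp(comp, ".") == 0) { comp = next; continue; }
        /* intermediate components must be real directories, never symlinks */
        int want = next ? (O_RDONLY | O_DIRECTORY | O_NOFOLLOW) : (flags | O_NOFOLLOW);
        int fd = openat(cur, comp, want, 0600);      /* a symlink here gives ELOOP */
        close(cur);
        if (fd < 0) return -1;
        cur = fd; comp = next;
    }
    return cur;
}
/* Constructed scratch tree in /tmp: assets/config plus a symlink "escape" -> "..".
 * Returns 1 when the policy behaves as intended, 0 otherwise. */
int demo(void)
{
    char root[] = "/tmp/sandboxXXXXXX";
    if (!mkdtemp(root)) return 0;
    int dirfd = open(root, O_RDONLY | O_DIRECTORY);
    mkdirat(dirfd, "assets", 0700);
    close(openat(dirfd, "assets/config", O_WRONLY | O_CREAT, 0600));
    symlinkat("..", dirfd, "escape");
    int ok = 1, fd;
    fd = safe_openat(dirfd, "assets/config", O_RDONLY); ok &= fd >= 0; close(fd);
    fd = safe_openat(dirfd, "../secret", O_RDONLY);     ok &= fd < 0 && errno == EPERM;
    fd = safe_openat(dirfd, "escape/secret", O_RDONLY); ok &= fd < 0;  /* refused at "escape" */
    fd = openat(dirfd, "escape", O_RDONLY);  ok &= fd >= 0; close(fd); /* plain openat follows it */
    close(dirfd);
    return ok;
}
int main(void) { return demo() ? 0 : 1; }
```

The last two checks in demo() show the contrast: a plain openat through the "escape" symlink leaves the sandbox directory, while safe_openat refuses it at the symlinked component.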
Posted May 27, 2011 15:47 UTC (Fri) by nybble41 (subscriber, #55106)
Posted May 27, 2011 15:57 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
So they'll probably write a 'filesystem server' which will have to do path sanitizing, permission checking and so on. Then one might think, why not write something like PulseAudio, a central filesystem server that can be reused by various programs so that each one won't have to reinvent it. Do you see where we're heading?
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds