Plash solved that problem by sending "open" requests to a helper process, which checked against a policy, opened the file, and sent the FD back. It didn't even require recompiling the application (Plash just substituted a modified libc).
But with Linus' suggestion ("new flags to pathname lookup that say 'don't follow symlinks' and 'don't follow ..'"), you could allow openat calls and pass in the FD for the subdirectory you wanted it to access, I think.
(Plash doesn't allow processes to hold a directory FD because that would allow them to escape Plash's sandbox, but seccomp mode doesn't need to worry about that. http://plash.beasts.org/wiki/DirectoryFDs)
Posted May 27, 2011 15:47 UTC (Fri) by nybble41 (subscriber, #55106)
You would also need to disallow absolute paths, or use a chroot--blocking symlinks and '..' in the kernel's path resolver won't prevent an application from resolving the full path internally. The intended use seems more in line with improving the security of applications which are already trusted, as a guard against accidents.
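The two comments above describe the user-space version of the same idea: a helper (or the sandboxed process itself, once it holds a directory FD) opens a path with openat relative to that directory, while rejecting absolute paths and '..' and never following a symlink. The following C program is an added illustration, not code from Plash, LWN or the kernel patch under discussion; the function names `path_is_confined` and `open_beneath` are my own. It applies the policy check first, then walks the path one component at a time, opening each intermediate directory with O_NOFOLLOW|O_DIRECTORY relative to the previous one, so that a symlink anywhere in the path fails with ELOOP instead of being resolved.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Policy check a helper process would apply before touching the filesystem:
 * the path must be relative, must not contain a ".." component, and must not
 * contain empty components (so "a//b" and trailing slashes are rejected too).
 * Returns 1 if the path is acceptable, 0 otherwise. */
int path_is_confined(const char *path)
{
    if (path == NULL || path[0] == '\0' || path[0] == '/')
        return 0;
    for (const char *p = path; ; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0)
            return 0;                       /* "a//b" or "a/" */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                       /* ".." would climb out */
        if (slash == NULL)
            return 1;
        p = slash + 1;
    }
}

/* Open `path` relative to the directory `dirfd` without following any symlink
 * and without leaving that directory. Every intermediate component is opened
 * with O_NOFOLLOW|O_DIRECTORY relative to the fd of the previous component,
 * so the kernel never resolves a symlink on the caller's behalf.
 * Returns the new fd, or -1 with errno set (EACCES for a rejected path). */
int open_beneath(int dirfd, const char *path, int flags)
{
    char buf[PATH_MAX];
    int saved;

    if (!path_is_confined(path) || strlen(path) >= sizeof buf) {
        errno = EACCES;
        return -1;
    }
    strcpy(buf, path);

    int cur = dirfd;                        /* never closed: owned by caller */
    char *comp = buf;
    for (;;) {
        char *slash = strchr(comp, '/');
        if (slash == NULL)
            break;                          /* `comp` is now the final component */
        *slash = '\0';
        int next = openat(cur, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        saved = errno;
        if (cur != dirfd)
            close(cur);
        if (next < 0) {                     /* ELOOP if `comp` is a symlink */
            errno = saved;
            return -1;
        }
        cur = next;
        comp = slash + 1;
    }

    /* The final component gets O_NOFOLLOW as well, so a symlink leaf is
     * refused rather than followed. */
    int fd = openat(cur, comp, flags | O_NOFOLLOW | O_CLOEXEC);
    saved = errno;
    if (cur != dirfd)
        close(cur);
    errno = saved;
    return fd;
}

int main(int argc, char **argv)
{
    /* Usage: ./open_beneath <directory> <relative-path> */
    if (argc != 3) {
        fprintf(stderr, "usage: %s <dir> <relative-path>\n", argv[0]);
        return 2;
    }
    int dirfd = open(argv[1], O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) { perror(argv[1]); return 1; }
    int fd = open_beneath(dirfd, argv[2], O_RDONLY);
    if (fd < 0) { perror(argv[2]); return 1; }
    printf("opened %s inside %s as fd %d\n", argv[2], argv[1], fd);
    close(fd);
    close(dirfd);
    return 0;
}
```

Because each step holds an fd to the directory it just opened, a symlink swapped in between two steps cannot redirect the walk; what this user-space walk cannot catch is a directory being renamed out of the subtree while the walk is in progress, which is exactly the case the in-kernel lookup flags proposed in the article would close (Linux later added openat2(2) with RESOLVE_BENEATH and RESOLVE_NO_SYMLINKS for that purpose).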
Seccomp filters: permission denied
Posted May 27, 2011 15:57 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
So we need to rearchitect MMORPG to separate IO requests into a separate process - which might not be easy for game developers writing portable code.
So they're probably going to write a 'filesystem server' which will have to do path sanitizing, permission checking and so on. Then one might think, why not write something like PulseAudio - a central filesystem server that can be reused by various software so each program won't have to reinvent it. Do you see where we're heading?