To be more generally useful, the process probably wants access to other system calls that simply access file descriptors, e.g. poll(). Passing file descriptors might also be desirable. Architectures with vsyscalls can do gettimeofday() from user space, but not every architecture implements it.
The great virtue of Andrea's mechanism is that it is rather difficult to get read()/write() wrong -- there's little in the way of syscall argument processing, with potential fence-post errors, etc.
But to provide additional functionality, one needs to implement an RPC mechanism to a managing process (talking over some file descriptor passed to the secured process) anyway, in which case one has to ask, which is more secure? As soon as the number of "RPC-like" services provided by the manager process multiplies, one has to worry about security in the manager process.
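A concrete version of the "RPC to a managing process" the comment sketches, added here as an illustration (this is not code from the LWN discussion or from Andrea Arcangeli's seccomp patch). The worker is locked into seccomp strict mode, where only read(), write(), exit() and sigreturn() survive, and talks to a manager over a socketpair; the manager services a single "get <key>" request against a constructed key/value table and bounds-checks every request before parsing it. The wire protocol, the table, the exit codes and all function names are assumptions made for the example.

```c
/* Added example, not code from the LWN comment or the seccomp patch it
 * discusses.  Protocol, table and function names are illustrative. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <linux/seccomp.h>
#endif

#define REQ_MAX 64   /* longest request the manager will parse */

/* Exit codes the worker reports through the raw exit syscall. */
enum { WORKER_OK = 0, WORKER_RPC_FAILED = 1, WORKER_NO_SECCOMP = 2,
       WORKER_OK_UNSANDBOXED = 3 };

struct demo_result { int worker_status; int served; };

/* Constructed table standing in for whatever a real manager brokers. */
static const struct { const char *key, *val; } table[] = {
    { "greeting", "hello" }, { "version", "1" },
};

/* Manager side: one verb, bounded comparisons, nothing parsed past REQ_MAX.
 * This is the surface the comment warns grows with every added service. */
size_t handle_request(const char *req, size_t len, char *out, size_t outlen)
{
    if (len > REQ_MAX)
        return (size_t)snprintf(out, outlen, "ERR request too long");
    if (len < 4 || memcmp(req, "get ", 4) != 0)
        return (size_t)snprintf(out, outlen, "ERR unknown verb");
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        size_t klen = strlen(table[i].key);
        if (len - 4 == klen && memcmp(req + 4, table[i].key, klen) == 0)
            return (size_t)snprintf(out, outlen, "OK %s", table[i].val);
    }
    return (size_t)snprintf(out, outlen, "ERR unknown key");
}

/* Serve until the worker's end closes (read() returns 0).  SOCK_SEQPACKET
 * keeps message boundaries, so an oversized request arrives as a read of
 * REQ_MAX + 1 bytes and is rejected instead of parsed. */
static int serve(int fd)
{
    char req[REQ_MAX + 1], reply[128];
    int served = 0;
    for (;;) {
        ssize_t n = read(fd, req, sizeof req);
        if (n <= 0) break;
        size_t rl = handle_request(req, (size_t)n, reply, sizeof reply);
        if (write(fd, reply, rl) != (ssize_t)rl) break;
        served++;
    }
    return served;
}

static int enter_strict_mode(void)
{
#ifdef __linux__
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);
#else
    return -1;   /* no seccomp on this platform */
#endif
}

/* glibc's _exit() uses exit_group(), which strict mode does not permit,
 * so a sandboxed worker calling it is SIGKILLed: use the raw exit syscall. */
static void raw_exit(int code) { syscall(SYS_exit, code); for (;;) ; }

/* Worker side.  Buffers and lengths are prepared before the lockdown;
 * afterwards only read(), write() and raw_exit() are used: no stdio,
 * no malloc, no libc exit. */
static int worker(int fd, int require_seccomp)
{
    static char big[REQ_MAX * 3];
    memset(big, 'A', sizeof big);
    const struct { const char *req; size_t len; const char *want; size_t wlen; }
    cases[] = {
        { "get greeting", 12, "OK hello", 8 },
        { "get shadow",   10, "ERR unknown key", 15 },
        { big, sizeof big,   "ERR request too long", 20 },
    };
    char buf[128];
    int sandboxed = enter_strict_mode() == 0;
    if (!sandboxed && require_seccomp)
        return WORKER_NO_SECCOMP;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (write(fd, cases[i].req, cases[i].len) != (ssize_t)cases[i].len)
            return WORKER_RPC_FAILED;
        ssize_t n = read(fd, buf, sizeof buf);
        if (n != (ssize_t)cases[i].wlen || memcmp(buf, cases[i].want, cases[i].wlen))
            return WORKER_RPC_FAILED;
    }
    return sandboxed ? WORKER_OK : WORKER_OK_UNSANDBOXED;
}

/* Fork the worker, serve it, report its status (negative = killed by that
 * signal; SIGKILL means it made a syscall strict mode forbids). */
struct demo_result run_demo(int require_seccomp)
{
    struct demo_result r = { -1, 0 };
    int sv[2], status;
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) return r;
    if (pid == 0) { close(sv[0]); raw_exit(worker(sv[1], require_seccomp)); }
    close(sv[1]);
    r.served = serve(sv[0]);
    close(sv[0]);
    if (waitpid(pid, &status, 0) == pid) {
        if (WIFEXITED(status)) r.worker_status = WEXITSTATUS(status);
        else if (WIFSIGNALED(status)) r.worker_status = -WTERMSIG(status);
    }
    return r;
}

int main(void)
{
    struct demo_result r = run_demo(1);
    printf("served %d requests, worker status %d\n", r.served, r.worker_status);
    return r.worker_status == WORKER_OK ? 0 : 1;
}
```

The worker itself cannot get anything wrong beyond read()/write(); every argument-handling risk has moved into handle_request(), which is why the manager's service list is the thing to keep small. A quick check that the lockdown is real: replace raw_exit() with _exit() and run_demo(1) reports the worker killed by SIGKILL, because exit_group() is not on the strict-mode list.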
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds