
List:       netbsd-tech-kern
Subject:    Re: Capsicum: practical capabilities for UNIX
From:       David Young <dyoung () pobox ! com>
Date:       2010-10-26 17:10:20
Message-ID: 20101026171020.GP7646 () ojctech ! com

On Tue, Oct 26, 2010 at 01:04:30PM +0200, Jean-Yves Migeon wrote:
> 
> On Mon, 25 Oct 2010 20:13:16 -0500, David Young <dyoung@pobox.com> wrote:
> > I've been wondering if the dynamic linker could simulate access to
> > the global namespace by supplying alternate system-call stubs.  Say
> > rtld-elf-cap supplies its own open(2) stub, for example, that searches
> > Capsicum's fdlist for a suitable file descriptor on which to call
> > openat(2):
> > 
> > int
> > open(const char *path, int flags, mode_t mode)
> > {
> > 	const char *name;
> > 	int fd;
> > 
> > 	for (name, fd in fdlist) {
> > 		if (path is-under-directory name)
> > 			return openat(fd, path, flags, mode);
> > 	}
> > 	errno = ENOENT;
> > 	return -1;
> > }
> 
> That would only work with dynamic executables. Sandboxing static
> executables that way will not work.

Good point.

Perhaps the C-language syscall stub for open(2) in libc.a (is it a
figment of my imagination?) can do the dance I describe above if the
syscall returns ENOTCAPABLE?

> Anyway, that's a possibility. I know someone that is working on something
> in this area, but it uses SECCOMP from Linux, and a syscall interception
> method (intent is to avoid patching code in the binary) [1]

I'll have a look at that, thanks.

Dave

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933
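The two mechanisms discussed in the thread (a linker-supplied open(2) stub that searches the fdlist, and a libc.a stub that only falls back to that search when the kernel answers ENOTCAPABLE) can be sketched in working C. The code below is an added illustration, not code from the thread, from Capsicum, or from NetBSD's libc: the `struct capdir` list, `sample_list`, `cap_resolve`, `cap_open_via_list` and `cap_open` are all names assumed here. The ENOTCAPABLE value is FreeBSD's and is only defined when the platform's errno.h lacks it. The part the pseudocode glossed over, "path is-under-directory name", is done on whole path components with longest-match preference, so a descriptor for /etc is never used for /etcetera/x.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE    /* mkdtemp/openat under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef ENOTCAPABLE
#define ENOTCAPABLE 93  /* FreeBSD's value; a stand-in elsewhere */
#endif

/* One entry of the hypothetical fdlist: an absolute directory name and a
 * descriptor opened on it before the process entered capability mode. */
struct capdir {
	const char *name;
	int fd;
};

/* Constructed sample list for the demo; the fd numbers are placeholders. */
const struct capdir sample_list[] = {
	{ "/etc", 3 }, { "/usr", 4 }, { "/usr/share/", 5 },
};
const size_t sample_n = sizeof sample_list / sizeof sample_list[0];

/* "path is-under-directory name": match whole components only, so "/etc"
 * does not cover "/etcetera/x", and prefer the longest covering directory.
 * Returns that directory's fd and stores the remainder of the path in *rel
 * ("." when path names the directory itself); -1 if nothing covers it. */
int
cap_resolve(const char *path, const struct capdir *list, size_t n,
    const char **rel)
{
	size_t i, len, bestlen = 0;
	int bestfd = -1;
	const char *r, *bestrel = NULL;

	if (path == NULL || path[0] != '/')
		return -1;
	for (i = 0; i < n; i++) {
		len = strlen(list[i].name);
		while (len > 0 && list[i].name[len - 1] == '/')
			len--;          /* "/usr/share/" -> "/usr/share"; "/" -> "" */
		if (strncmp(path, list[i].name, len) != 0)
			continue;
		if (path[len] != '/' && path[len] != '\0')
			continue;       /* not on a component boundary */
		if (bestfd >= 0 && len <= bestlen)
			continue;       /* a longer match was already found */
		for (r = path + len; *r == '/'; r++)
			;               /* skip the separator(s) */
		bestlen = len;
		bestfd = list[i].fd;
		bestrel = (*r == '\0') ? "." : r;
	}
	if (bestfd >= 0 && rel != NULL)
		*rel = bestrel;
	return bestfd;
}

/* The dance from the sketch: resolve against the list, then openat(2). */
int
cap_open_via_list(const char *path, int flags, mode_t mode,
    const struct capdir *list, size_t n)
{
	const char *rel;
	int dirfd = cap_resolve(path, list, n, &rel);

	if (dirfd < 0) {
		errno = ENOENT;         /* nothing in the list covers the path */
		return -1;
	}
	return openat(dirfd, rel, flags, mode);
}

/* The libc.a variant: issue the real open(2) first and only do the dance
 * when the kernel refuses it with ENOTCAPABLE. */
int
cap_open(const char *path, int flags, mode_t mode,
    const struct capdir *list, size_t n)
{
	int fd = open(path, flags, mode);

	if (fd >= 0 || errno != ENOTCAPABLE)
		return fd;              /* success, or an unrelated failure */
	return cap_open_via_list(path, flags, mode, list, n);
}

/* Stand-alone demo: build a one-entry list from a fresh temp directory and
 * create a file inside it through the dance instead of a global open(2). */
int
main(void)
{
	char tmpl[] = "/tmp/capdemo.XXXXXX", file[64];
	struct capdir list[1];
	int fd, ok;

	if (mkdtemp(tmpl) == NULL)
		return 1;
	list[0].name = tmpl;
	list[0].fd = open(tmpl, O_RDONLY | O_DIRECTORY);
	snprintf(file, sizeof file, "%s/hello.txt", tmpl);
	fd = cap_open_via_list(file, O_WRONLY | O_CREAT, 0600, list, 1);
	ok = fd >= 0;
	if (ok) {
		printf("opened %s as fd %d via directory fd %d\n", file, fd, list[0].fd);
		close(fd);
		unlink(file);
	}
	close(list[0].fd);
	rmdir(tmpl);
	return ok ? 0 : 1;
}
```

The resolver is kept separate from the openat(2) call so the matching rule can be checked without any descriptors open; the wrapper's ENOENT on a miss mirrors the sketch. Note what this does not solve: a static binary that performs the syscall through inline assembly, or a library that caches its own stub, bypasses `cap_open` entirely, which is the limitation Jean-Yves raised.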