[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

unreliable ".." and namespace protection

i've been trying to write a sort of firewall program
that wraps some namespace protection around an untrusted
program and warns about attempted illegal accesses.

  ns -r /usr/rog shellcommand

runs shellcommand in an environment where any attempt
to write any file under /usr/rog will fail, and generate
a warning message. (it does this by intercepting walk
messages and keeping track of the current directory
of each fid)

however it appears to be very difficult to do this reliably
due to difficulties with the behaviour of ".." in union directories.

for instance if i've done
  bind -a /usr/rog/dis /dis

  ns -r /sys {echo munge > /usr/rog/dis/../sys/importantfile}

will write quite happily to /sys/importantfile, because ns
thinks that the relevant fid is pointing to /usr/rog/sys/importantfile,
not /sys/importantfile.

my question is: given the list of mounts obtainable from /prog/$pid/ns
is it possible to work out reliably where a walk to ".." will take the
fid, or is it not worth trying ?