[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
unreliable ".." and namespace protection
- To: inferno@interstice.com
- Subject: unreliable ".." and namespace protection
- From: Roger Peppe <rog@ohm.york.ac.uk>
i've been trying to write a sort of firewall program
that wraps some namespace protection around an untrusted
program and warns about attempted illegal accesses.
so:
ns -r /usr/rog shellcommand
runs shellcommand in an environment where any attempt
to write any file under /usr/rog will fail, and generate
a warning message. (it does this by intercepting walk
messages and keeping track of the current directory
of each fid)
however it appears to be very difficult to do this reliably
due to difficulties with the behaviour of ".." in union directories.
for instance if i've done
bind -a /usr/rog/dis /dis
then
ns -r /sys {echo munge > /usr/rog/dis/../sys/importantfile}
will write quite happily to /sys/importantfile, because ns
thinks that the relevant fid is pointing to /usr/rog/sys/importantfile,
not /sys/importantfile.
my question is: given the list of mounts obtainable from /prog/$pid/ns
is it possible to work out reliably where a walk to ".." will take the
fid, or is it not worth trying ?
cheers,
rog.
- Prev by Date: any Israeli companies doing Inferno
- Next by Date: Re: yacc available
- Prev by thread: Re: any Israeli companies doing Inferno
- Next by thread: inheritable file system objects, part 1: security
- Index(es):