undefined | Better HN

0 pointskentonv10y ago0 comments

I knew someone would ask that.

So, the way I'd recommend doing the filename whitelist is by setting up a mount namespace. Create a tmpfs, create the necessary directory tree inside it, bind-mount each whitelisted path in the tmpfs to the real file, then pivot_root into the tmpfs. This sounds complicated but is actually not very much code, and again a library could make it easier.

But I think you could also do it with pure seccomp. The trick is to copy the filename list into memory pages that you subsequently mark read-only. Then, have your seccomp filter whitelist specifically pointers to those strings, and prohibit making the pages writable again.

(Disclaimer: I just came up with this on a whim, it probably needs more thought.)

0 comments

caf10y ago

You don't even have to copy the filenames around and mess with changing page permissions - simply doing:

  static const char * const dev_null = "/dev/null";

and then whitelisting the pointer dev_null is sufficient, because string literals are stored in the text section which is mapped read-only.

amluto10y ago

That only works if you've locked down mprotect, mmap, and munmap.

caf10y ago

Yes, the parent covered that.

MBCook10y ago

> Create a tmpfs, create the necessary directory tree inside it, bind-mount each whitelisted path in the tmpfs to the real file, then pivot_root into the tmpfs

You've made an excellent case for pledge("rpath", ["/dev/null"]);

kentonvOP10y ago

I am saying we can and should have a library that offers that interface, yes, but that having the lower-level building blocks available is also important.

j / k navigate · click thread line to collapse

0 pointskentonv10y ago0 comments

I knew someone would ask that.

(Disclaimer: I just came up with this on a whim, it probably needs more thought.)

0 comments

caf10y ago

You don't even have to copy the filenames around and mess with changing page permissions - simply doing:

  static const char * const dev_null = "/dev/null";

and then whitelisting the pointer dev_null is sufficient, because string literals are stored in the text section which is mapped read-only.

amluto10y ago

That only works if you've locked down mprotect, mmap, and munmap.

caf10y ago

Yes, the parent covered that.

MBCook10y ago

> Create a tmpfs, create the necessary directory tree inside it, bind-mount each whitelisted path in the tmpfs to the real file, then pivot_root into the tmpfs

You've made an excellent case for pledge("rpath", ["/dev/null"]);

kentonvOP10y ago

I am saying we can and should have a library that offers that interface, yes, but that having the lower-level building blocks available is also important.

j / k navigate · click thread line to collapse