From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: David Drysdale <drysdale@google.com>,
Andy Lutomirski <luto@amacapital.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: RFC: fsyscall
Date: Thu, 10 Sep 2015 08:35:43 -0500 [thread overview]
Message-ID: <20150910133543.GB27602@mail.hallyn.com> (raw)
In-Reply-To: <87a8svcrr9.fsf@x220.int.ebiederm.org>
On Wed, Sep 09, 2015 at 02:33:14PM -0500, Eric W. Biederman wrote:
...
> If I assume that anything file descriptor based will need another
> mechanism to filter what is allowed on a file descriptor, and as such
> will need a different mechanism (capsicum perhaps?). That handily
> reduces the problem space, and removes almost all cases where reading
> data from userspace is interesting as I am talking about pure system calls.
>
> The list of system calls which are not file descriptor based are listed
> below. Most of those don't take weird parameter structures that would
> be interesting to filter. So I think my fsyscall idea is conceptually
> reasonable. It is not a complete solution for passing someone a well
> defined subset you are allowed to do but it is interesting.
...
> creat
Taking this as a specific example, I'm somewhat fond of the idea of
saying that we can support openat() as fd-based (let's say
capsicum-based as we know that can work), and therefore we don't need
open() or creat(). If you're designing an app so that you can fork a
task with a subset of your capabilities, then you're writing it now
anyway, so there is no reason for supporting open and creat. Since
these are specifically very subject to TOCTTOU, saying "you must use
openat()" seems ok.
-serge
next prev parent reply other threads:[~2015-09-10 13:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-08 22:35 RFC: fsyscall Eric W. Biederman
2015-09-08 22:55 ` Andy Lutomirski
2015-09-08 23:07 ` Eric W. Biederman
2015-09-08 23:18 ` Andy Lutomirski
2015-09-09 0:25 ` Eric W. Biederman
2015-09-09 17:27 ` David Drysdale
2015-09-09 19:33 ` Eric W. Biederman
2015-09-10 13:35 ` Serge E. Hallyn [this message]
2015-09-10 13:28 ` Serge E. Hallyn
2015-09-10 13:43 ` Serge E. Hallyn
2015-09-10 13:51 ` David Drysdale
2015-09-10 14:01 ` Serge E. Hallyn
2015-09-10 14:03 ` Serge E. Hallyn
2015-09-10 14:04 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150910133543.GB27602@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=drysdale@google.com \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox