[jeremy@sour.sw.oz.au (Jeremy Fitzhardinge) writes:]
>I suppose what I'm really saying is "I still don't really understand
>VSTa's permission/id system yet".  Can you easily set up a filesystem
>or part of a tree so that that is the entire universe as far as
>one group of programs is concerned?  It doesn't really matter if
>they can tell they're in a restricted domain, so long as they can't
>get out.
One idea I've toyed with is adding a bitmask to the system calls and another
bitmask to the process.  A process could only invoke system calls if
((proc->p_mask & s->s_mask) != 0).
For your scenario, the msg_connect() system call should be disabled.  The
process could then walk down current mount points, but could not access new
servers.  Other possibilities are disabling fork()/tfork()/clone() (perhaps
a couple others).  This would create an execution environment in which a
process could serve requests but not much else.
I see such restrictions as being mostly voluntary.  A server would set up
the minimal environment needed and then cut off its ability to access
further resources.  This would control damage in the event of a process
being compromised due to malicious access.
                                                Andy
Received on Tue Mar 14 08:59:06 1995
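The mask scheme Andy sketches, written out as an added illustration (not VSTa code, and not from the original post): a table of system calls each tagged with an `s_mask`, a per-process `p_mask`, the `(proc->p_mask & s->s_mask) != 0` check, and a drop operation that can only clear bits, so a server that walls itself in after setup cannot be talked back out of it. The capability classes, the `syscall_entry` table and the `msg_send`/`msg_receive` names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed capability classes; VSTa itself defines no such constants. */
enum {
    MASK_CONNECT = 1u << 0,   /* msg_connect(): reach new servers       */
    MASK_SPAWN   = 1u << 1,   /* fork()/tfork()/clone()                  */
    MASK_MSG     = 1u << 2,   /* send/receive on ports already open      */
    MASK_ALL     = MASK_CONNECT | MASK_SPAWN | MASK_MSG
};

struct syscall_entry { const char *name; uint32_t s_mask; };
struct proc { uint32_t p_mask; };

/* Each call carries the classes that may invoke it (table is assumed). */
static const struct syscall_entry syscalls[] = {
    { "msg_connect", MASK_CONNECT },
    { "fork",        MASK_SPAWN   },
    { "tfork",       MASK_SPAWN   },
    { "clone",       MASK_SPAWN   },
    { "msg_send",    MASK_MSG     },
    { "msg_receive", MASK_MSG     },
};

/* The check from the post: permitted iff the two masks share a bit.
   Calls not in the table are denied rather than silently allowed. */
static bool syscall_allowed(const struct proc *p, const char *name) {
    for (size_t i = 0; i < sizeof syscalls / sizeof syscalls[0]; i++)
        if (strcmp(syscalls[i].name, name) == 0)
            return (p->p_mask & syscalls[i].s_mask) != 0;
    return false;
}

/* Voluntary restriction is only safe if it is one-way: a process may
   clear bits from its own mask but there is no call that sets them,
   so a later compromise cannot regain what was given up. */
static void drop_mask(struct proc *p, uint32_t bits) {
    p->p_mask &= ~bits;
}

/* The scenario in the post: connect to what is needed, then cut off
   msg_connect and the fork family, leaving only service on open ports. */
static void server_lockdown(struct proc *p) {
    drop_mask(p, MASK_CONNECT | MASK_SPAWN);
}

/* Runs the full sequence for a fresh process and reports the result. */
static bool allowed_after_lockdown(const char *name) {
    struct proc p = { MASK_ALL };
    server_lockdown(&p);
    return syscall_allowed(&p, name);
}
```

After `server_lockdown`, `p_mask` holds only `MASK_MSG`, so the process can still serve requests on its existing ports but can neither reach a new server nor spawn.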