From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Sun, 4 Jan 2009 00:58:30 -0500 From: Nathaniel W Filardo To: lucio@proxima.alt.za, Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Message-ID: <20090104055830.GI8355@masters10.cs.jhu.edu> References: <20090103235716.GG8355@masters10.cs.jhu.edu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="yzvKDKJiLNESc64M" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.18 (2008-05-17) Subject: Re: [9fans] sendfd() on native Plan 9? Topicbox-Message-UUID: 775db5ac-ead4-11e9-9d60-3106f5b1d025 --yzvKDKJiLNESc64M Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Jan 04, 2009 at 07:19:35AM +0200, lucio@proxima.alt.za wrote: > > '#p' > > allows any of my namespaces to debug processess in any other, '#s' is t= oo > > global, and /net seems to allow any of my processes to manipulate any o= f my > > other processes' network connections (though I've not tested in detail = to > > see what's possible.) >=20 > So you're saying that (a) a jailed process should not have access to > the #-devices at all and (b) their equivalent /proc, /srv and /net > ought to be configured as part of the jail and should not be > modifiable. Sounds about right. I'd say that they can be modifiable if new capabilities are sendfd()'d into the namespace, but yes. =20 > Plan 9 source often short-circuits the possibility that #-something is > not bound to the conventional place (#v comes to mind as a frequent > culprit) but that is a form of laziness that could be corrected by a > careful source audit. In which case it would be possible to treat #X > as another of those security issues that needed special treatment for > Factotum and have a kernel request that puts the #-space out of > bounds. Elsewhere in a different thread, eric grepped for explicit uses of #X paths and found very few. See <3598a04c733942f7f010ad61d83a8bc2@quanstro.net>. =20 > Would that satisfy your requirements? Oh, sure, I haven't ever used > #| directly and I'm a bit ignorant of consequences, but the rest seems > feasible. I suspect #| being an exception wouldn't hurt, though it might be viewed as a historical wart, being the only one... could #| be made to operate more like devdup and given a canonical mountpoint? > Another aspect I noticed is that what you seem to need is a > finer-grained construction of #p and #s, but being able to construct > them one layer further down the hierarchy might suffice. "one layer further down the hierarchy" ? > Just an uneducated opinion, I've had little occasion to study those > specific devices or the others in any detail. But I am curious of > where this discussion could lead. I too. --nwf; --yzvKDKJiLNESc64M Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAklgUAYACgkQTeQabvr9Tc8v3gCcDbp+6xpjM3NDU9Whj81nDyQ6 tL0AnjhUQ0WAm67MsYEWbaj3GqzZnVaw =Vykq -----END PGP SIGNATURE----- --yzvKDKJiLNESc64M--