Date: Sun, 4 Jan 2009 01:10:45 -0500
From: Nathaniel W Filardo
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Message-ID: <20090104061045.GJ8355@masters10.cs.jhu.edu>
In-Reply-To: <4ecea8373f0b5925f40b657039695591@quanstro.net>
Subject: Re: [9fans] sendfd() on native Plan 9?

On Sun, Jan 04, 2009 at 12:48:08AM -0500, erik quanstrom wrote:
> > > '#p'
> > > allows any of my namespaces to debug processes in any other, '#s' is too
> > > global, and /net seems to allow any of my processes to manipulate any of my
> > > other processes' network connections (though I've not tested in detail to
> > > see what's possible.)
> >
> > So you're saying that (a) a jailed process should not have access to
> > the #-devices at all and (b) their equivalent /proc, /srv and /net
> > ought to be configured as part of the jail and should not be
> > modifiable.
>
> there is no special exception for #s, #I or #l. these cases are handled
> already.

RFNOMNT has been brought up repeatedly and, while it's certainly better
than nothing, it is too harsh! It simultaneously:

-> restricts access to kernel devices via # paths
-> prevents any and all additional mount requests.

Constructing a namespace without RFNOMNT that does not have #s (say)
bound is not really securing #s (and its other consumers) against that
namespace's actions.
Constructing a namespace with RFNOMNT and without #s bound does at least
two bad things:

-> it makes it impossible to pass fds around between processes in this
   namespace, as there is now no /srv backing.
-> it prohibits import of additional resources.

The claim is that it might be useful to have namespaces where the mount
table remained open to additional mounts (etc.) but for which the magic
shortcut and proxy circumvention mechanism of #X was not available.

--nwf;
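As an added illustration (not code from the thread or from Plan 9 itself), a Plan 9 rc script that exercises the three combinations the message contrasts. It assumes the conventional namespace in which '#s' is bound on /srv and the root file server's channel is posted as /srv/boot; it only reads those and every namespace change is confined to a subshell.

```rc
#!/bin/rc
# Added example, not taken from the thread. Each case runs in its own
# subshell (@{ ... }) so its rfork affects only that child. Assumes the
# usual setup: '#s' bound on /srv, root file server posted as /srv/boot.

# Case 1: private namespace, no RFNOMNT, /srv unmounted. Hiding the
# conventional path controls nothing: the '#s' shortcut still works
# and the binding can simply be recreated by the confined process.
@{
	rfork n
	unmount /srv >[2]/dev/null
	ls '#s' >/dev/null && echo 'case 1: #s still reachable via the device shortcut'
	bind '#s' /srv && echo 'case 1: and /srv can be rebound at will'
}

# Case 2: private namespace plus RFNOMNT, /srv left bound. The shortcut
# and any further mount are refused, but what was bound beforehand keeps
# working, so posting fds through /srv is still possible.
@{
	rfork nm
	ls '#s' >[2]/dev/null || echo 'case 2: #s refused'
	mount /srv/boot /n >[2]/dev/null || echo 'case 2: further mount refused'
	ls /srv >/dev/null && echo 'case 2: pre-existing /srv still usable'
}

# Case 3: RFNOMNT applied after /srv was unmounted. This is the "too
# harsh" combination from the message: the shortcut cannot be bound
# back, nothing can be imported, and there is no /srv to pass fds through.
@{
	rfork n
	unmount /srv >[2]/dev/null
	rfork m
	bind '#s' /srv >[2]/dev/null || echo 'case 3: #s cannot be bound back'
	mount /srv/boot /n >[2]/dev/null || echo 'case 3: /srv/boot gone, nothing can be re-imported'
}
```

Run it as an ordinary user; nothing is created under /srv and the parent shell's namespace is untouched.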