Re: [9fans] unmount - Charles Forsyth

9fans - fans of the OS Plan 9 from Bell Labs
 help / color / mirror / Atom feed

From: Charles Forsyth <charles.forsyth@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] unmount
Date: Tue,  1 Dec 2015 17:06:44 +0000	[thread overview]
Message-ID: <CAOw7k5iUfcn_3F4HfM9FaTjVbjgmpm3qPsRCsfAHb=u3ybbgLA@mail.gmail.com> (raw)
In-Reply-To: <491F5E4C-E68D-44A5-81A5-1C6BC5E8DC96@ar.aichi-u.ac.jp>

[-- Attachment #1: Type: text/plain, Size: 1447 bytes --]

On 1 December 2015 at 03:24, arisawa <arisawa@ar.aichi-u.ac.jp> wrote:

> current kernel allows unmount even if after rfork m.
> this feature makes sandboxing difficult.
> can anyone explain this feature is necessary?
>

For some applications, similar to ftp or http, I've built a name space
somewhere and then bound that to /.
As you say, that doesn't allow code to run that could unmount that binding.

The approach to encapsulate arbitrary code is similar to newns, perhaps
even using it:
to build a new name space from scratch (#/) that has just what's needed in
it,
prevent new # names from being bound into it using the rfork option, and
then the application can still rearrange
it using bind and unmount but can't escape.

One problem with the existing implementation is that the granularity of
some name space components is
too large. For instance, #p for /proc reveals the names and read-only data,
even if a process can't operate on them;
there's a special little hack to restrict "none", but it's not as clean as
it could be.
Another problem is that the set of # names allowed after RFNOMNT is built
in to the kernel.
There are several ways that could be improved, either through new
interfaces (eg, Roger Peppe's "attach files")
or new services to manage the existing scheme.
I think encapsulation through computable name spaces also ought to be
usable recursively, whereas RFNOMNT is either on or off.

[-- Attachment #2: Type: text/html, Size: 2255 bytes --]

next prev parent reply	other threads:[~2015-12-01 17:06 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-12-01  3:24 arisawa
2015-12-01  9:39 ` arisawa
2015-12-01 17:06 ` Charles Forsyth [this message]
  -- strict thread matches above, loose matches on Subject: below --
2003-02-24 19:51 rog
2003-02-24 20:08 ` rob pike, esq.

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAOw7k5iUfcn_3F4HfM9FaTjVbjgmpm3qPsRCsfAHb=u3ybbgLA@mail.gmail.com' \
    --to=charles.forsyth@gmail.com \
    --cc=9fans@9fans.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).