Message-ID: <6D0CAE9C3EDDCF15EF90F526821E14E6@smtp.pobox.com>
To: 9front@9front.org
Date: Sat, 28 May 2022 12:23:59 -0700
From: unobe@cpan.org
Subject: Re: [9front] git: use new /dev/drivers for privdrop
List-ID: <9front.9front.org>

In general, how does one restrict computation/process limitations? I am admittedly ignorant, so if anyone has docs for me to read instead of replying that what I want to do is already solved or is a waste of time I'd appreciate it.

I see proc(3) describes each process's status file as containing the user, amount of memory, and scheduling priority. So for unnecessary churn and limiting fork bombs, is the idea to have a monitor that watches the interested values (e.g. memory or number of processes) for a user, and kill if a certain amount has been reached?

For example, say I want a sandboxing area for people to "try 9front". With moody's recent work, it removes a big attack vector by restricting certain drivers. But isn't it still possible to fork-bomb a server, or to just cause unnecessary churn (i.e., computation), or just open too many files, or fill a disk?

To address the "fill a disk" scenario, I assume the best thing is to create a temporary disk that is used by the process which is provided to the test user--they'll only have so much space to work with. If there's no space to allocate for the new temporary disk, it's easy enough to stop the process from starting. Disk-resizing would be neat, but I don't care about that to start.

Quoth ori@eigenstate.org:
> This needs to be held off for a bit, but it seems
> like a good idea: we shouldn't need any devices at
> all for this code, so let's not keep them.
>
> ddiff 01a6de812c2fd38c9a28036300e3c2c7dc8441f5 uncommitted
> --- a/sys/src/cmd/git/serve.c
> +++ b/sys/src/cmd/git/serve.c
> @@ -5,7 +5,7 @@ > > #include "git.h" > > -char *pathpfx = nil; > +char *pathpfx = "/"; > int allowwrite; > > int > @@ -469,6 +469,22 @@ > return 0; > } > > +void > +privdrop(void) > +{ > + int fd; > + > + if(rfork(RFNAMEG) == -1) > + sysfatal("rfork: %r"); > + if((fd = open("#c/drivers", OWRITE)) == -1) > + sysfatal("open drivers: %r"); > + if(bind(pathpfx, "/", MREPL) == -1) > + sysfatal("bind: %r"); > + if(write(fd, "chdev &", strlen("chdev &")) == -1) > + sysfatal("drop permissions: %r"); > + close(fd); > +} > + > char* > parsecmd(char *buf, char *cmd, int ncmd) > { > @@ -518,15 +534,8 @@ > }ARGEND; > > gitinit(); > + privdrop(); > interactive = 0; > - if(rfork(RFNAMEG) == -1) > - sysfatal("rfork: %r"); > - if(pathpfx != nil){ > - if(bind(pathpfx, "/", MREPL) == -1) > - sysfatal("bind: %r"); > - } > - if(rfork(RFNOMNT) == -1) > - sysfatal("rfork: %r"); > > initconn(&c, 0, 1); > if(readpkt(&c, buf, sizeof(buf)) == -1) >
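Review bot: in the first hunk, changing the pathpfx default from nil to "/" is what lets privdrop() bind unconditionally, but it also means a serve started with no prefix now does bind("/", "/", MREPL) on its own root. If that is the intent (so the old `if(pathpfx != nil)` guard can go), a one-line comment on the declaration saying that "/" stands for "no prefix; bind the root over itself" would stop the next reader from treating the self-bind as a bug.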
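Review bot: in the privdrop() hunk, nothing reinstates the rfork(RFNOMNT) that the third hunk removes, so after the function returns the name space is replaced and "chdev &" has been written, but the noattach flag the old code relied on is gone. If the intent is that "chdev &" (no devices left, as the message says) also covers later mount and bind of new file servers, a comment above the write(fd, "chdev &", ...) should say so, because a reader of the old code will see RFNOMNT gone and assume mounts are still open; if it does not cover them, keeping rfork(RFNOMNT) after the bind costs one line. The ordering inside the function is right as written: "#c/drivers" is opened before the bind and the device mask is written last, so the fd is in hand before the process loses the ability to reach the driver.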
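Review bot: the third hunk moves the name-space setup out of main and calls privdrop() right after gitinit(), before initconn(&c, 0, 1) and the first readpkt; the behavioural change that deserves a sentence in the commit message and in git/serve's manual page is that, where the old code only cut off new mounts with RFNOMNT, the process now also loses every kernel device, so anything the request handlers need from a device has to be obtained before privdrop() returns. The ordering works because fds 0 and 1 handed to initconn are already open and gitinit() runs first; if gitinit() or a later handler ever needs to open a device path, that will now fail with a confusing error rather than a permission message, so the comment should name privdrop() as the boundary.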
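The monitor the question sketches, written out as an added rc example (not code from this thread or from 9front): it polls /proc/n/status, which proc(3) lays out as process name, owner, state, six times, memory in KB, base priority and priority, and writes kill to the ctl file of any process owned by the sandbox user that exceeds a per-process memory limit, or of all of that user's processes when their count exceeds a ceiling. The script name proclimit, the argument order and the one-second poll interval are this example's own choices; it assumes it runs as the host owner, since only the owner of a process or the host owner may write its ctl file.

```rc
#!/bin/rc
# Added example, not from the thread: a polling resource monitor of the
# kind the question describes. Field layout of /proc/n/status taken from
# proc(3): name, user, state, six times, memory in KB, basepri, pri.
# Usage (assumed): proclimit sandboxuser maxkb maxprocs
rfork e
if(! ~ $#* 3){
	echo usage: proclimit user maxkb maxprocs >[1=2]
	exit usage
}
user=$1
maxkb=$2
maxprocs=$3
while(){
	mine=()
	for(p in /proc/[0-9]*){
		# a process may exit between the glob and the read; ignore the error
		st=`{cat $p/status >[2]/dev/null}
		# twelve whitespace-separated fields: $st(2) is the owner,
		# $st(10) is the memory size in KB
		if(~ $#st 12 && ~ $st(2) $user){
			mine=($mine $p)
			if(test $st(10) -gt $maxkb){
				echo $p: $st(1) uses $st(10) KB, over $maxkb >[1=2]
				echo kill >$p/ctl
			}
		}
	}
	# per-user process ceiling: one knob against a fork bomb
	if(test $#mine -gt $maxprocs){
		echo $user has $#mine processes, over $maxprocs: killing them all >[1=2]
		for(p in $mine)
			echo kill >$p/ctl >[2]/dev/null
	}
	sleep 1
}
```

Two caveats a practitioner would want: a polling monitor is racy against a fast fork bomb, because children are created faster than a one-second sweep can read and kill them, so the process ceiling limits damage rather than preventing it; and the memory figure is per process, so a user spreading allocation across many small processes is caught only by the count check, which is why both limits are applied in the same sweep.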