[cap-talk] [tahoe-dev] Fwd: Don't put capabilities in argv?

Mark Seaborn mrs at mythic-beasts.com
Sun Jul 13 05:57:00 CDT 2008


"Jonathan S. Shapiro" <shap at eros-os.com> wrote:

> Folks, this is a problem that I believe plash had to solve. Before
> re-inventing wheels, why not go check out what Mark may have already
> done to solve it?

Plash lets you not grant /proc to sandboxed processes (and not
granting is the default).  So, by default, sandboxed processes cannot
list processes or find out other processes' argvs or environment
variables; "ps" will not work, because it uses /proc.

But Plash does not make sandboxed processes any more or less private
from other Unix users than unsandboxed processes.  So other users can
still read sandboxed processes' argvs and environment variables.

Plash does not use password capabilities, so thus far it has not been
a big problem.

If it turned out to be a problem for Plash, I could change the calling
convention for execve() so that argv and environment variables are
passed via a file descriptor so that they would not be visible in
/proc.  Plash already has to wrap execve().

If Plash were to implement a ptrace()-based jail, it might be
necessary to implement execve() in user space (see
http://plash.beasts.org/wiki/UserModeExec).  In that case it would be
easy to hide argv/env because the kernel would not know an exec had
taken place.

Mark


More information about the cap-talk mailing list