l4-hurd

Re: setuid vs. EROS constructor


From: Michal Suchanek
Subject: Re: setuid vs. EROS constructor
Date: Mon, 24 Oct 2005 15:01:25 +0200

On 10/24/05, Bas Wijnen <address@hidden> wrote:
> On Mon, Oct 17, 2005 at 08:53:19AM -0400, Jonathan S. Shapiro wrote:
> > On Mon, 2005-10-17 at 11:17 +0200, Bas Wijnen wrote:
> > > This doesn't seem to be true.  I thought all capabilities would be endpoints,
> > > but (at least in EROS) they aren't.  With the scheme I described here, it
> > > would not be possible to guarantee confinement of xmms, because it needs a
> > > high priority scheduling capability.
> >
> > As long as this scheduling capability is authorized, it does not violate
> > confinement.
>
> The scheme I described didn't support authorization, it either gets external
> capabilities, or it doesn't.  The confinement check you described (which is
> used in EROS) is much more flexible than that, and that seems very useful.
>
> > >   If we don't want to give this capability
> > > to the user, xmms will be "setcapabilities" to achieve this, which will make
> > > the check fail.
> >
> > Yes, although we can use the extended "authorized holes" check to let
> > this pass.
>
> That would still need a trusted constructor, which is not something I planned.
> I was just claiming that the scheme I described sucks, and you seem to respond
> that all those problems don't occur with EROS constructors.  I already knew
> that. ;-)
>
> > > For some reason I don't like the constructor approach though.  I would
> > > prefer it if the default way of starting a new process would be to just do
> > > it directly.  I don't really know why I prefer that, and it seems to
> > > prevent good things to happen.  So it may not be a good idea.
> >
> > I don't know how, in principle, to start a process more directly.
>
> - Allocate some pages.
> - Fill them with code.
> - Ask the task server to make it a new process.

Here is the constructor:

/me points to the task server

The fact that it is weak and does not provide much guarantee does not
make the process creation more direct in my eyes.

Thanks

Michal Suchanek

--
             Support the freedom of music!
Maybe it's a weird genre  ..  but weird is *not* illegal.
Maybe next time they will send a special forces commando
to your picnic .. because they think you are weird.
 www.music-versus-guns.org  http://en.policejnistat.cz
