[Isolate-interest] Isolate root jail

Bernhard Fastenrath bfastenrath@mac.com
Thu, 16 Sep 2004 23:46:22 +0200

Curt Cox wrote:

>> May I suggest adding a portable root jail to the isolate API?
>>
>> The root jail could allow one to chroot(2) an isolate and/or run the
>> I/O of native subprocesses through a Java SecurityManager,
>> using a user mode filesystem mechanism.
>
> Unless I miss your intent, the most reasonable API seems to be some
> mechanism for defining an additional SecurityManager for the isolate
> being created.  The SecurityManager for the parent isolate would
> be applied first, so that an isolate can't create another with
> more privileges than it has.
>
That's a very good idea. The Isolate() constructor should allow passing
a SecurityManager to the isolate created as a child.

My suggestion goes a little further: the isolate should be able to
chroot(2) itself to a different root filesystem (create a jail
environment; see "Want to securely partition VMs? One option is to put
'em in Jail."
<http://www.acmqueue.com/modules.php?name=Content&pa=showpage&pid=170>),
and to take this even a step further, the jail could (optionally)
redirect its I/O through a Java SecurityManager by using a user mode
filesystem mechanism to redirect I/O through the Java virtual machine.
Have a look at my Java filesystem page for more information:
http://jvfs.sourceforge.net/

> This does bring up the subjects of Runtime.exec() and JNI.
> A security manager that allows either of those would allow the
> creation of an isolate with arbitrary privileges.  So the
> existence of any security restrictions would need to disallow
> the use of both in order to actually be enforced.
>
A security manager could restrict the use of Runtime.exec() to
well-known commands or put the commands into a Jail (see above). JNI
can be restricted to trusted libraries, so there's no need to prohibit
JNI altogether.

regards,
Bernhard

-- 
http://www.ikfk.de/idea.html, http://homepage.mac.com/bfastenrath/religion.html

Do not do to others what you yourself do not wish for. (Confucius, Analects, XII, 2) 551-479 BC

An hour of contemplation is better than a year of prayer. (Muhammad, Mecca, c. 570 - Medina, 632)

How to become a vegetarian: Do not delegate a task if you might consider
it unethical if done by yourself.
Why don't you slaughter an animal yourself? (This is the intention
behind kosher and halal, but people, as usual, don't get it).
(http://www.ikfk.de/vegan.html)
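Since the JSR-121 Isolate constructor never shipped in a standard JDK, this added sketch (not the poster's code and not part of the thread) shows the manager the reply above describes in a plain JVM: Runtime.exec() is limited to an allowlist of well-known commands, JNI linking to a trusted directory, and every check defers first to the creating isolate's manager, as Curt proposed, so a child can only lose privileges. It assumes a JDK that still supports SecurityManager (deprecated since JDK 17; run with -Djava.security.manager=allow on JDK 18 to 23), and the command list and /opt/jail/lib are placeholder values.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

/**
 * Restricts Runtime.exec() to an allowlist of well-known commands and JNI
 * loads to a trusted directory. Each check first defers to the parent's
 * manager, so a child isolate can only be more restricted than its creator.
 */
public class JailSecurityManager extends SecurityManager {
    private final SecurityManager parent;      // manager of the creating isolate; may be null
    private final Set<String> allowedCommands; // absolute paths of well-known commands
    private final Path trustedLibDir;          // only native libraries below here may be linked

    public JailSecurityManager(SecurityManager parent, Set<String> allowedCommands, Path trustedLibDir) {
        if (!trustedLibDir.isAbsolute()) throw new IllegalArgumentException("trustedLibDir must be absolute");
        this.parent = parent;
        this.allowedCommands = Set.copyOf(allowedCommands);
        this.trustedLibDir = trustedLibDir.normalize();
    }

    /** Invoked by ProcessBuilder.start() with the program name (cmdarray[0]). */
    @Override
    public void checkExec(String cmd) {
        if (parent != null) parent.checkExec(cmd);   // parent's policy is applied first
        if (!allowedCommands.contains(cmd)) {
            throw new SecurityException("exec of '" + cmd + "' is not a well-known command");
        }
    }

    /** Invoked by System.load()/loadLibrary() with the library path or bare name. */
    @Override
    public void checkLink(String lib) {
        if (parent != null) parent.checkLink(lib);
        Path p = Paths.get(lib).normalize();
        // A bare name from loadLibrary() is not absolute and is rejected; only
        // System.load() with an absolute path inside trustedLibDir is accepted.
        if (!p.isAbsolute() || !p.startsWith(trustedLibDir)) {
            throw new SecurityException("native library '" + lib + "' is not under " + trustedLibDir);
        }
    }

    public static void main(String[] args) throws IOException {
        System.setSecurityManager(new JailSecurityManager(System.getSecurityManager(),
                Set.of("/bin/date"), Paths.get("/opt/jail/lib")));   // placeholder policy
        Runtime.getRuntime().exec("/bin/date").destroy();             // allowed: on the list
        try {
            Runtime.getRuntime().exec("/bin/sh");                     // rejected: not listed
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```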

