[Isolate-interest] Isolate root jail

Bernhard Fastenrath bfastenrath@mac.com
Fri, 17 Sep 2004 00:38:22 +0200



Bernhard Fastenrath wrote:

> Curt Cox wrote:
>
>>> May I suggest adding a portable root jail to the isolate API?
>>>
>>> The root jail could allow an isolate to chroot(2) and/or run the
>>> I/O of native subprocesses through a Java SecurityManager,
>>> using a user mode filesystem mechanism.
>>
>> Unless I miss your intent, the most reasonable API seems to be some
>> mechanism for defining an additional SecurityManager for the isolate
>> being created.  The SecurityManager for the parent isolate would
>> be applied first, so that an isolate can't create another with
>> more privileges than it has.
>
> That's a very good idea. The Isolate() constructor should allow a
> SecurityManager to be passed to the isolate created as a child.
>
> My suggestion goes a little further: the isolate should be able to
> chroot(2) itself to a different root filesystem (create a jail
> environment: Want to securely partition VMs? One option is to put
> 'em in Jail.
> <http://www.acmqueue.com/modules.php?name=Content&pa=showpage&pid=170>)
> and, to take this even a step further, the jail could (optionally)
> redirect its I/O through a Java SecurityManager by using a user mode
> filesystem mechanism to redirect I/O through the Java virtual machine.
> Have a look at my Java filesystem page for more information:
> http://jvfs.sourceforge.net/

If this mechanism were implemented, an open(2) kernel call made by the
native binary would be interceptable by the SecurityManager in the Java VM.
Read/write calls to native files would be interceptable by the
SecurityManager, and resource usage of a native binary could be monitored
by the SecurityManager.

To fully exploit a mechanism like that, it would be useful to allow the
Java virtual machine to implement its own virtual mount points and make
these mount points visible to the native binary: the virtual machine would
be able to present a java.nio.channels.Pipe
<http://java.sun.com/j2se/1.4.2/docs/api/java/nio/channels/Pipe.html>
or a java.nio.ByteBuffer
<http://java.sun.com/j2se/1.4.2/docs/api/java/nio/ByteBuffer.html> as a
file in the filesystem of the jailed native binary.

-- 
http://www.ikfk.de/idea.html, http://homepage.mac.com/bfastenrath/religion.html

Was du selbst nicht wuenschst, das tue auch anderen nicht an. (Konfuzius, Gespraeche, XII, 2) 551-479 BC

An hour of contemplation is better than a year of prayer. (Muhammad, La Mecque, vers 570 - Medine, 632)

How to become a vegetarian: Do not delegate a task if you might consider
it unethical if done by yourself.
Why don't you slaughter an animal yourself? (This is the intention
behind kosher and halal, but people, as usual, don't get it).
(http://www.ikfk.de/vegan.html)
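The message above proposes two things: Curt Cox's rule that a child isolate's SecurityManager is applied after the parent's, so a child can never be granted more than its parent, and a chroot(2)-style jail whose file I/O is checked through that manager. The following is an added example, not code from the original message, from the Isolate API (JSR 121) or from JVFS. It composes two managers against the plain java.lang.SecurityManager API and adds a lexical jail-path mapping; the class names ComposedSecurityManager and JailSecurityManager, the /jail root and the sample paths are assumptions for illustration. Note that SecurityManager has been deprecated for removal since Java 17 (JEP 411), so this compiles and runs as a demonstration of the composition logic but is not a mechanism to build on in current JDKs.

```java
import java.io.FilePermission;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;
import java.security.Permissions;

/**
 * Added example (not from the original message or the Isolate API):
 * a manager for a child isolate that consults the parent isolate's
 * manager first and then its own, stricter policy. The composed result
 * can therefore never be more permissive than the parent's manager.
 */
public class ComposedSecurityManager extends SecurityManager {
    private final SecurityManager parent;
    private final SecurityManager child;

    public ComposedSecurityManager(SecurityManager parent, SecurityManager child) {
        this.parent = parent;
        this.child = child;
    }

    public void checkPermission(Permission perm) {
        // Parent first: a denial here is final whatever the child policy says.
        if (parent != null) {
            parent.checkPermission(perm);
        }
        // Then the child's own restrictions, which can only narrow the grant.
        child.checkPermission(perm);
    }

    public void checkPermission(Permission perm, Object context) {
        if (parent != null) {
            parent.checkPermission(perm, context);
        }
        child.checkPermission(perm, context);
    }

    /** Child policy (assumed name): file access confined to one directory tree. */
    public static final class JailSecurityManager extends SecurityManager {
        private final Path root;
        private final Permissions granted = new Permissions();

        public JailSecurityManager(String jailRoot) {
            this.root = Paths.get(jailRoot).toAbsolutePath().normalize();
            // "<root>/-" covers everything below the jail directory.
            granted.add(new FilePermission(root.toString() + "/-", "read,write"));
            granted.add(new FilePermission(root.toString(), "read"));
        }

        /** Map a path as seen inside the jail to the host path it may touch. */
        public Path resolveInJail(String jailedPath) {
            // Normalize as an absolute path first so "../.." cannot climb above "/".
            Path rel = Paths.get("/", jailedPath).normalize();
            Path host = root.resolve(rel.toString().substring(1)).normalize();
            if (!host.startsWith(root)) {
                throw new SecurityException("path escapes jail: " + jailedPath);
            }
            return host;
        }

        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission && !granted.implies(perm)) {
                throw new SecurityException("denied by jail policy: " + perm);
            }
            // Anything that is not a file permission is left to the parent manager.
        }

        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    public static void main(String[] args) {
        // Stand-in for the parent isolate's manager: grants everything, so any
        // denial seen below comes from the child's jail policy alone.
        SecurityManager permissiveParent = new SecurityManager() {
            public void checkPermission(Permission perm) { }
            public void checkPermission(Permission perm, Object ctx) { }
        };
        JailSecurityManager jail = new JailSecurityManager("/jail");
        SecurityManager sm = new ComposedSecurityManager(permissiveParent, jail);

        sm.checkPermission(new FilePermission("/jail/etc/hosts", "read")); // inside the jail: allowed
        try {
            sm.checkPermission(new FilePermission("/etc/shadow", "read"));
            throw new AssertionError("access outside the jail should have been denied");
        } catch (SecurityException expected) {
            System.out.println(expected.getMessage());
        }
        // A traversal attempt from inside the jail is clamped to the jail root.
        System.out.println(jail.resolveInJail("/etc/../../../etc/passwd"));
    }
}
```

Two caveats for anyone taking this further: the path mapping is purely lexical, so a symlink inside the jail that points outside it is not caught here and still needs the kernel's chroot(2) (or a user mode filesystem that resolves paths itself); and the manager only sees operations that are routed through it, which is exactly why the message asks for native open(2)/read/write calls to be redirected through the JVM rather than checked from Java code alone.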

