[Isolate-interest] Isolate root jail
Bernhard Fastenrath
bfastenrath@mac.com
Fri, 17 Sep 2004 01:31:43 +0200
Mikolaj Habryn wrote:
>On Fri, 2004-09-17 at 07:46, Bernhard Fastenrath wrote:
>
>
>>My suggestion goes a little further: The isolate should be able to
>>chroot(2) itself to a different
>>root filesystem (create a jail environment: Want to securely partition
>>VMs? One option is to put 'em in Jail.)
>>
>>
>
>Isn't this a little too platform specific? If this becomes a
>specification item you're going to have a hard time delivering compliant
>isolates on anything that isn't POSIX or UNIX (which is most of the
>world).
>
>
Yes, cygwin does support chroot but NT does not natively support it.
I imagine IBM's virtual machine based operating systems would
not have a problem supporting this feature. The main problem seems
to be NT here. Maybe an additional driver in the filesystem stack
could enable NT to support this feature? A chroot driver would
have to distinguish processes that are chroot()ed and reject access
by chroot()ed processes to files outside their jail. At least it sounds
rather simple. The same driver would allow intercepting open() calls
and optionally read/write calls.
A different approach could be to modify the access rights of the Isolate
and restrict access to a filesystem which is tightly integrated with the VM
itself. NT supports fine-grained access control, so it might be possible to
just deny all file I/O except for the virtual filesystem presented by
the VM.
>If someone is in a position to guarantee that their code will only ever
>run on UNIX/POSIX platforms, then they can supply appropriate
>sub-classes that will chroot, redirect I/O, pop up useful dialog boxes
>or perform whatever additional operations their chosen platform will
>support.
>
>
--
http://www.ikfk.de/idea.html, http://homepage.mac.com/bfastenrath/religion.html
What you do not wish for yourself, do not do to others either. (Confucius, Analects, XII, 2) 551-479 BC
An hour of contemplation is better than a year of prayer. (Muhammad, Mecca, c. 570 - Medina, 632)
How to become a vegetarian: Do not delegate a task if you might consider
it unethical if done by yourself.
Why don't you slaughter an animal yourself? (This is the intention
behind kosher and halal, but people, as usual, don't get it).
(http://www.ikfk.de/vegan.html)
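A lexical path-containment check of the kind the proposed "chroot driver" would have to apply to every open() from a jailed process, as an added example that is not from this thread (the jail root and sample paths are constructed). It resolves "." and ".." and then tests whether the result still lies under the jail root; the comment notes why a real driver must check the final resolved name rather than the lexical path.

```c
/* Added example, not from the thread: lexical containment check a filesystem
 * filter driver could run on each open() from a jailed process. Caveat: symlinks
 * defeat a purely lexical check, so a real driver must test the resolved name. */
#include <stdio.h>
#include <string.h>

#define MAXSEG 64

/* Normalise an absolute path into components, resolving "." and "..".
 * Returns the component count, or -1 if the path is relative or too long. */
static int split_normalised(const char *path, char segs[MAXSEG][256]) {
    if (path[0] != '/') return -1;
    int n = 0;
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;            /* skip slashes, including doubled ones */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n > 0) n--;               /* ".." at the root stays at the root */
            continue;
        }
        if (n == MAXSEG || len >= 256) return -1;
        memcpy(segs[n], start, len);
        segs[n][len] = '\0';
        n++;
    }
    return n;
}

/* Returns 1 if 'path' lies inside 'jail' after normalisation, 0 otherwise. */
int jail_allows(const char *jail, const char *path) {
    char js[MAXSEG][256], ps[MAXSEG][256];
    int jn = split_normalised(jail, js);
    int pn = split_normalised(path, ps);
    if (jn < 0 || pn < 0 || pn < jn) return 0;
    for (int i = 0; i < jn; i++)          /* every jail component must match */
        if (strcmp(js[i], ps[i]) != 0) return 0;
    return 1;
}

int main(void) {
    const char *jail = "/srv/jail";       /* constructed sample jail root */
    const char *t[] = { "/srv/jail/etc/passwd", "/srv/jail/../etc/passwd",
                        "/srv/jail/a/./../b", "/srv/jailx/file" };
    for (size_t i = 0; i < sizeof t / sizeof *t; i++)
        printf("%-26s -> %s\n", t[i], jail_allows(jail, t[i]) ? "allow" : "deny");
    return 0;
}
```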