On Sat, 12 Nov 2011 05:04:56 +0200 Ali Polatel <[email protected]> wrote:
> Please discuss!
Ok, what I'd like to see from a sandboxy thing:

Realistically, we can't protect against malicious build systems. Our target should be stupid or buggy build systems that mess around with things on /. That's still a very wide goal, since there are lots of ways to screw up, but it does mean that if a process can circumvent sandboxing in some deliberate way then it's not a huge problem.

We need to be able to protect against writes to the filesystem outside of a particular set of 'safe' places.

We need to be able to extend those 'safe' places on a case by case basis. This may or may not need to be something that can be done from within an exheres.

We need to be able to get fatal errors for violations.

It might be useful to be able to just deny certain writes with an EPERM or equivalent.

We'd like to be able to do something about networking, both incoming and outgoing. This is a bit of a tricky one, since processes seem to like to talk to localhost in weird and wonderful ways. Also, users seem to do horrible things with distcc etc.

Regarding "long" paths: maybe we could just make long paths die by default, and then provide exhereses that need it some way of saying "don't check long paths" instead?

-- 
Ciaran McCreesh
_______________________________________________ Exherbo-dev mailing list [email protected] http://lists.exherbo.org/mailman/listinfo/exherbo-dev
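The write policy sketched in the message above (allowed 'safe' places that can be extended per package, violations that are fatal, some writes merely refused with EPERM, and long paths that die by default unless a package opts out) as an added, constructed model; this is not code from the Exherbo project or from any existing sandbox, and the prefixes, the PATH_MAX value and the class names are assumptions made for illustration:

```python
import errno
import os

PATH_MAX = 4096  # assumed limit used for the "long path" check

# Constructed defaults; a real build sandbox would derive these from the build
# directory and image directory of the package being built.
DEFAULT_SAFE_PREFIXES = ("/tmp", "/var/tmp")


class WriteVerdict:
    ALLOW = "allow"        # inside a safe place, let the write through
    DENY_EPERM = "eperm"   # refuse with EPERM, the build carries on
    FATAL = "fatal"        # violation, the build should die


class Sandbox:
    def __init__(self, safe_prefixes=DEFAULT_SAFE_PREFIXES,
                 soft_deny_prefixes=(), check_long_paths=True):
        self.safe = [os.path.normpath(p) for p in safe_prefixes]
        self.soft = [os.path.normpath(p) for p in soft_deny_prefixes]
        self.check_long_paths = check_long_paths  # an exheres may switch this off

    def allow_write(self, prefix):
        """Extend the safe places case by case (e.g. from within a recipe)."""
        self.safe.append(os.path.normpath(prefix))

    @staticmethod
    def _under(path, prefix):
        # Match whole path components so that /tmpfoo is not "under" /tmp.
        return path == prefix or path.startswith(prefix.rstrip("/") + "/")

    def classify(self, path, cwd="/"):
        """Return (verdict, errno) for an attempted write to `path`."""
        # Resolve relative paths and normalise first, so that "../" segments
        # cannot walk out of a safe place and fool the prefix check.
        if not os.path.isabs(path):
            path = os.path.join(cwd, path)
        path = os.path.normpath(path)
        if self.check_long_paths and len(path) >= PATH_MAX:
            return WriteVerdict.FATAL, errno.ENAMETOOLONG
        if any(self._under(path, p) for p in self.safe):
            return WriteVerdict.ALLOW, 0
        if any(self._under(path, p) for p in self.soft):
            return WriteVerdict.DENY_EPERM, errno.EPERM
        return WriteVerdict.FATAL, errno.EPERM
```

The model deliberately does not resolve symlinks; an enforcing sandbox that intercepts the syscalls would have to canonicalise the path as the kernel sees it, otherwise a symlink inside a safe place can point anywhere.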
