path: root/notes/arena_opaque_objs.txt
blob: 834d5bdb4a21137762ebe74f0cbb30e85d227efe (plain)

Arenas and opaque objects
=========================

Can opaque objects be passed to sub-arenas at all?

    OpaqueObject obj = new
    obj.initialize  other_obj other2 other3
    arena obj
        Other o = obj.other_obj
    end

This could leak capabilities into the sub-arena. The runtime cannot enumerate
the references an opaque object holds, so when obj is passed in it cannot check
that other_obj (or anything else reachable through obj) is something the
sub-arena is allowed to hold; whatever obj was initialized with is smuggled
past the arena boundary.

It also makes seccomp/sandboxing very hard, possibly impossible. The sandbox
rules for an arena have to be derived from the resources the runtime knows the
arena can reach. If objects can hold references to other objects that the
runtime doesn't know about, there is no way to tell which sandbox rules to add.
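The two points above (the reference leak and the sandbox rules that cannot be
derived), as an added example in Python. This is not SLUL code and not part of
the project; the type names, the Arena/leaked/visible_caps API, the _blob field
standing in for an opaque object's hidden state, and the SYSCALLS_FOR table are
all assumptions made for the illustration.

```python
"""Added example, not SLUL code: why an opaque object defeats arena confinement.

Names are assumptions. A Capability is an unforgeable reference to something
outside the program. A Transparent object has fields the runtime can
enumerate. An Opaque object keeps its references in a blob the runtime cannot
walk (_blob stands in for that hidden state). An Arena is entered with an
explicit allow-set and confined by walking everything reachable from the
objects passed in."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Capability:
    name: str  # e.g. "file:/etc/hosts", "net:dns"

@dataclass
class Transparent:
    fields: dict = field(default_factory=dict)

@dataclass
class Opaque:
    _blob: tuple = field(default_factory=tuple)

class OpaqueReference(Exception):
    """The confinement walk met an object whose references it cannot list."""

def _walk(obj, inspect_opaque, seen):
    if id(obj) in seen:  # cycles are fine, visit each object once
        return set()
    seen.add(id(obj))
    if isinstance(obj, Capability):
        return {obj}
    if isinstance(obj, Transparent):
        children = obj.fields.values()
    elif isinstance(obj, Opaque):
        if not inspect_opaque:
            raise OpaqueReference("cannot enumerate references inside an opaque object")
        children = obj._blob
    else:
        return set()
    caps = set()
    for child in children:
        caps |= _walk(child, inspect_opaque, seen)
    return caps

def reachable_caps(obj):
    """What the runtime can see: capabilities reachable via transparent structure."""
    return _walk(obj, inspect_opaque=False, seen=set())

def true_caps(obj):
    """Ground truth for the demo only; a real runtime has no such function."""
    return _walk(obj, inspect_opaque=True, seen=set())

class Arena:
    def __init__(self, allowed, trust_opaque=False):
        self.allowed = frozenset(allowed)
        self.trust_opaque = trust_opaque  # admit opaque objects unchecked?

    def visible_caps(self, obj):
        try:
            return reachable_caps(obj)
        except OpaqueReference:
            if not self.trust_opaque:
                raise
            return set()  # the runtime sees nothing, so it flags nothing

    def leaked(self, obj):
        """Capabilities obj would carry into the arena that are not allowed."""
        return self.visible_caps(obj) - self.allowed

# Sandbox side: syscall rules derived from the capability kinds the runtime
# can see. Constructed table, not a real seccomp profile.
SYSCALLS_FOR = {
    "file": {"openat", "read", "close"},
    "net": {"socket", "connect", "sendto", "recvfrom"},
}

def seccomp_allowlist(caps):
    rules = set()
    for cap in caps:
        rules |= SYSCALLS_FOR[cap.name.split(":", 1)[0]]
    return rules

def demo():
    hosts, dns = Capability("file:/etc/hosts"), Capability("net:dns")
    # Everything transparent: the walk finds the smuggled dns capability.
    transparent = Transparent({"other_obj": hosts, "other2": Transparent({"sock": dns})})
    caught = Arena({hosts}).leaked(transparent)
    # The same references hidden inside an opaque object.
    opaque = Opaque(_blob=(hosts, Transparent({"sock": dns})))
    try:
        Arena({hosts}).leaked(opaque)
        strict_rejects = False
    except OpaqueReference:
        strict_rejects = True
    permissive = Arena({hosts}, trust_opaque=True)
    missed = permissive.leaked(opaque)   # empty: nothing visible to flag
    carried = true_caps(opaque)          # {hosts, dns}: what really got in
    # Rules derived from what is visible omit the socket calls dns needs.
    rules = seccomp_allowlist(permissive.visible_caps(opaque) | permissive.allowed)
    return dict(caught=caught, strict_rejects=strict_rejects, missed=missed,
                carried=carried, rules=rules)
```

The strict Arena is the only one that stays sound: it refuses the opaque
object at the boundary because it cannot prove what the object carries. The
permissive Arena reports no leak and derives a seccomp allowlist without any
socket calls, while the object really does carry a DNS capability into the
sub-arena; that gap is the "which rules to add?" problem from the note.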


Related issue: LD_PRELOAD. A preloaded library takes precedence in dynamic
symbol resolution, so it can replace any dynamically resolved call with code
and references the runtime did not account for. That would have to be handled
by the loader, which would have to read some SLUL-specific attributes from the
preloaded library. Or perhaps any calls overridden by an LD_PRELOAD'ed library
should go via a separate, unsandboxed process. (Or maybe LD_PRELOAD shouldn't
be supported at all? Does it make sense if SLUL doesn't use libc? Or maybe the
presence of LD_PRELOAD could force it to use libc?) There are possibly similar
issues for DNS, if name resolution is "overridden" by libc (e.g. NIS).