author | Daniel Silverstone <dsilvers@digital-scurf.org> | 2012-07-29 15:55:41 +0100 |
---|---|---|
committer | Daniel Silverstone <dsilvers@digital-scurf.org> | 2012-07-29 15:55:41 +0100 |
commit | 340c969dabb6d666d5d052ace26c9b656b7a9126 (patch) | |
tree | 63f48eefc5f0ec3c18a7bb64481b06ad6add3384 /notes/design | |
parent | 7712b97c6ce3d0ccc4260586d7706e29d5e9a77f (diff) | |
download | supple-340c969dabb6d666d5d052ace26c9b656b7a9126.tar.gz |
SANDBOX: Enough sandboxing to get us further. Testing the wrapper is hard
Diffstat (limited to 'notes/design')
-rw-r--r-- | notes/design | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/notes/design b/notes/design index d055d1d..032f083 100644 --- a/notes/design +++ b/notes/design @@ -158,9 +158,12 @@ injected. 1. The host starts by preparing a socketpair and forking. 2. The forked process dup2()s the socketpair onto fd 0 and force-closes every FD (regardless of the likelyhood of it being open). -3. Then the forked process executes a specifically compiled lua interpreter. -4. The interpreter loads the Supple modules and then the one module so - instructed by the host. +3. Then the forked process executes a specifically compiled lua interpreter + wrapper program which prevents LUA_PATH et al being passed to the real + lua interpreter. It also sets the command line for the real interpreter + to simply be: lua -lsupple -esupple.sandbox.run() +4. The real interpreter then loads the Supple modules and starts the sandbox + process. 5. Said interpreter, if setuid(root) then 1. makes a directory owned by root 2. changes into that directory |
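Review bot: the new step 3 says the wrapper "prevents LUA_PATH et al being passed to the real lua interpreter", but the design note should spell out exactly which variables are covered and how: whether the wrapper strips a fixed list (LUA_PATH, LUA_CPATH, LUA_INIT are the ones the stock interpreter honours) or, preferably, hands the real interpreter an empty or fully allow-listed environment via an explicit envp, since a block list is only as good as its completeness. Relatedly, once LUA_PATH is gone, `lua -lsupple -esupple.sandbox.run()` depends on the interpreter finding the supple module through whatever path is compiled into the "specifically compiled lua interpreter"; stating that here would make the sandbox's trust boundary clear. The rewritten step 4 also drops the old text about loading "the one module so instructed by the host", so the note no longer says where or how the host-chosen module is loaded; add a sentence pointing at the step (presumably inside supple.sandbox.run) where that now happens. Minor: "likelyhood" in the unchanged step 2 should be "likelihood" if this file is touched again.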