l4-hurd


Re: setuid vs. EROS constructor


From: Jonathan S. Shapiro
Subject: Re: setuid vs. EROS constructor
Date: Mon, 24 Oct 2005 22:29:21 -0400

On Mon, 2005-10-24 at 23:25 +0200, Bas Wijnen wrote:
> On Mon, Oct 24, 2005 at 04:00:05PM -0400, Jonathan S. Shapiro wrote:
> > The predictor needs access to the file system to make its prediction,
> > and this is *precisely* the access that we must not give it! Even
> > disclosing the *names* of my files to the hostile code must not occur.
> 
> This is where confinement comes in.  Since constructors can guarantee this, we
> can know that the predictor cannot communicate with anyone, in particular with
> the program it predicts for.  We give it read only access to the whole file
> system, and simply ignore everything it does except the prediction.

It doesn't work. Even if the file system is read-only, the files
themselves are not. Remember that in a persistent system many entities
named in the directory space are actually processes. The kernel has no
way to enforce the read-only restriction for IPCs to those processes,
because it does not know what they do.


shap
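An added illustrative model of the point shap makes above, written for this page; it is not EROS or Hurd code and uses no real EROS interfaces. It assumes two kinds of objects a confined predictor might hold "read-only" capabilities to: a passive file served by the kernel (reads are plain copies, nobody observes them) and a directory entry that is really a server process (every read is an IPC the server sees). The confined code never writes anything, yet it leaks the names it saw by choosing read offsets; the sample file names are constructed for the example. The class and function names are this example's own.

```python
"""Model of confinement vs. process-backed 'files' (illustrative only).

Assumption: the predictor is confined and may only *read*. Whether that
restriction means anything depends on what is behind the capability.
"""

from dataclasses import dataclass, field


class PassiveFile:
    """A file the kernel serves itself: read() copies bytes, nothing observes it."""

    def __init__(self, data: bytes):
        self._data = data

    def read(self, offset: int, length: int) -> bytes:
        return self._data[offset:offset + length]


@dataclass
class ProcessBackedFile:
    """A directory entry that is actually a server process.

    It answers reads like a file, and its contents are never modified,
    but as a process it sees every request it receives. The kernel cannot
    tell what the server does with that request stream.
    """

    data: bytes
    requests: list = field(default_factory=list)  # what the server observes

    def read(self, offset: int, length: int) -> bytes:
        self.requests.append((offset, length))
        return self.data[offset:offset + length]


def confined_predictor(secret_names, capabilities):
    """Runs inside the confinement boundary.

    It holds only read capabilities and returns only a 'prediction', which
    the caller ignores except for its value. It still encodes the file
    names it saw into the *pattern* of reads it issues.
    """
    payload = ",".join(secret_names).encode()
    for cap in capabilities:
        for byte in payload:
            cap.read(byte, 1)  # offset = byte value; looks like an ordinary read
    return "prediction"


def server_decodes(server: ProcessBackedFile):
    """Runs outside confinement, in the server process: recovers the names
    from the read offsets alone. No file content was ever written."""
    raw = bytes(offset for offset, _ in server.requests)
    return raw.decode().split(",")


def demo():
    """Constructed scenario: the same predictor reads two 'files'.

    Returns (names recovered by the server, whether the server's data is
    unchanged), showing the leak happened through a read-only capability.
    """
    secret_names = ["tax-2005.xls", "diary.txt"]  # constructed sample data
    kernel_file = PassiveFile(b"\x00" * 256)
    server_file = ProcessBackedFile(b"\x00" * 256)
    original = server_file.data

    confined_predictor(secret_names, [kernel_file, server_file])

    # The kernel-served file has no record of anything; the server has it all.
    recovered = server_decodes(server_file)
    return recovered, server_file.data == original


if __name__ == "__main__":
    names, unchanged = demo()
    print("server recovered:", names, "| data unchanged:", unchanged)
```

The passive file gives the server nothing, because there is no server; the process-backed file leaks the whole list even though its bytes never change. That is why read-only access to a directory tree in which entries may be processes is not the same as confinement: the restriction the kernel can enforce is on the capability, not on what the process behind it does with the IPC.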





