bdonlan:
> And let it at the kernel stack? _BAD_ idea. It can still use
> printf/scanf to sniff your password anyway.
No, it can't, becuase it will only prompt for input through your
uploaded interface function. There are innumerable other cases where
security is greatly enhanced by ensuring that a capability may only
be used through a specific, predefined interface.
The uploaded code would be executed in the same context as the
process that uploads and calls it, and would present no security
risk in excess of the capabilities specifically granted it.
Here's how this might be implemented (keep in mind that I'm no
expert on programming, and that the viability of this scheme in no
way bears upon the viability of the general concept.)
Consider a program that needs to create temporary files; it does no
other file operations. I define a function to do it:
int create_tempfile(void)
{
/* Whatever, whatever. */
}
I configure the capabilities that this function needs:
struct capabilities caps = {
.allowed_file_operations = CREATE_FILES
};
set_capabilities(create_tempfile, &caps);
The set_capabilities() call means "the function at the specified
address shall have exactly _these_ capabilities." In this case, it
is only allowed (deal with the looseness here) to create files.
This is enforced in the following way.
asmlinkage long sys_set_capabilities(void *function, struct capabilities *caps)
{
/* Save the address, length, specified capabilities, and checksum of
"function" */
}
Now the program executes, dropping all capabilities at init time,
and calls create_tempfile(), which calls open(). In sys_open(), we
see that the program as a whole does not have the capability to
perform the operation. We then check to see if open() was called
from within one of the uploaded functions. If it was, we check to
see if that uploaded function's capabilities permit open(). If
that's true, we checksum the function code and compare it with the
saved checksum, to ensure that it has not been changed. If its
integrity is maintained, we go ahead and carry out the system call.
This is only one approach, and the overhead of verifying checksums
may make it a bad one. Copying uploaded functions to a read-only
buffer of some sort to ensure against tampering is another solution;
the constant here is that capabilities can be doled out on a
fine-grained basis to various parts of your code.
_______________________________________________
devl mailing list
[EMAIL PROTECTED]
http://hawk.freenetproject.org:8080/cgi-bin/mailman/listinfo/devl
