On Fri, 28 Sep 2001, Dan Sugalski wrote:

> *) Some opcodes will just not be available depending on the
> characteristics you assign to the interpreter. File opens might be
> forbidden, or code loading, or socket ops, or something. Settable as
> needed by the interpreter creating the compartment.

Why are files and sockets directly in the bytecode format instead of being classes that only happen to be written in C?

> I won't claim it'll be bullet-proof--as long as you can call out to C code
> it's ultimately unsafe--but we'll do our best to make sure things are as
> secure as a bunch of non-security folks can make it.

As long as you can put a fence on which C plugins may be loaded, you have a chance to be safe. When a ".so" is required, check that it's on a list of .so's that are allowed by the sandbox config. The security of individual C plugins would be rated by people depending on whether they do I/O at all and what means are taken to make it feasible (and as easy as possible) to control what is done with them.

________________________________________________________________
Mathieu Bouchard http://hostname.2y.net/~matju
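The allowlist check the reply above proposes, as an added C example that is not part of the original thread or of Parrot; the plugin paths in `sandbox_allowed_so` are constructed sample values, and `sandbox_may_load_so` is a hypothetical name for the hook the loader would call before `dlopen()`:

```c
#include <stdbool.h>
#include <string.h>

/* Constructed sample sandbox configuration: the only shared objects this
 * compartment may load, listed by absolute canonical path. */
static const char *const sandbox_allowed_so[] = {
    "/usr/lib/parrot/plugins/string_ops.so",
    "/usr/lib/parrot/plugins/math_ops.so",
    NULL
};

/* Accept only an absolute path in canonical form: no "." or ".." components
 * and no empty components. A bare name would otherwise be resolved by
 * dlopen() through its own search path, and "../" would walk out of the
 * plugin directory, so both are rejected before the list is consulted. */
static bool so_path_is_canonical(const char *path)
{
    if (path == NULL || path[0] != '/')
        return false;
    const char *p = path + 1;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)               /* "//", trailing "/", or "/" alone */
            return false;
        if ((len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return false;
        if (end == NULL)
            return true;
        p = end + 1;
    }
}

/* The check run when bytecode requires a ".so": the request is granted
 * only if the path is canonical and appears verbatim on the allowlist. */
bool sandbox_may_load_so(const char *path, const char *const *allowlist)
{
    if (!so_path_is_canonical(path))
        return false;
    for (const char *const *a = allowlist; *a != NULL; a++) {
        if (strcmp(*a, path) == 0)
            return true;
    }
    return false;
}
```

Because the list names paths rather than file contents, a real loader should also resolve symlinks (for example with `realpath()`) before comparing, and keep the plugin directory writable only by the administrator.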
