> I've been thinking about how to run un-trusted code,
> without having to audit every line, or use some sort of sandbox,
> and was wondering if Parrot could provide a Mandatory Access
> Control mechanism (ala SE Linux/Flask).

I think that this is a great idea.

> When assembling Parrot, the assembler could either look in a
> file or a perl BEGIN type block containing a list of access
> requests along the lines of:
>
> syscall time
> read-write directory /tmp
> listen socket 80
> connect socket 25
> read-write file /etc/shadow

Wouldn't it also help to add a chroot layer? In my mind, /etc/passwd should not even _exist_ to untrusted code. It should be chrooted to its own dir.

Yes, I realize that one can conceivably break out of a chroot, but this should be made really hard.

Fred Ollinger
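
An added example, not part of the thread and not Parrot code: a default-deny check built from the access-request list quoted above, showing why path requests must be normalised before they are compared with a grant. The names `canon`, `parse_manifest`, `allowed` and the request kind `"path"` are hypothetical. It assumes that "read-write" means read plus write and that a directory grant covers its whole subtree.

```python
import posixpath

# Access-request list quoted in the message above.
MANIFEST = """\
syscall time
read-write directory /tmp
listen socket 80
connect socket 25
read-write file /etc/shadow
"""

def canon(path):
    """Lexically normalise an absolute path ('..' and '//' collapsed)."""
    if not path.startswith("/"):
        raise ValueError(f"not an absolute path: {path!r}")
    return "/" + posixpath.normpath(path).lstrip("/")

def parse_manifest(text):
    """Turn the manifest into a set of (action, kind, target) grants."""
    grants = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 2:            # e.g. "syscall time"
            action, kind, target = "call", fields[0], fields[1]
        elif len(fields) == 3:          # e.g. "listen socket 80"
            action, kind, target = fields
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        if kind in ("file", "directory"):
            target = canon(target)
        for act in action.split("-"):   # assumption: read-write = read + write
            grants.add((act, kind, target))
    return grants

def allowed(grants, action, kind, target):
    """Default deny: True only if the manifest grants this exact access."""
    if kind != "path":
        return (action, kind, str(target)) in grants
    try:
        path = canon(target)
    except ValueError:
        return False                    # relative paths are refused
    if (action, "file", path) in grants:
        return True
    while True:                         # assumption: directory grant covers subtree
        if (action, "directory", path) in grants:
            return True
        if path == "/":
            return False
        path = posixpath.dirname(path)
```

The path matching here is purely lexical and does not resolve symlinks, so it complements the chroot layer raised in the reply rather than replacing it.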