Sebastien Marie wrote:

> Just a remark about "proc" request. It won't allow calling exec(2), but
> only fork(2) (and some others, see the man page for details).
> 
> exec(2) is really special for a tamed program: allowing it could
> defeat the purpose of tame.
> 

I'm trying to understand tame(2) and in my mind the purpose of tame(2) is to 
allow/restrict potentially dangerous operations within a single program. The 
way you describe it, it seems exec(2) is unconditionally disallowed.

> in the hypothetical case of exec(2) with tame(2):
>   - if an exec'ed program starts with TAME flags cleared: it could do
>     what it wants. so even if your process is tamed, it could potentially
>     permit all things. that is bad.
> 

Assume you have a bad program1 and you write your tame(2)-ed program2 that 
disallows execution of program1. But you also have to use my un-tame(2)-ed 
program3 that allows execution of program1. How does your tame(2)-ed 
program2 protect you now against executing program1? You still risk 
executing it by using program3.

What you describe, to me, sounds more like you need some kind of system-wide 
policy that restricts the behaviour of bad program1 without depending on 
whether individual programs that may call it are tame(2)-ed or not. 
tame(2)-ing all individual programs in the system, including third-party 
software, to disallow the execution of bad program1 seems like an almost 
impossible task. Besides, if all programs are tame(2)-ed, does that 
mean that no program will be able to call any other program anymore?

So unconditionally disallowing exec(2) for the purpose of avoiding bad 
programs being run seems somewhat pointless to me. I don't think the attack 
surface of those bad programs goes away, but maybe it's less visible.

I don't really understand why exec(2) is treated differently from other 
potentially dangerous operations. I think it has a legitimate use.
(I'd like to use it as "exec + whitelist of permitted 'trusted' programs")

>   - if an exec'ed program starts with inherited TAME flags: the
>     initialisation of the program would be difficult as it would be
>     already tamed.
> 

I see each program as a different entity, each having different tame(2)-ing 
requirements. I'm not sure tame(2) inheritance is very useful from that 
point of view.

The main reason for running another program is probably because some 
functionality is needed that is not offered by the currently running program.
I don't really see why the child program would need the same tame(2) 
requirements, or a subset thereof. (maybe there are cases where this applies, 
but I don't see a general usefulness)

Please correct me if I'm wrong, but I see tame(2) as a means to reduce the 
attack surface of the program it is used in, not as a tool to reduce the 
attack surface of another program it knows nothing about.
