--
You received this message because you are subscribed to the Google Groups "Cap'n Proto" group.
To unsubscribe from this group and stop receiving emails from it, send an email to capnproto+...@googlegroups.com.
Visit this group at http://groups.google.com/group/capnproto.
--
It would seem that kj I/O bits could be cleanly extended to support this? DatagramReceiver already supports receiving AncillaryMessages; adding write and read support to an AsyncUnix{Input,Output,Io}Stream wouldn't touch anything else.
So I'm kind of stuck here and unsure how to proceed. If I saw a good proposal I might agree to it.
--
You received this message because you are subscribed to the Google Groups "Cap'n Proto" group.
To unsubscribe from this group and stop receiving emails from it, send an email to capnproto+unsubscribe@googlegroups.com.
Just to chime in here: Capsicum is another context where FD transfer
over IPC is needed, and it would be nice to be able to do that with
Cap'n Proto.
> Note that FD passing should be opt-in on the TwoPartyVatNetwork. For
> Sandstorm, we wont want apps to be able to pass FDs to each other as I
> believe there are some sandbox breakouts possible if you have apps in
> independent sandboxes colluding and sharing FDs. (Andy knows more about
> this.)
This shouldn't theoretically be a problem for Capsicum capability FDs,
given that the kernel polices what operations are allowed on the FD
according to the rights associated with it.
But I'd be interested to know the details about the sandbox breakouts
you mention, to confirm that practice matches theory...
For one example, consider two processes in separate chroot environments. If they can pass file descriptors to each other, both processes can escape their chroots. The kernel implements chroot by storing, for each process, the root inode for that process, and comparing against it when performing filesystem ops. Unfortunately, an open file descriptor does not contain information about the chroot environment in which it was opened. When sent to another process, the receiving process now has a file descriptor for a file outside of its own chroot, and can freely walk the directory tree all the way up to the filesystem's real physical root.
big enough buffer. Stack space is sort of free.I think it's reasonable to just decide on some a priori max and pass a
If you're willing to treat the transport as a pseudo-packet transport rather than a stream you can just pass a large CMSG buffer and you'll only get the fds attached to the message as sent. (If I can remember my experimentation correctly) SCM_RIGHTS messages make the stream act a bit like a packet transport.
It may or may not be worth making this explicit by using a SOCK_SEQPACKET transport.
imposes a "beneath-only" behaviour on openat(2) (and disables open(2)), soI think Capsicum capability directory FDs should be safe here -- Capsicum
paths with ".." or leading "/" are rejected.
[I've also made this behaviour accessible via a new O_BENEATH flag
to openat(2), as it's potentially useful for things other than Capsicum;
current patch suggestion at https://lkml.org/lkml/2015/3/9/407]
On Tue, Mar 10, 2015 at 1:50 AM, 'David Drysdale' via Cap'n Proto <capn...@googlegroups.com> wrote:imposes a "beneath-only" behaviour on openat(2) (and disables open(2)), soI think Capsicum capability directory FDs should be safe here -- Capsicum
paths with ".." or leading "/" are rejected.
[I've also made this behaviour accessible via a new O_BENEATH flag
to openat(2), as it's potentially useful for things other than Capsicum;
current patch suggestion at https://lkml.org/lkml/2015/3/9/407]This is awesome. FWIW, O_BENEATH seems like it is generally useful for preventing path injection attacks.
E.g. various web servers have at various points been vulnerable to using ".." to cause them to serve arbitrary files from the file system. This is something I've had to deal with many times myself, by painstakingly filtering paths for "..", etc. Might be worth mentioning in the man page.
-Kenton
--
You received this message because you are subscribed to the Google Groups "Cap'n Proto" group.
To unsubscribe from this group and stop receiving emails from it, send an email to capnproto+...@googlegroups.com.
On Tue, Mar 10, 2015 at 6:30 PM, Kenton Varda <ken...@sandstorm.io> wrote:On Tue, Mar 10, 2015 at 1:50 AM, 'David Drysdale' via Cap'n Proto <capn...@googlegroups.com> wrote:imposes a "beneath-only" behaviour on openat(2) (and disables open(2)), soI think Capsicum capability directory FDs should be safe here -- Capsicum
paths with ".." or leading "/" are rejected.
[I've also made this behaviour accessible via a new O_BENEATH flag
to openat(2), as it's potentially useful for things other than Capsicum;
current patch suggestion at https://lkml.org/lkml/2015/3/9/407]This is awesome. FWIW, O_BENEATH seems like it is generally useful for preventing path injection attacks.Thanks; feel free to join in on the LKML and indicate support for the idea!
OK, I'm coming around on this.I do suspect you're not the only one who is going to want to ferry around GPU contexts in this way. Anyone wanting to build a Sandstorm-like sandbox for desktop or mobile apps -- with a Cap'n Proto connection being the only way the app talks to the world -- is likely to need something like this.I guess that trying to abstract over Win32 is not going to work so well, because the model for transferring handles is totally different there -- it requires that at least one of the two processes involved has complete power over the other, it seems. Not capability-like at all.
--
You received this message because you are subscribed to the Google Groups "Cap'n Proto" group.
To unsubscribe from this group and stop receiving emails from it, send an email to capnproto+...@googlegroups.com.