--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-di...@googlegroups.com.
To post to this group, send email to native-cli...@googlegroups.com.
Visit this group at http://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.
Yes! I am interested. Pretty swamped right now, but this would make a $dayjob project much more straightforward, so I'll be getting to it soon. I'll familiarize myself with the code, but in the meantime what should I know/look at first?
Also, LD_PRELOAD is fine of course, but reduces discoverability and configurability of the feature a bit - why not a command line option as well, out of curiosity?
You received this message because you are subscribed to a topic in the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/native-client-discuss/5UFlj0e5fvw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to native-client-di...@googlegroups.com.
Yes! I am interested. Pretty swamped right now, but this would make a $dayjob project much more straightforward, so I'll be getting to it soon. I'll familiarize myself with the code, but in the meantime what should I know/look at first?
Also, LD_PRELOAD is fine of course, but reduces discoverability and configurability of the feature a bit - why not a command line option as well, out of curiosity?
Hey folks,I'm trying to execute some untrusted Python code safely, and I thought NaCl could help. I'm not in the context of a browser or anything.I downloaded naclports and built Python from that repo. I can definitely run Python from NaCl:[GCC 4.4.3 20141204 (Native Client r14191, Git Commit 7faaabb9f10e6dcae5f2b799da43e236e65cda95)] on naclUnfortunately, every invocation I can find with NaCl to start Python through sel_ldr passes the "-a" option, which is really confusing to me. I definitely don't want the "-a" option, but I do want to be able to provide the Python standard library to Python inside of NaCl.With sel_ldr, how can I provide file tree additions to the virtual filesystem inside NaCl?
I'd love to be able to point sel_ldr at some folder and make it its root (either via copying or chrooting or who knows).
"-a" is labeled as not very safe (allows arbitrary filesystem access in addition to "other" syscalls), so I'd either rather not use it for untrusted code, or have my notions that it is unsafe disabused.
On Fri, Jun 12, 2015 at 7:20 AM 'JF Bastien' via Native-Client-Discuss <native-cli...@googlegroups.com> wrote:On Fri, Jun 12, 2015 at 3:09 PM, JT Olds <jto...@xnet5.com> wrote:Yes! I am interested. Pretty swamped right now, but this would make a $dayjob project much more straightforward, so I'll be getting to it soon. I'll familiarize myself with the code, but in the meantime what should I know/look at first?
Also, LD_PRELOAD is fine of course, but reduces discoverability and configurability of the feature a bit - why not a command line option as well, out of curiosity?
I suggest looking at the sel_ldr code, and then proposing a design on this mailing list. I have no preference for how this should work, besides being easily testable and secure.Okay! Finally starting to get to this. I take it by filesystem.c you meant sys_filename.c.
I'm a bit puzzled about the Native Client codebase - I only see the NACL_sys_open (for example) syscall registered once via grepping (in service_runtime/nacl_syscall_list.c) in the entire codebase, and it's registered to sys_filename.c's NaClSysOpen, which checks if NaClAclBypassChecks is set (the -a option to sel_ldr) and bails if it isn't. This must mean nexes running in Chromium have a different syscall registration table in some other codebase (maybe the Chromium codebase?
I'm afraid to check it out), and NaClSysOpen's job is solely for the sel_ldr commandline program and is not at all used in browser. Is that true? Just trying to figure out how wide the scope is of some of these files.Should I be posting these kinds of questions somewhere else?
I'm a bit puzzled about the Native Client codebase - I only see the NACL_sys_open (for example) syscall registered once via grepping (in service_runtime/nacl_syscall_list.c) in the entire codebase, and it's registered to sys_filename.c's NaClSysOpen, which checks if NaClAclBypassChecks is set (the -a option to sel_ldr) and bails if it isn't. This must mean nexes running in Chromium have a different syscall registration table in some other codebase (maybe the Chromium codebase?No, the same set of syscalls is registered whether NaCl is running inside Chromium or in standalone sel_ldr. That is why NaClSysOpen checks the NaClAclBypassChecks flag -- because the open() syscall is always registered, but it disables itself by default in Chromium and in sel_ldr.
I actually intend to change that so that syscalls are registered conditionally. The idea would be to make it easier to switch out sys_filename.c, at runtime, for another implementation that implements restricted file access.
On Tue, Jun 23, 2015 at 5:10 PM Mark Seaborn <msea...@chromium.org> wrote:I'm a bit puzzled about the Native Client codebase - I only see the NACL_sys_open (for example) syscall registered once via grepping (in service_runtime/nacl_syscall_list.c) in the entire codebase, and it's registered to sys_filename.c's NaClSysOpen, which checks if NaClAclBypassChecks is set (the -a option to sel_ldr) and bails if it isn't. This must mean nexes running in Chromium have a different syscall registration table in some other codebase (maybe the Chromium codebase?No, the same set of syscalls is registered whether NaCl is running inside Chromium or in standalone sel_ldr. That is why NaClSysOpen checks the NaClAclBypassChecks flag -- because the open() syscall is always registered, but it disables itself by default in Chromium and in sel_ldr.Huh! Okay, so that's a bit confusing. You're saying that there's no working file open syscall in browser mode? How does https://naclports.storage.googleapis.com/builds/pepper_41/trunk-176-g9b9e342/publish/devenv/pnacl/app/bash.html work?
I actually intend to change that so that syscalls are registered conditionally. The idea would be to make it easier to switch out sys_filename.c, at runtime, for another implementation that implements restricted file access.Oh! Yeah, I'm trying to add configuration for an implementation that restricts file access myself. Definitely don't want to step on any toes.
On 23 June 2015 at 17:11, JT Olds <jto...@xnet5.com> wrote:On Tue, Jun 23, 2015 at 5:10 PM Mark Seaborn <msea...@chromium.org> wrote:I'm a bit puzzled about the Native Client codebase - I only see the NACL_sys_open (for example) syscall registered once via grepping (in service_runtime/nacl_syscall_list.c) in the entire codebase, and it's registered to sys_filename.c's NaClSysOpen, which checks if NaClAclBypassChecks is set (the -a option to sel_ldr) and bails if it isn't. This must mean nexes running in Chromium have a different syscall registration table in some other codebase (maybe the Chromium codebase?No, the same set of syscalls is registered whether NaCl is running inside Chromium or in standalone sel_ldr. That is why NaClSysOpen checks the NaClAclBypassChecks flag -- because the open() syscall is always registered, but it disables itself by default in Chromium and in sel_ldr.Huh! Okay, so that's a bit confusing. You're saying that there's no working file open syscall in browser mode? How does https://naclports.storage.googleapis.com/builds/pepper_41/trunk-176-g9b9e342/publish/devenv/pnacl/app/bash.html work?That uses the "nacl_io" library, which overrides open() and implements it in user code.
On Wed, Jun 24, 2015 at 5:10 AM, JT Olds <jto...@xnet5.com> wrote:On Tue, Jun 23, 2015 at 6:17 PM Mark Seaborn <msea...@chromium.org> wrote:On 23 June 2015 at 17:11, JT Olds <jto...@xnet5.com> wrote:On Tue, Jun 23, 2015 at 5:10 PM Mark Seaborn <msea...@chromium.org> wrote:I'm a bit puzzled about the Native Client codebase - I only see the NACL_sys_open (for example) syscall registered once via grepping (in service_runtime/nacl_syscall_list.c) in the entire codebase, and it's registered to sys_filename.c's NaClSysOpen, which checks if NaClAclBypassChecks is set (the -a option to sel_ldr) and bails if it isn't. This must mean nexes running in Chromium have a different syscall registration table in some other codebase (maybe the Chromium codebase?No, the same set of syscalls is registered whether NaCl is running inside Chromium or in standalone sel_ldr. That is why NaClSysOpen checks the NaClAclBypassChecks flag -- because the open() syscall is always registered, but it disables itself by default in Chromium and in sel_ldr.Huh! Okay, so that's a bit confusing. You're saying that there's no working file open syscall in browser mode? How does https://naclports.storage.googleapis.com/builds/pepper_41/trunk-176-g9b9e342/publish/devenv/pnacl/app/bash.html work?That uses the "nacl_io" library, which overrides open() and implements it in user code.Ohhh interesting, okay. My initial goal was to run the naclports Python standalone without passing the "-a" option (so it can access the stdlib files but is otherwise safe). Is it possible to use nacl_io without a browser and sel_ldr for this purpose?No. Yes. Maybe. Confused yet? You should be.nacl_io does not implements open() from the thin air, it emulates it on top of PPAPI and sel_ldr does not provide PPAPI. Which is "no" part of the answer.However there are exist another wrapper for sel_ldr called sel_universal which implements some (but not all!) PPAPI interfaces. That's "yes" part of the answer.
This is a somewhat-frequent request, which nobody has taken the time to tackle. The solution the NaCl team had discussed for this was to change sel_ldr to default to its current filesystem.c's implementation, or (if provided on the command-line) use a .so which overrides this behavior with your own filters.
On Wed, Jun 24, 2015 at 9:21 AM, JT Olds <jto...@xnet5.com> wrote:On Fri, Jun 12, 2015 at 1:47 AM 'JF Bastien' via Native-Client-Discuss <native-cli...@googlegroups.com> wrote:This is a somewhat-frequent request, which nobody has taken the time to tackle. The solution the NaCl team had discussed for this was to change sel_ldr to default to its current filesystem.c's implementation, or (if provided on the command-line) use a .so which overrides this behavior with your own filters.Working on a patch to add this, but I have some questions about loading shared object portability.Would a patch make it through review that added dlopen/dlsym calls directly, or will this break Windows builds? Would it be better to try and add a platform-specific layer, or only conditionally compile in the pluggable filesystem filter module on POSIX?Could you provide more details of how you suggest doing this? Maybe in a Google doc, which would make it easier to get a clear picture without reading this entire thread.
On 24 June 2015 at 10:22, JT Olds <jto...@xnet5.com> wrote:On Wed, Jun 24, 2015 at 10:29 AM 'JF Bastien' via Native-Client-Discuss <native-cli...@googlegroups.com> wrote:On Wed, Jun 24, 2015 at 9:21 AM, JT Olds <jto...@xnet5.com> wrote:On Fri, Jun 12, 2015 at 1:47 AM 'JF Bastien' via Native-Client-Discuss <native-cli...@googlegroups.com> wrote:This is a somewhat-frequent request, which nobody has taken the time to tackle. The solution the NaCl team had discussed for this was to change sel_ldr to default to its current filesystem.c's implementation, or (if provided on the command-line) use a .so which overrides this behavior with your own filters.Working on a patch to add this, but I have some questions about loading shared object portability.Would a patch make it through review that added dlopen/dlsym calls directly, or will this break Windows builds? Would it be better to try and add a platform-specific layer, or only conditionally compile in the pluggable filesystem filter module on POSIX?Could you provide more details of how you suggest doing this? Maybe in a Google doc, which would make it easier to get a clear picture without reading this entire thread.Good idea. Here you go!I'm not usually a C developer, nor have I ever written a dlopen plugin system before, so I probably have no idea what I'm doing from a design perspective. So please take a very critical look at this - definitely interested in learning.Are you interested in having a restricted file access mode in the stock version of sel_ldr? If so, I don't think we need dynamically-loadable plugins for that. If the functionality is fairly simple and generic, I would be happy to put the functionality directly into the NaCl codebase and statically link it into sel_ldr, and add some new command line options to sel_ldr.
Would that work for you? What command line options would you want for granting access to files? Would the functionality you want be fairly general-purpose, or do you envisage needing some app-specific rules?
Otherwise, if you want to have more complex rules for open() etc., I would recommend building a custom version of sel_ldr, similar to how sel_ldr_seccomp is built. sel_ldr_seccomp is a version of sel_ldr that uses a Seccomp-BPF-based outer sandbox on Linux for extra security (see src/trusted/seccomp_bpf/). It uses a hook for enabling the Seccomp-BPF sandbox after startup. We could add similar hooks for replacing syscall implementations. When we build sel_ldr_seccomp, we're basically treating the NaCl runtime as a library that can be embedded.
I have already prepared a design document for the restricted filesystem access. Please feel free to comment on the document if there is anything you feel is missing.https://docs.google.com/a/chromium.org/document/d/1q4LNB0hdA0H7vYmYuClRICZHYZoxXX9LPKjnSf2Kqng/edit?usp=sharingWe currently don't have any timeline for when this'll be implemented. Is this something you would like to work on?
It should be accessible now.
On Wed, Jun 24, 2015 at 3:05 PM Mark Seaborn <msea...@chromium.org> wrote:On 24 June 2015 at 10:22, JT Olds <jto...@xnet5.com> wrote:On Wed, Jun 24, 2015 at 10:29 AM 'JF Bastien' via Native-Client-Discuss <native-cli...@googlegroups.com> wrote:On Wed, Jun 24, 2015 at 9:21 AM, JT Olds <jto...@xnet5.com> wrote:On Fri, Jun 12, 2015 at 1:47 AM 'JF Bastien' via Native-Client-Discuss <native-cli...@googlegroups.com> wrote:This is a somewhat-frequent request, which nobody has taken the time to tackle. The solution the NaCl team had discussed for this was to change sel_ldr to default to its current filesystem.c's implementation, or (if provided on the command-line) use a .so which overrides this behavior with your own filters.Working on a patch to add this, but I have some questions about loading shared object portability.Would a patch make it through review that added dlopen/dlsym calls directly, or will this break Windows builds? Would it be better to try and add a platform-specific layer, or only conditionally compile in the pluggable filesystem filter module on POSIX?Could you provide more details of how you suggest doing this? Maybe in a Google doc, which would make it easier to get a clear picture without reading this entire thread.Good idea. Here you go!I'm not usually a C developer, nor have I ever written a dlopen plugin system before, so I probably have no idea what I'm doing from a design perspective. So please take a very critical look at this - definitely interested in learning.Are you interested in having a restricted file access mode in the stock version of sel_ldr? If so, I don't think we need dynamically-loadable plugins for that. If the functionality is fairly simple and generic, I would be happy to put the functionality directly into the NaCl codebase and statically link it into sel_ldr, and add some new command line options to sel_ldr.Oh alright, we can do that too. The plugin approach was suggested by JF Bastien, and it seemed pretty reasonable to me.
Would that work for you? What command line options would you want for granting access to files? Would the functionality you want be fairly general-purpose, or do you envisage needing some app-specific rules?I think we could get by with some simple options. I would envision something like-d <path> If provided, allows restricted filesystem access as if <path> was the new root folder. Does not allow access to files outside of <path>.
It seems like it would be nice to have further configurability about which subfolders are read only and which subfolders are read/write. So, just thinking while typing, perhaps `-d` by default causes everything to be read only, and you can supply zero or more subfolders to be read/write with another flag?
On 24 June 2015 at 14:14, JT Olds <jto...@xnet5.com> wrote:On Wed, Jun 24, 2015 at 3:05 PM Mark Seaborn <msea...@chromium.org> wrote:On 24 June 2015 at 10:22, JT Olds <jto...@xnet5.com> wrote:On Wed, Jun 24, 2015 at 10:29 AM 'JF Bastien' via Native-Client-Discuss <native-cli...@googlegroups.com> wrote:On Wed, Jun 24, 2015 at 9:21 AM, JT Olds <jto...@xnet5.com> wrote:On Fri, Jun 12, 2015 at 1:47 AM 'JF Bastien' via Native-Client-Discuss <native-cli...@googlegroups.com> wrote:This is a somewhat-frequent request, which nobody has taken the time to tackle. The solution the NaCl team had discussed for this was to change sel_ldr to default to its current filesystem.c's implementation, or (if provided on the command-line) use a .so which overrides this behavior with your own filters.Working on a patch to add this, but I have some questions about loading shared object portability.Would a patch make it through review that added dlopen/dlsym calls directly, or will this break Windows builds? Would it be better to try and add a platform-specific layer, or only conditionally compile in the pluggable filesystem filter module on POSIX?Could you provide more details of how you suggest doing this? Maybe in a Google doc, which would make it easier to get a clear picture without reading this entire thread.Good idea. Here you go!I'm not usually a C developer, nor have I ever written a dlopen plugin system before, so I probably have no idea what I'm doing from a design perspective. So please take a very critical look at this - definitely interested in learning.Are you interested in having a restricted file access mode in the stock version of sel_ldr? If so, I don't think we need dynamically-loadable plugins for that. If the functionality is fairly simple and generic, I would be happy to put the functionality directly into the NaCl codebase and statically link it into sel_ldr, and add some new command line options to sel_ldr.Oh alright, we can do that too. The plugin approach was suggested by JF Bastien, and it seemed pretty reasonable to me.I talked to JF, and I think he thought I wanted dynamically-loadable extensions, though that wasn't actually the case. :-) If you have dynamically-loadable extensions, it raises questions such as what interface sel_ldr exports to the extension, and whether you try to make that interface a stable ABI. Having dynamically-loadable extensions is strictly more complicated than statically-linkable extensions, and I'd rather make sure we can do the latter well first.Would that work for you? What command line options would you want for granting access to files? Would the functionality you want be fairly general-purpose, or do you envisage needing some app-specific rules?I think we could get by with some simple options. I would envision something like-d <path> If provided, allows restricted filesystem access as if <path> was the new root folder. Does not allow access to files outside of <path>.That sounds good to me. I'd be happy to review a change that implements that.sel_ldr already has an option called "-d", so you'd have to pick another option name. You could potentially use a long option (i.e. like "--foo") -- sel_main.c uses getopt_long(), though currently only on Linux.
Do you have any requirements about symlinks? Symlinks pose some awkward problems, so in a first version it would be easiest to disallow creating symlinks.
It seems like it would be nice to have further configurability about which subfolders are read only and which subfolders are read/write. So, just thinking while typing, perhaps `-d` by default causes everything to be read only, and you can supply zero or more subfolders to be read/write with another flag?That sounds OK too.
--Cheers,Mark
You received this message because you are subscribed to a topic in the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/native-client-discuss/5UFlj0e5fvw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to native-client-di...@googlegroups.com.
On Wed, Jun 24, 2015 at 3:52 PM Petr Hosek <pho...@google.com> wrote:It should be accessible now.Looks like I don't have comment access, but I have two comments so I'll comment here.First, I think taking the lead from other systems (Docker) for the UX is a great impulse, but in this case it will unnecessarily complicate the implementation to have to keep track of what is essentially a virtual file system with path mappings and mount points. Simply using an interface similar to chroot (instead of Docker's -v), in conjunction with users using bind mounts where appropriate,
will give 100% of the functionality with a much, much simpler implementation (add a path prefix to all cleaned paths). I earlier proposed letting sel_ldr control read/write access, but frankly that isn't strictly necessary, as the filesystem could do that securely just fine.Second, I totally get wanting to reduce the attack surface area of code that will be running in Chrome, but here we're talking about a single if in each syscall. That might be too much, but adding a check (like we already do with the NaclBypassAclChecks global) takes waaaay less code than adding a whole slew of new syscall registration tables and implementations. Overall, adding these new implementations seems like it will cause *more* auditing work, instead of less, just simply due to how simple this feature could be added directly.
On 24 June 2015 at 15:40, JT Olds <jto...@xnet5.com> wrote:On Wed, Jun 24, 2015 at 3:52 PM Petr Hosek <pho...@google.com> wrote:It should be accessible now.Looks like I don't have comment access, but I have two comments so I'll comment here.First, I think taking the lead from other systems (Docker) for the UX is a great impulse, but in this case it will unnecessarily complicate the implementation to have to keep track of what is essentially a virtual file system with path mappings and mount points. Simply using an interface similar to chroot (instead of Docker's -v), in conjunction with users using bind mounts where appropriate,What is the difference between the bind mounts that you're proposing and the Docker-like "--volume" option that Petr was proposing? They sound like the same thing to me.
Hey folks,I'm trying to execute some untrusted Python code safely, and I thought NaCl could help. I'm not in the context of a browser or anything.I downloaded naclports and built Python from that repo. I can definitely run Python from NaCl:[GCC 4.4.3 20141204 (Native Client r14191, Git Commit 7faaabb9f10e6dcae5f2b799da43e236e65cda95)] on naclUnfortunately, every invocation I can find with NaCl to start Python through sel_ldr passes the "-a" option, which is really confusing to me. I definitely don't want the "-a" option, but I do want to be able to provide the Python standard library to Python inside of NaCl.
With sel_ldr, how can I provide file tree additions to the virtual filesystem inside NaCl? I'd love to be able to point sel_ldr at some folder and make it its root (either via copying or chrooting or who knows).
"-a" is labeled as not very safe (allows arbitrary filesystem access in addition to "other" syscalls), so I'd either rather not use it for untrusted code, or have my notions that it is unsafe disabused.
Thanks!-JT
Hey Petr!
We talked a bunch about your proposal already on this thread. Did you have thoughts there?
-JT
--
Do you have any requirements about symlinks? Symlinks pose some awkward problems, so in a first version it would be easiest to disallow creating symlinks.
On Wed, Jun 24, 2015 at 5:30 PM Mark Seaborn <msea...@chromium.org> wrote:On 24 June 2015 at 15:40, JT Olds <jto...@xnet5.com> wrote:On Wed, Jun 24, 2015 at 3:52 PM Petr Hosek <pho...@google.com> wrote:It should be accessible now.Looks like I don't have comment access, but I have two comments so I'll comment here.First, I think taking the lead from other systems (Docker) for the UX is a great impulse, but in this case it will unnecessarily complicate the implementation to have to keep track of what is essentially a virtual file system with path mappings and mount points. Simply using an interface similar to chroot (instead of Docker's -v), in conjunction with users using bind mounts where appropriate,What is the difference between the bind mounts that you're proposing and the Docker-like "--volume" option that Petr was proposing? They sound like the same thing to me.Totally equivalent in functionality. The difference is we don't write any code for bind mounts. I'm proposing we just do a chroot-type feature, and if someone wants arbitrary mappings, they do bind mounts themselves, unrelated to sel_ldr. sel_ldr would do no bind mounting of its own. You'd have to use your own operating system tools (such as bind mounts) to put together whatever folder structure you wanted before even running sel_ldr.
The new "restricted filesystem" feature (-m flag) is great, thank you all for designing and adding it.
I have a difficulty caused by the decision to always allow modifications, relying on the user to make the folder read-only if they want to restrict writing to it. The issue is that "chmod" is still allowed. If there is just a regular user (not superuser) creating the folder and running sel_ldr, the untrusted code will run as the owner of the files and will be able to chmod and modify them.
Any suggestions on how to restrict untrusted code from writing?