argv-spoof-safe interpreters and VMs?


Rob Meijer

Jan 10, 2026, 10:17:08 AM (9 days ago) Jan 10
to cap-...@googlegroups.com
After the discussion here about sensitive data, mostly because of useful comments by David and John, I ended up coming to the conclusion I need to spend a week or two or so on a little side project to create a simple vault for my DSL to use.

I'm writing two tiny fuse filesystems that can give any "executable running as user" combo its own little vault.

For a native binary this is trivial, even if it requires some extra privsep work, because /proc/$PID/attr/current and /proc/$PID/exe can be trusted. The same is however not true for /proc/$PID/cmdline, because argv is mutable.

There are workarounds for this, but these are specific to particular VMs or interpreters and require MAC (AppArmor or SELinux) configurations to work, which all isn't too user friendly and is frankly too much work for a quick side project.

Because in Merg-E, when not compiled (the first runtime won't be), argv isn't mutable for "scripts", it is defendable to allow my mini filesystem to trust /proc/$PID/cmdline not to be spoofed.

Even if I'm making this side project only to scratch my own itch for Merg-E, it would be great if I wouldn't close the door on other interpreters or on VMs that are also not vulnerable to argv spoofing.

I'm guessing Typhon would very likely not be vulnerable, but I still know too little about Monte and Typhon to be sure. And I'm interested to learn if there are any other interpreters or VMs that fit the bill.

If there are, I'd like to (for now) hard code these into my vault.

Rob Meijer

Jan 11, 2026, 7:43:23 PM (7 days ago) Jan 11
to cap-...@googlegroups.com
For context:  https://codeberg.org/pibara/innuendo-vaultfs/src/branch/main/README.md

Not much code yet. Right now it's just a little side project for my own DSL, assuming my pre-compiler stuff (a rudimentary interpreter) is the only read-only-argv interpreter that could be relevant, but I am interested if there are other least-authority interpreters and/or VMs that I should consider when implementing the /proc/$PID/cmdline parse bit of iprocfs. (iprocfs is the subsystem that tries to get a path-as-id for whatever gets executed.)
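Both posts above describe the same identity rule: key the vault on the kernel-maintained /proc/$PID/exe and /proc/$PID/attr/current, and consult /proc/$PID/cmdline only when the executable is a hard-coded interpreter whose argv a running script cannot rewrite. The following Python sketch of that rule is an added example, not code from innuendo-vaultfs or iprocfs; the allowlist and its interpreter path are constructed placeholders, and the script-path heuristic (first non-option argument) is an assumption.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allowlist (placeholder path, not a real binary): interpreters
# whose argv a running script cannot rewrite, so their cmdline may be parsed.
READONLY_ARGV_INTERPRETERS = frozenset({
    "/usr/local/bin/merg-e-placeholder",
})

@dataclass(frozen=True)
class CallerIdentity:
    exe: str                 # kernel-maintained /proc/<pid>/exe target
    label: str               # MAC label from /proc/<pid>/attr/current, "" if absent
    script: Optional[str]    # script path, only when cmdline is trustworthy
    cmdline_trusted: bool

def identity_from_facts(exe: str, label: str, cmdline: List[str]) -> CallerIdentity:
    """Combine the three /proc facts into an identity, trusting cmdline only
    for allowlisted interpreters. An exe ending in ' (deleted)' (binary
    replaced on disk) never matches the allowlist, so it stays untrusted."""
    if exe not in READONLY_ARGV_INTERPRETERS:
        return CallerIdentity(exe, label, None, False)
    # Assumed heuristic: first non-option argument after argv[0] is the script.
    # A relative path would need /proc/<pid>/cwd to resolve, so it is rejected.
    script = next((a for a in cmdline[1:] if not a.startswith("-")), None)
    if script is None or not os.path.isabs(script):
        return CallerIdentity(exe, label, None, True)
    return CallerIdentity(exe, label, os.path.normpath(script), True)

def vault_id(ident: CallerIdentity) -> str:
    """Path-as-id: native binaries are keyed by exe, scripts by exe plus script,
    with the MAC label appended when one is present."""
    key = ident.exe if ident.script is None else f"{ident.exe}#{ident.script}"
    return f"{key}@{ident.label}" if ident.label else key

def read_proc_facts(pid: int) -> Tuple[str, str, List[str]]:
    """Read the facts for a live pid (e.g. the FUSE request context pid); Linux only.
    The pid can be reused once the caller exits, so read these promptly."""
    base = f"/proc/{pid}"
    exe = os.readlink(f"{base}/exe")
    try:
        with open(f"{base}/attr/current", "rb") as f:
            label = f.read().rstrip(b"\0\n").decode(errors="replace")
    except OSError:            # no LSM label available for this process
        label = ""
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    return exe, label, cmdline
```

On a Linux host, `vault_id(identity_from_facts(*read_proc_facts(pid)))` yields the per-caller vault key; a process outside the allowlist gets a key built only from facts it cannot rewrite.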

