Il 28/07/2014 23:13, Eric W. Biederman ha scritto: > This notion that a shared structure should have different semantics > depending on who is looking at it, sounds like a maintenance nightmare > to me. Isn't that already with seccomp BPF filters? You can have the parent process set a BPF filter that forbids read on that file descriptor or write on that file descriptor. Effectively, this patchset provides the functionality to "hotplug" BPF filters on a running process as more file descriptors are passed via SCM_RIGHTS. Except it doesn't use BPF filters, and instead uses a separate set of discrete capabilities. > I see two sensible implementations: > - Add a seccomp bpf filter to struct file. I proposed something like this, but it has some additional implementation complications. See the v1 thread. But it does have to be in a file descriptor rather than a struct file. It's part of the model that two processes can have different views of the file descriptor (again my toy example is that of an eventfd that an unprivileged child process can only write to). > Additionally unless there is a process wide restriction to relative > paths I can trivially escape your relative path implementation by simply > doing open(.) and getting a struct file without any of those > restrictions. Yes, there is a prctl for that. Paolo -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
