[PATCH] libc++: Add option to disable access to the global filesystem namespace

Joerg Sonnenberger joerg at britannica.bec.de
Tue Mar 10 08:55:35 PDT 2015


On Tue, Mar 10, 2015 at 04:13:54PM +0100, Ed Schouten wrote:
> Hi Joerg,
> 
> 2015-03-10 14:07 GMT+01:00 Joerg Sonnenberger <joerg at britannica.bec.de>:
> > This doesn't make sense to me. All those functions can be used with both
> > absolute and relative path names. So why do you force use of *at(), when
> > arguments relative to CWD already fall into the restricted category?
> 
> The idea behind Capsicum
> (http://www.cl.cam.ac.uk/research/security/capsicum/) is that once
> you've entered capabilities mode, the non-at() functions are disabled,
> while the at()-variants are restricted to relative paths only, not
> allowing you to escape the directory corresponding with that file
> descriptor.
> 
> For example, you could implement a simple web server that has a single
> file descriptor for every virtualhost root directory. When in
> capabilities mode, the web server is not able to access files stored
> outside of the root directories, as it does not possess a file
> descriptor pointing to another directory.
> 
> Processes using Capsicum do not have a working directory. AT_FDCWD can
> no longer be used.

Sounds like a stupid and artificial restriction, but ok...

Joerg
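The per-virtualhost directory-descriptor pattern Ed describes, sketched as an added example (this is not code from the thread, from libc++ or from the Capsicum project). It assumes a hypothetical `struct vhost` holding one root descriptor per host, a hypothetical `vhost_open()` that only ever calls `openat()` with that descriptor and a relative path, and a scratch directory under `/tmp` for the demonstration. On FreeBSD the kernel enforces the rule after `cap_enter()`; on other systems only the userspace check in `check_relative_path()` applies, and that check does not follow symlinks, so it is a mirror of the rule for illustration rather than a substitute for kernel enforcement (on newer kernels `O_RESOLVE_BENEATH` on FreeBSD or `openat2(RESOLVE_BENEATH)` on Linux close that gap).

```c
/* Added example: one directory descriptor per virtual host, all file access
 * relative to it, never through AT_FDCWD and never via an absolute path.
 * Not part of the cfe-commits thread; names below are illustrative. */
#if defined(__linux__)
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* real cap_enter(2); FreeBSD only */
#endif

/* One descriptor per virtual host root (hypothetical structure). */
struct vhost {
    const char *name;
    int rootfd;
};

/* Userspace mirror of the Capsicum at()-rules: no absolute paths and no ".."
 * component that could walk above the root descriptor. Returns 0 if the path
 * is acceptable, -1 otherwise. Symlinks are NOT inspected here; the kernel
 * enforcement after cap_enter() is what actually closes that hole. */
static int check_relative_path(const char *path)
{
    if (path == NULL || path[0] == '\0' || path[0] == '/')
        return -1;
    for (const char *p = path; *p; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return -1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Open a file under a vhost root. Rejects AT_FDCWD (a Capsicum process has no
 * working directory) and anything check_relative_path() refuses. */
int vhost_open(const struct vhost *vh, const char *relpath)
{
    if (vh->rootfd == AT_FDCWD || check_relative_path(relpath) != 0) {
        errno = EACCES;   /* FreeBSD would report ENOTCAPABLE from the kernel */
        return -1;
    }
    return openat(vh->rootfd, relpath, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

/* Once every root descriptor is open, enter capability mode on FreeBSD. From
 * here on open(), AT_FDCWD-relative openat() and absolute paths fail in the
 * kernel regardless of the userspace check above. */
int enter_sandbox(void)
{
#ifdef __FreeBSD__
    return cap_enter();
#else
    errno = ENOSYS;   /* no Capsicum on this platform; userspace check only */
    return -1;
#endif
}

/* Exercises the three rules against a scratch directory (constructed input).
 * bit 0: relative open inside the root works
 * bit 1: absolute path rejected
 * bit 2: ".." escape rejected
 * Returns 7 when all three hold, negative on setup failure. */
int demo_vhost(void)
{
    char tmpl[] = "/tmp/vhostXXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return -1;
    int rootfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (rootfd < 0)
        return -2;
    int fd = openat(rootfd, "index.html", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -3;
    (void)write(fd, "hello\n", 6);
    close(fd);

    struct vhost vh = { "example.test", rootfd };
    int result = 0;
    fd = vhost_open(&vh, "index.html");
    if (fd >= 0) { result |= 1; close(fd); }
    if (vhost_open(&vh, "/etc/passwd") < 0)      result |= 2;
    if (vhost_open(&vh, "../../etc/passwd") < 0) result |= 4;

    unlinkat(rootfd, "index.html", 0);
    close(rootfd);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("vhost checks: %d (7 means all held)\n", demo_vhost());
    return 0;
}
```

In a real server the order matters: open every root descriptor first, then call `enter_sandbox()`, and after that point there is no way to acquire a descriptor for any other directory, which is exactly the property the thread is about.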


