[PATCH] libc++: Add option to disable access to the global filesystem namespace

Ed Schouten ed at nuxi.nl
Tue Mar 10 08:13:54 PDT 2015


Hi Joerg,

2015-03-10 14:07 GMT+01:00 Joerg Sonnenberger <joerg at britannica.bec.de>:
> This doesn't make sense to me. All those functions can be used with both
> absolute and relative path names. So why do you force use of *at(), when
> arguments relative to CWD already fall into the restricted category?

The idea behind Capsicum
(http://www.cl.cam.ac.uk/research/security/capsicum/) is that once
you've entered capabilities mode, the non-at() functions are disabled,
while the at()-variants are restricted to relative paths only, not
allowing you to escape the directory corresponding with that file
descriptor.

For example, you could implement a simple web server that has a single
file descriptor for every virtualhost root directory. When in
capabilities mode, the web server is not able to access files stored
outside of the root directories, as it does not possess a file
descriptor pointing to another directory.

Processes using Capsicum do not have a working directory. AT_FDCWD can
no longer be used.

-- 
Ed Schouten <ed at nuxi.nl>
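The virtualhost pattern Ed describes, written out as an added example (not code from the patch or from libc++): each root is held as a directory descriptor and every lookup goes through openat() relative to it, never through AT_FDCWD. path_stays_beneath, open_in_root, enter_sandbox and demo_vhost_lookup are assumed names; cap_enter() is the FreeBSD Capsicum call and is compiled only there, so on other systems the path filter alone stands in for what the kernel enforces in capability mode.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_enter() */
#endif
/* Accept only relative paths with no ".." component (assumed helper). In
 * capability mode the kernel refuses these to the *at() calls anyway. */
int path_stays_beneath(const char *path) {
    const char *p = path;
    if (p[0] == '/' || p[0] == '\0') return 0;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0;
        if (slash == NULL) return 1;
        p = slash + 1;
    }
}
/* Resolve a request path against one virtualhost root descriptor; AT_FDCWD
 * is never consulted, so this keeps working after cap_enter(). */
int open_in_root(int rootfd, const char *path) {
    if (!path_stays_beneath(path)) return -1;
    return openat(rootfd, path, O_RDONLY | O_NOFOLLOW);
}
/* Enter capability mode once every root descriptor has been opened. */
int enter_sandbox(void) {
#ifdef __FreeBSD__
    return cap_enter();
#else
    return 0;   /* no Capsicum: only path_stays_beneath() guards the root */
#endif
}
/* Constructed scenario: a scratch root holding one page. Returns 1 when the
 * page opens through the root fd and both escape attempts are refused. */
int demo_vhost_lookup(void) {
    char dir[] = "/tmp/vhost.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    int rootfd = open(dir, O_RDONLY | O_DIRECTORY);
    int page = openat(rootfd, "index.html", O_WRONLY | O_CREAT, 0644);
    int inside = open_in_root(rootfd, "index.html");
    int ok = page >= 0 && inside >= 0 && open_in_root(rootfd, "/etc/passwd") < 0
             && open_in_root(rootfd, "../../etc/passwd") < 0;
    if (inside >= 0) close(inside);
    if (page >= 0) close(page);
    unlinkat(rootfd, "index.html", 0); close(rootfd); rmdir(dir);
    return ok;
}
```

In a real server, enter_sandbox() would be called right after all root descriptors are opened and before the first request is parsed.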
