On Tue, Jul 31, 2012 at 7:57 PM, vivo75@×××××.com <vivo75@×××××.com> wrote:
> On 31/07/2012 21:27, Michał Górny wrote:
>> I'd be more afraid about resources, and whether the kernel will
>> actually be able to handle a bazillion bind mounts. And if so, whether
>> it won't actually cause more overhead than copying the whole system to
>> some kind of tmpfs.
>
> If testing shows that bind mounts are too heavy we could resort to
> LD_PRELOADing a library that filters access to the disk, or to reworking
> sandbox to also hide some files without raising errors. With an
> appropriate database (sys-apps/mlocate comes to mind) every access would
> have negligible additional cost compared to that of a rotational disk.

So, while I suspect that bind mount overhead won't actually be that
bad, I'm also thinking that extending the role of sandbox as has
already been suggested might be the simpler solution (and it works on
other kernels as well). I'd still like a run-time solution some day,
but that would probably require SELinux and seems like a much more
ambitious project, and we'll probably get quite a bit of QA value out
of a sandbox solution.

I think the right solution is to not use external utilities unless
they can be linked in - at least not for anything running inside the
sandbox. We're most likely talking about a VERY high volume of file
opens, and we can't be spawning processes every time that happens, let
alone running bash scripts or whatever.

So, here is my design concept (which had a little help from my LUG - PLUG):

1. At the start of the build, portage generates a list of files that
are legitimate dependencies - anything in DEPEND or @system. This can
be done by parsing the /var/db/pkg entries (I assume portage has some
internal API for this already).

2. Portage or a helper program (whatever is fastest) calls stat on
each file to obtain the device and inode IDs. Maybe long-term we
might consider caching these (but I'm not sure how stable they are).

3. The list of valid device/inode IDs is passed to sandbox somehow
(maybe in a file). Sandbox creates a data structure in memory
containing them for rapid access (btree or such).

4. When sandbox intercepts a file open request, it checks the file's
device/inode pair against the list and allows/denies accordingly. (A
rough sketch of these steps follows below.)
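
To make steps 1-3 concrete, here's a minimal Python sketch of the
portage-side half. It is only illustrative: the hand-rolled walk over
/var/db/pkg CONTENTS files and the output file name are my assumptions,
not anything portage provides today; a real implementation would use
portage's own VDB API and would only include the DEPEND/@system closure.

#!/usr/bin/env python
# Illustrative sketch only: build the dev/inode whitelist for sandbox
# (steps 1-3 above).

import os

VDB = "/var/db/pkg"   # the installed-package database

def contents_paths(pkg_dir):
    """Yield the filesystem paths recorded in one package's CONTENTS."""
    with open(os.path.join(pkg_dir, "CONTENTS")) as f:
        for line in f:
            fields = line.split()
            # Lines look like: "obj /usr/bin/foo <md5> <mtime>".
            # (Naive split; real CONTENTS parsing handles spaces in paths.)
            if fields and fields[0] in ("obj", "sym", "dir"):
                yield fields[1]

def allowed_ids(pkg_dirs):
    """Return a set of (st_dev, st_ino) pairs for every dependency file."""
    ids = set()
    for pkg_dir in pkg_dirs:
        for path in contents_paths(pkg_dir):
            try:
                st = os.stat(path)        # dereferences symlinks
            except OSError:
                continue                  # removed file or dangling link
            ids.add((st.st_dev, st.st_ino))
    return ids

if __name__ == "__main__":
    # Stand-in for step 1: here we just take every installed package;
    # portage would instead hand us the resolved DEPEND/@system set.
    pkg_dirs = [os.path.join(VDB, cat, pkg)
                for cat in os.listdir(VDB)
                if os.path.isdir(os.path.join(VDB, cat))
                for pkg in os.listdir(os.path.join(VDB, cat))]
    # Step 3's hand-off: dump "device inode" pairs for sandbox to load
    # into an in-memory set/btree.
    with open("/tmp/sandbox-read-whitelist", "w") as out:
        for dev, ino in sorted(allowed_ids(pkg_dirs)):
            out.write("%d %d\n" % (dev, ino))

The sandbox side (step 4) then boils down to one stat() on the path
being opened plus a lookup in that set; the real check would of course
live in libsandbox's C code, so the above only models the data flow,
not the interception itself.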

That said, after doing a quick pass at the sandbox source, it seems
like it is already designed to restrict read access, but it uses
canonical filenames to do so. I'm not sure those are going to be
reliable, especially if a filesystem contains bind mounts. Since it
is already checking a read list, if we thought that mechanism would be
robust and fast we could just remove SANDBOX_READ="/" from
/etc/sandbox.d/00default and then load in whatever we want afterwards.
I need to spend more time grokking the current source. I'd think that
using inode numbers as a key would be faster than determining a
canonical file name on every file access, but if sandbox is already
doing the latter then obviously it isn't that much overhead.
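
Just to make that comparison concrete (as a model only - the real check
sits in libsandbox's C code and, as described above, matches canonical
names against a read list; the example data below is made up):

import os

# Made-up example data: a SANDBOX_READ-style prefix list versus the
# (st_dev, st_ino) whitelist from the earlier sketch.
ALLOWED_PREFIXES = ("/usr/", "/lib/")
ALLOWED_IDS = {(2049, 131072)}

def allowed_by_canonical_name(path):
    # Resolve every symlink and ".." component, then prefix-match.
    return os.path.realpath(path).startswith(ALLOWED_PREFIXES)

def allowed_by_inode(path):
    # One stat plus a hash/btree lookup, however convoluted the path is.
    try:
        st = os.stat(path)
    except OSError:
        return False
    return (st.st_dev, st.st_ino) in ALLOWED_IDS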

The other thing I'm not sure about here is symlinks. If a symlink is
contained in a dependency, but the linked-to file is not, can that file
be used by a package? I suppose the reverse is also a concern - if a
file is accessed through a symlink that isn't part of a dependency,
but the file it points to is, is that a problem? I'm wondering
if there is any eselect logic that could cause problems here. When
calling stat we can choose whether to dereference symlinks.
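
For whoever ends up implementing this, that dereference choice is just
stat vs. lstat (the path below is only a hypothetical example):

import os

path = "/usr/bin/python"   # hypothetical example: on Gentoo this is an
                           # eselect-managed symlink

st_target = os.stat(path)    # keys on the target file's device/inode
st_link = os.lstat(path)     # keys on the symlink itself

# If the two differ, the path is a symlink; whitelisting via os.stat()
# allows access to the target, whitelisting via os.lstat() only covers
# the link - exactly the two cases described above.
print(st_target.st_ino == st_link.st_ino)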