[Vm-dev] [squeak-dev] File & Socket Handle Access
bert at freudenbergs.de
Wed Aug 16 11:52:12 UTC 2017
On Wed, Aug 16, 2017 at 1:36 PM, Denis Kudriashov <dionisiydk at gmail.com>
> Hi Eliot.
> I asked David why he didn't add it to the SocketPlugin in the first place
>> and he discussed Andreas Rabb's security concerns
> It would be interesting to read about them because it looks strange that
> it is secure to manage OS handle from VM but not secure to manage it from
> image side. Both ways are requested by user directly or indirectly which
> means that user has OS permissions. So what the difference?
It's for when you want to allow arbitrary code to be executed in the
image, yet still protect the machine from harm. This happens when sharing
objects between images - an object could have malicious code attached. So
in that case, before running the code, we turn on the VM file sandbox via
the SecurityPlugin. This ensures that the image can only access files in a
sandbox directory but not outside. But it only works if the FilePlugin is
the only way to access files - meaning FFI and OSProcess etc. must be
disabled, and there must not be another way to create file handles.
So IMHO, if the goal is to get a raw handle for using in FFI, then that's
okay, since all security goes out the door as soon as FFI is enabled
anyway. And if FFI is not enabled, then the raw file handle isn't useful,
so there is no need to restrict read-access to it. Or am I missing
TL;DR read-only access to raw file handle may not be a security issue.
- Bert -
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Vm-dev