<div dir="ltr"><div dir="ltr">On Thu, 22 Apr 2021 at 21:29, Joachim Durchholz &lt;<a href="mailto:jo@durchholz.org">jo@durchholz.org</a>&gt; wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">True, but the semantics behind each syscall can be horrendously complex. [...]<br></blockquote><div><br></div><div>That's correct, but a sandbox doesn't need to implement all of it. Checking that only something below a given directory can be opened (perhaps only for reading) is relatively easy, as is prohibiting the creation of sockets, limiting the amount of memory that can be mmapped (and how), etc. etc.</div><div><br></div><div>I can hardly imagine what could be considered "safe" for a program which can use all of e.g. POSIX.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
That's why you can have a sandbox and this still doesn't protect you <br>
from symlink timing attacks on /tmp [...]</blockquote><div><br></div><div>Well, if it is *your* sandbox and some processes from outside the sandbox can change its contents arbitrarily, then you have more security issues than simple symlink attacks.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Instead you have to make sure that all software uses mktemp instead of <br>
doing non-atomic file creation &amp; opening. [...]<br></blockquote><div><br></div><div>Nope, one just has to make sure that the sandboxes are isolated. This is relatively easy at the syscall level (e.g. simulating "your" own /tmp etc.).</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Except that there is no such thing as an inherently safe syscall <br>
interface, there are unsafe ways to use it.<br></blockquote><div><br></div><div>And that's exactly the reason why you don't give the full power of all syscalls to a sandboxed program.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">And that's where language-based safety can help. [...]<br></blockquote><div><br></div><div>Only if *all* of your program is written in that single language, which is hardly the case for any non-toy program: sooner or later you call out to a C library, and then all bets are off.</div><div><br></div><div>In general: I think all security-related discussions are futile unless one precisely defines what is considered a threat and what is considered to be safe. And I think we agree to disagree here. :-)</div><div> <br></div></div></div>
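The syscall-level restriction the reply describes (refuse socket creation, let the rest of the program run) as a concrete seccomp-bpf policy. This is an added example, not code from the thread or from either participant; it assumes Linux on x86-64, and the names deny_sockets_filter, run_filter, policy_action, policy_action_arch and install_deny_sockets_filter are my own. The small interpreter lets the policy be checked in user space before it is installed.

```c
/* Added example (not code from the thread): a seccomp-bpf policy that
 * refuses socket-creating syscalls with EPERM and allows everything else.
 * Assumes Linux on x86-64; all names here are my own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Classic BPF, one instruction per line: { code, jt, jf, k }.
 * The program runs against a struct seccomp_data for each syscall. */
static struct sock_filter deny_sockets_filter[] = {
    /* 0: load arch; 1: x86-64 -> skip to 3; 2: foreign ABI -> kill. */
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch) },
    { BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_X86_64 },
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL },
    /* 3: load the syscall number. */
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr) },
    /* 4-5: socket or socketpair -> 6 (EPERM); anything else -> 7 (allow). */
    { BPF_JMP | BPF_JEQ | BPF_K, 1, 0, __NR_socket },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, __NR_socketpair },
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ERRNO | EPERM },
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW },
};
#define FILTER_LEN (sizeof deny_sockets_filter / sizeof deny_sockets_filter[0])

/* Interpreter for the three instruction forms used above, so the policy
 * can be evaluated without installing it. Unknown opcodes fail closed. */
static unsigned int run_filter(const struct sock_filter *prog, size_t len,
                               const struct seccomp_data *data)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:   /* acc = 32-bit word at offset k */
            memcpy(&acc, (const char *)data + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  /* skip jt or jf instructions */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:            /* final action */
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;             /* fell off the end: fail closed */
}

/* Action the policy takes for syscall `nr` reported under `arch`. */
unsigned int policy_action_arch(int nr, unsigned int arch)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(deny_sockets_filter, FILTER_LEN, &d);
}

/* Same, for the native x86-64 ABI. */
unsigned int policy_action(int nr)
{
    return policy_action_arch(nr, AUDIT_ARCH_X86_64);
}

/* Installs the filter in the calling process; 0 on success, -1 on failure. */
int install_deny_sockets_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)FILTER_LEN,
        .filter = deny_sockets_filter,
    };
    /* Required so that an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

int main(void)
{
    if (install_deny_sockets_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    /* With the filter in place this returns -1 with errno == EPERM. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    printf("socket() -> %d (%s)\n", fd, fd < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Two design points worth noting. SECCOMP_RET_ERRNO makes the denied call fail visibly instead of killing the process, which is what the reply's "limit what the program can do" stance asks for; a foreign architecture is still killed outright, because the syscall numbers would mean something else there. The other check the reply mentions, "only something below a given directory can be opened", cannot be expressed in seccomp at all: BPF sees only the raw register values and cannot dereference the path pointer, so directory confinement has to come from a user-space supervisor, mount namespaces or a mechanism such as Landlock.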