idea: chroot :: FilePath -> IO a -> IO a

Alastair Reid
Mon, 21 Apr 2003 16:25:17 +0100

> I have the idea that we ought to be able to implement the equivalent
> of a unix chroot command, but all within the haskell IO monad.
> [...]
> As I see it, implementing such a function would require support in
> the IO monad (some of which may already be there?), since it would
> need to know for each primitive operation which arguments are file
> paths, plus whether that operation is even legal in a chroot
> environment.  Or perhaps it's the other way around, and every
> primitive operation would need to support chroot...

Implementing barriers of this kind requires that your code has a
"narrow waist".  That is, if you look at a callgraph for your system
(including libraries, runtime system, system calls and anything else
you have the option of changing), you need to find a small number of
edges in the callgraph which all relevant calls pass through.  If the
waist is not narrow, it is a huge amount of work to insert and
maintain all the tests and your chances of getting them all are pretty

Unfortunately, the foreign function interface is specifically designed
to make the IO monad be a very, very broad waist.  Every library is
free to add further IO operations.

Worse, functions like 'System.system' allow arbitrary strings to be
passed out of Haskell and interpreted there.  

Another problem is the unsafePerformIO function which could easily
result in code that is supposed to be protected by your chroot
function to be executed after the chroot call has finished.

I think your best bet is to catch problems at the system call
interface (either using the Unix chroot system call itself or by
interposing on calls to 'open').

Or, tackle the same problem in a different way by extending Haskell
with a datasource-tracking feature along the lines of taint perl.

Alastair Reid