In RFC353, I totally missed some of the problems with implementation. In
fact, what may actually be needed (with shared library code, in
particular) is that using the sandbox system causes a fork, and then the
child is ptrace()d by the parent perl process. This of course traps every
possible system call, but makes the whole thing run like a pig through
mud. :( Maybe this isn't going to be such a good idea after all. :( (and
also doesn't work wonderfully on systems without a fork() or a ptrace()).
The other option is to try and provide an LD_PRELOAD, but then someone
with knowledge of a particular system can execute the syscalls by
providing appropriate assembler traps.

Of course restricting the loading of .so code might be possible as part of
the sandbox, but then you may stop the loading of the module you actually
want to use.

Unfortunate that Perl's beautiful flexibility in this area is what makes
it hard to secure. :/

MBM

-- 
Doing  linear scans  over an  associative  array  is like  trying  to club
someone to death with a loaded Uzi.                          -- Larry Wall
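The fork()-then-ptrace() arrangement sketched in the message above, as an added example that is not part of the original post or of RFC 353. It assumes Linux with glibc (PTRACE_TRACEME, PTRACE_SYSCALL and the PTRACE_O_TRACESYSGOOD option) and uses a constructed workload of 25 getpid() calls in the child. The parent is stopped at every system-call entry and exit, which is the per-call cost the post objects to; the function returns -1 where fork() or ptrace() is unavailable or refused, the "systems without a fork() or a ptrace()" case.

```c
/* Added example (not from the original post or RFC 353): the fork()+ptrace()
 * sandbox shape the message describes, on Linux/glibc.  The parent stops the
 * child at every system-call entry and exit; here it only counts the entries,
 * which is enough to see why "traps every possible system call" is costly. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Work the sandboxed child performs: 25 direct getpid() system calls
 * (constructed workload, so the minimum expected count is known). */
#define DEMO_SYSCALLS 25
void do_work(void)
{
    for (int i = 0; i < DEMO_SYSCALLS; i++)
        syscall(SYS_getpid);
}

/* Fork, run fn() in the child under PTRACE_TRACEME, and count how many
 * system-call entries the parent had to stop at before the child exited.
 * Returns -1 when fork()/ptrace() is unavailable or refused (for example by
 * a seccomp or Yama policy), i.e. the "systems without ptrace" case. */
long count_traced_syscalls(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(99);          /* tracing refused: signal it via exit code */
        raise(SIGSTOP);         /* pause until the parent has set options */
        fn();
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (!WIFSTOPPED(status))
        return -1;              /* child exited before we could trace it */

    /* Report syscall stops as SIGTRAP|0x80 so they can be told apart from
     * real SIGTRAPs and other signals. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
               (void *)(long)PTRACE_O_TRACESYSGOOD) == -1) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }

    long entries = 0;
    int in_syscall = 0;         /* toggles entry/exit on each syscall stop */
    int sig = 0;                /* signal to deliver on resume (0 = none) */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            return -1;
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        sig = 0;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            in_syscall = !in_syscall;
            if (in_syscall)
                entries++;      /* a real sandbox would inspect/deny here */
        } else if (WIFSTOPPED(status)) {
            sig = WSTOPSIG(status);   /* pass unrelated signals through */
        }
    }
    return entries;
}

int main(void)
{
    long n = count_traced_syscalls(do_work);
    if (n < 0)
        printf("ptrace sandbox unavailable here\n");
    else
        printf("parent stopped at %ld syscall entries for %d getpid() calls\n",
               n, DEMO_SYSCALLS);
    return 0;
}
```

At each entry stop a real sandbox would read the system-call number and arguments (PTRACE_GETREGS or, on newer kernels, PTRACE_GET_SYSCALL_INFO, both architecture-specific in their details) and either let the call proceed or rewrite it into a failure; the example only counts, which is enough to show that every call in the child costs at least two stops plus two context switches in the parent. Note the contrast with the LD_PRELOAD approach in the post: library interposition never sees a call issued straight through the raw syscall instruction, whereas the tracer stops on it regardless of how it was issued.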
