"Namsun Ch'o" <namn...@safe-mail.net> writes:
>> Drawback: complexity. If we decide to limit ourselves to the original
>> threat model (rogue guest), and enter the sandbox only after setup, we
>> can keep things simpler.
>
> We could do both without much complexity. This looks simple enough to me:
>
> rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chroot), 1,
> SCMP_A0(SCMP_CMP_EQ, chroot_dir));
> if (rc < 0)
> goto seccomp_return;
>
> rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chdir), 1,
> SCMP_A0(SCMP_CMP_EQ, "/"));
> if (rc < 0)
> goto seccomp_return;
>
> The only time chroot_dir is ever used is in os-posix.c:139:
>
> if (chroot(chroot_dir) < 0) {
I'm afraid this materially weakens the sandbox. chroot_dir is writable.
We don't need to permit chroot(chroot_dir) if we enter the sandbox only
after setup.
