Safety: ptrace, seccomp, whitelists/blacklists #56

Open
jnovek opened this issue Mar 31, 2021 · 3 comments
Labels: 🤕 help wanted (A headache for maintainer(s)), 💡 spark (Inspiring idea though not immediately planned)

Comments

@jnovek

jnovek commented Mar 31, 2021

You're on Hacker News this morning: https://news.ycombinator.com/item?id=26644110

Regarding safety issues, users on HN have suggested using ptrace to intercept syscalls to simulate commands like "rm" and "dd". This seems like it might lead to some frustrating edge cases, though, especially if you're trying to support macOS and Linux.

https://news.ycombinator.com/item?id=26644508

Another user suggested using the seccomp syscall in Linux, or pledge in BSD, to disallow writes from the UP process.

https://news.ycombinator.com/item?id=26644319

Finally, another user suggested using blacklists/whitelists to disallow certain destructive executables.

https://news.ycombinator.com/item?id=26644442

I think all three of these are good ideas with varying levels of complexity. It would protect users who don't realize that this tool can be destructive (or those of us who are absentminded) and perhaps make it possible to use a live search mode again.
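
Added example, not part of the original thread or of up's code: a conservative Go sketch of the allowlist idea from the comment above, assuming the typed pipeline is later handed to a shell. `CheckPipeline`, the `readOnly` list and the sample pipelines are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// readOnly is a constructed allowlist (an assumption, not taken from up):
// tools that only read their inputs and write to stdout. sort and uniq are
// left out on purpose: `sort -o FILE` and `uniq IN OUT` write to files, so an
// executable name alone does not make a command safe.
var readOnly = map[string]bool{
	"cat": true, "cut": true, "grep": true, "head": true,
	"tail": true, "tr": true, "wc": true,
}

// shellMeta lists characters that let a shell chain commands, redirect
// output, substitute commands or escape characters. Any of them fails the check.
const shellMeta = ";&<>`$(){}\\\n"

// CheckPipeline (hypothetical helper) returns nil only when every stage of
// the pipeline starts with an allowlisted command and no shell metacharacter
// is present. It splits on every '|', quoted or not, so it errs on the side
// of rejecting input such as grep 'a|b'.
func CheckPipeline(pipeline string) error {
	if i := strings.IndexAny(pipeline, shellMeta); i >= 0 {
		return fmt.Errorf("shell metacharacter %q at offset %d", pipeline[i], i)
	}
	for n, stage := range strings.Split(pipeline, "|") {
		words := strings.Fields(stage)
		if len(words) == 0 {
			return fmt.Errorf("stage %d is empty", n+1)
		}
		if !readOnly[words[0]] {
			return fmt.Errorf("stage %d: %q is not on the allowlist", n+1, words[0])
		}
	}
	return nil
}

func main() {
	// Constructed sample pipelines.
	for _, p := range []string{
		"grep -i error | cut -d: -f2 | head -n 5",
		"grep error > /etc/motd",
		"cat | xargs rm",
		"sort -o out.txt",
	} {
		fmt.Printf("%-42q -> %v\n", p, CheckPipeline(p))
	}
}
```

A name-based check like this only narrows what the shell is asked to run; it does not constrain what an allowed binary does once started, which is the gap the seccomp and ptrace suggestions address.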

@diego898

There was a related (though not duplicate) discussion in #8

@jnovek
Author

jnovek commented Mar 31, 2021

Using ptrace or seccomp seem to be new (but likely rather fiddly) additions to the list of potential read-only tools.

I only speak a little golang, but it seems to me like using seccomp is a promising avenue because there is an actively maintained lib for interacting with it.

https://github.com/seccomp/libseccomp-golang

I think I'm going to dig through the docs for the fun of it.

This is pretty far afield of my normal experience, sorry if this suggestion is totally stupid. :-)

akavel added the 💡 spark (Inspiring idea though not immediately planned) and 🤕 help wanted (A headache for maintainer(s)) labels Mar 31, 2021
@akavel
Owner

akavel commented Mar 31, 2021

As @diego898 mentioned, some comments in #8 might be worth a look (not all of them, the very initial version of up was somewhat different and executed the pipeline on every keystroke, not just on Enter, and this topic is mixed a lot in that thread).

@jnovek I will certainly not work on that myself, but if you're interested in experimenting, I will try to be at least helpful from the up side of things :) [I'm kinda having a lot on my plate now, and still haven't regained all of my "mojo" towards up after releasing it, but I love interesting ideas, and this one for sure is :) I feel I would find fun in watching where you might get here :) and if you're stubbornly curious enough, I know by myself you might get amazingly far :)]
