Safety: ptrace, seccomp, whitelists/blacklists #56
Comments
There was a related (though not duplicate) discussion in #8
Using ptrace or seccomp seems to be a new (but likely rather fiddly) addition to the list of potential read-only tools. I only speak a little golang, but it seems to me like using seccomp is a promising avenue because there is an actively maintained lib for interacting with it: https://github.com/seccomp/libseccomp-golang. I think I'm going to dig through the docs for the fun of it. This is pretty far afield of my normal experience, sorry if this suggestion is totally stupid. :-)
As @diego898 mentioned, some comments in #8 might be worth a look (not all of them, the very initial version of up was somewhat different and executed the pipeline on every keystroke, not just on Enter, and this topic is mixed a lot in that thread).
@jnovek I will certainly not work on that myself, but if you're interested in experimenting, I will try to be at least helpful from the up side of things :) [I'm kinda having a lot on my plate now, and still haven't regained all of my "mojo" towards up after releasing it, but I love interesting ideas, and this one for sure is :) I feel I would find fun in watching where you might get here :) and if you're stubbornly curious enough, I know by myself you might get amazingly far :)]
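To make the seccomp idea from the comments above concrete, here is an added example (it is not code from the up project or from any commenter) of what "disallow writes from the process" looks like at the syscall level. It builds a classic-BPF seccomp filter by hand and installs it with raw prctl(2) calls, so it needs only the Go standard library rather than libseccomp-golang. The BPF opcodes, seccomp return values, prctl numbers and AUDIT_ARCH values are copied from the Linux UAPI headers; the function names and the choice of denied syscalls are this example's own. It assumes Linux on amd64 or arm64.

```go
//go:build linux

// Added example, not code from up: a seccomp-BPF filter that turns the
// file-modifying syscalls into EPERM while leaving reads, pipes and the
// terminal alone. Children forked after installation inherit it, which is
// what makes the approach interesting for a pipeline tool.
package main

import (
	"fmt"
	"runtime"
	"syscall"
	"unsafe"
)

// Classic BPF opcodes, seccomp return values and prctl numbers, as in
// <linux/filter.h>, <linux/seccomp.h> and <linux/prctl.h>.
const (
	bpfLdAbsW = 0x20 // BPF_LD | BPF_W | BPF_ABS
	bpfJeqK   = 0x15 // BPF_JMP | BPF_JEQ | BPF_K
	bpfJsetK  = 0x45 // BPF_JMP | BPF_JSET | BPF_K
	bpfRetK   = 0x06 // BPF_RET | BPF_K

	seccompRetAllow       = 0x7fff0000
	seccompRetErrno       = 0x00050000
	seccompRetKillProcess = 0x80000000

	prSetNoNewPrivs   = 38 // PR_SET_NO_NEW_PRIVS
	prSetSeccomp      = 22 // PR_SET_SECCOMP
	seccompModeFilter = 2  // SECCOMP_MODE_FILTER

	// Offsets into struct seccomp_data (little-endian, 64-bit args).
	offNr   = 0
	offArch = 4
	offArg2 = 16 + 2*8 // low 32 bits of args[2]: the flags argument of openat
)

// auditArch maps GOARCH to the AUDIT_ARCH_* value seccomp reports; the
// filter kills the process if it ever runs under a foreign ABI.
var auditArch = map[string]uint32{
	"amd64": 0xc000003e, // AUDIT_ARCH_X86_64
	"arm64": 0xc00000b7, // AUDIT_ARCH_AARCH64
}

func stmt(code uint16, k uint32) syscall.SockFilter { return syscall.SockFilter{Code: code, K: k} }
func jump(code uint16, k uint32, jt, jf uint8) syscall.SockFilter {
	return syscall.SockFilter{Code: code, Jt: jt, Jf: jf, K: k}
}

// ReadOnlyFilter builds the program: the syscalls in denied are refused
// outright, openat is refused only when its flags ask for write access,
// creation or truncation, everything else is allowed.
func ReadOnlyFilter() ([]syscall.SockFilter, error) {
	arch, ok := auditArch[runtime.GOARCH]
	if !ok {
		return nil, fmt.Errorf("no AUDIT_ARCH value known for %s", runtime.GOARCH)
	}
	denied := []uint32{
		syscall.SYS_UNLINKAT, syscall.SYS_RENAMEAT, syscall.SYS_MKDIRAT,
		syscall.SYS_TRUNCATE, syscall.SYS_FTRUNCATE,
	}
	writeFlags := uint32(syscall.O_WRONLY | syscall.O_RDWR | syscall.O_CREAT | syscall.O_TRUNC)

	// Layout: [ld arch][jeq arch][ld nr][n denied jeqs][jeq openat][ld flags][jset][allow][errno][kill]
	n := uint8(len(denied))
	allowIdx := 6 + n
	errnoIdx := 7 + n
	killIdx := 8 + n
	prog := []syscall.SockFilter{
		stmt(bpfLdAbsW, offArch),
		jump(bpfJeqK, arch, 0, killIdx-2), // wrong ABI: kill the process
		stmt(bpfLdAbsW, offNr),
	}
	for i, nr := range denied {
		here := uint8(3 + i)
		prog = append(prog, jump(bpfJeqK, nr, errnoIdx-(here+1), 0))
	}
	here := 3 + n
	prog = append(prog,
		jump(bpfJeqK, uint32(syscall.SYS_OPENAT), 0, allowIdx-(here+1)),
		stmt(bpfLdAbsW, offArg2),
		jump(bpfJsetK, writeFlags, errnoIdx-(here+3), allowIdx-(here+3)),
		stmt(bpfRetK, seccompRetAllow),
		stmt(bpfRetK, seccompRetErrno|uint32(syscall.EPERM)),
		stmt(bpfRetK, seccompRetKillProcess),
	)
	return prog, nil
}

// InstallReadOnlyFilter pins the calling goroutine to its OS thread and
// installs the filter there. Caveat: prctl applies to the calling thread
// only; covering every thread of a Go process needs seccomp(2) with
// SECCOMP_FILTER_FLAG_TSYNC, which the frozen syscall package does not expose.
// Threads and child processes created afterwards do inherit the filter.
func InstallReadOnlyFilter() error {
	prog, err := ReadOnlyFilter()
	if err != nil {
		return err
	}
	runtime.LockOSThread()
	// Without no_new_privs an unprivileged process may not install a filter.
	if _, _, e := syscall.Syscall6(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0, 0, 0, 0); e != 0 {
		return fmt.Errorf("PR_SET_NO_NEW_PRIVS: %v", e)
	}
	fprog := syscall.SockFprog{Len: uint16(len(prog)), Filter: &prog[0]}
	if _, _, e := syscall.Syscall(syscall.SYS_PRCTL, prSetSeccomp, seccompModeFilter, uintptr(unsafe.Pointer(&fprog))); e != 0 {
		return fmt.Errorf("PR_SET_SECCOMP: %v", e)
	}
	return nil
}

// ProbeUnlink and ProbeOpen return the error a syscall produces so the
// filter's effect is observable: EPERM means seccomp refused the call before
// the kernel looked at the path (a missing file would otherwise give ENOENT).
func ProbeUnlink(path string) error {
	return syscall.Unlink(path) // unlinkat(AT_FDCWD, path, 0) on Linux
}

func ProbeOpen(path string, flags int) error {
	fd, err := syscall.Open(path, flags, 0o644) // openat(AT_FDCWD, ...) on Linux
	if err == nil {
		syscall.Close(fd)
	}
	return err
}

func main() {
	if err := InstallReadOnlyFilter(); err != nil {
		fmt.Println("install failed:", err)
		return
	}
	fmt.Println("unlink /nonexistent:", ProbeUnlink("/nonexistent"))
	fmt.Println("open /dev/null read-only:", ProbeOpen("/dev/null", syscall.O_RDONLY))
	fmt.Println("open /tmp/up-probe for writing:", ProbeOpen("/tmp/up-probe", syscall.O_WRONLY|syscall.O_CREAT))
}
```

The denied set is deliberately short; a production filter would also cover linkat, symlinkat, fchmodat, chown and the io_uring and mount families, and would decide what to do about write(2) to an inherited file descriptor, which this filter cannot distinguish from a write to the terminal. Returning EPERM rather than killing the process keeps an `rm` typed by mistake as a visible error in the pipeline output instead of a dead shell.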
You're on Hacker News this morning: https://news.ycombinator.com/item?id=26644110
Regarding safety issues, users on HN have suggested using ptrace to intercept syscalls to simulate commands like "rm" and "dd". This seems like it might lead to some frustrating edge cases, though. Especially if you're trying to support macOS and Linux.
https://news.ycombinator.com/item?id=26644508
Another user suggested using the seccomp syscall in Linux, pledge in BSD to disallow writes from the UP process.
https://news.ycombinator.com/item?id=26644319
Finally, another user suggested using blacklists/whitelists to disallow certain destructive executables.
https://news.ycombinator.com/item?id=26644442
I think all three of these are good ideas with varying levels of complexity. It would protect users who don't realize that this tool can be destructive (or those of us who are absentminded) and perhaps make it possible to use a live search mode again.
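The blacklist/whitelist suggestion is the cheapest of the three to try, and also the easiest to get wrong, so here is an added example (not code from up or from any commenter) of a denylist check over a pipeline string. The lexer, the word lists and the function names are this example's own choices. It shows the cases a first-word check misses: wrappers like sudo and xargs, absolute paths, shell redirections, find -delete, sed -i, interpreters and command substitution. All inputs in main are constructed for the demonstration.

```go
// Added example, not code from up: a denylist pass over a shell pipeline.
package main

import (
	"fmt"
	"path"
	"strings"
)

// Programs that modify or destroy data, matched on basename so /bin/rm hits too.
var destructive = map[string]bool{
	"rm": true, "mv": true, "dd": true, "tee": true, "shred": true,
	"truncate": true, "chmod": true, "chown": true, "mkfs": true,
}

// Programs that run whatever their arguments name; the real command follows them.
var wrappers = map[string]bool{
	"sudo": true, "doas": true, "env": true, "nice": true, "nohup": true, "time": true,
	"xargs": true, "command": true, "exec": true, "stdbuf": true, "timeout": true,
}

// Programs that execute code the command line does not show (awk can write
// files with its own > operator, which is why it is here too).
var interpreters = map[string]bool{
	"sh": true, "bash": true, "zsh": true, "dash": true, "python": true,
	"python3": true, "perl": true, "ruby": true, "awk": true,
}

type tok struct {
	s  string
	op bool // shell operator such as | && ; > >>
}

// lex splits a line shell-style: quotes group (no escapes inside them, a
// simplification), backslash escapes one byte, runs of |&;<> are operators.
func lex(line string) ([]tok, error) {
	var out []tok
	var cur strings.Builder
	have := false
	flush := func() {
		if have {
			out = append(out, tok{s: cur.String()})
			cur.Reset()
			have = false
		}
	}
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case c == '\'' || c == '"':
			end := strings.IndexByte(line[i+1:], c)
			if end < 0 {
				return nil, fmt.Errorf("unterminated %c quote", c)
			}
			cur.WriteString(line[i+1 : i+1+end])
			have = true
			i += end + 1
		case c == '\\' && i+1 < len(line):
			cur.WriteByte(line[i+1])
			have = true
			i++
		case c == ' ' || c == '\t':
			flush()
		case strings.IndexByte("|&;<>", c) >= 0:
			flush()
			j := i
			for j < len(line) && strings.IndexByte("|&;<>", line[j]) >= 0 {
				j++
			}
			out = append(out, tok{s: line[i:j], op: true})
			i = j - 1
		default:
			cur.WriteByte(c)
			have = true
		}
	}
	flush()
	return out, nil
}

// realCommand peels VAR=value prefixes and wrapper programs off a stage and
// returns the basename of what actually runs plus its arguments. Wrapper
// options that take a value (sudo -u USER) still fool it: USER is reported.
func realCommand(words []string) (prog string, args []string) {
	for i, w := range words {
		switch {
		case strings.Contains(w, "=") && !strings.HasPrefix(w, "-"):
			continue // FOO=bar prefix, or env's VAR=value argument
		case strings.HasPrefix(w, "-"):
			continue // an option of a wrapper, e.g. xargs -0
		case wrappers[path.Base(w)]:
			continue
		}
		return path.Base(w), words[i+1:]
	}
	return "", nil
}

// checkStage judges one pipeline stage; "" means nothing suspicious.
func checkStage(words []string) string {
	prog, args := realCommand(words)
	switch {
	case prog == "":
		return ""
	case destructive[prog]:
		return prog + " can destroy data"
	case interpreters[prog]:
		return prog + " runs code the denylist cannot see"
	case prog == "find":
		for _, a := range args {
			if a == "-delete" || a == "-exec" || a == "-execdir" || a == "-ok" || a == "-okdir" {
				return "find " + a + " acts on matched files"
			}
		}
	case prog == "sed":
		for _, a := range args {
			if strings.HasPrefix(a, "-i") || strings.HasPrefix(a, "--in-place") {
				return "sed " + a + " rewrites files in place"
			}
		}
	}
	return ""
}

// Check returns one reason per problem found; an empty result means the
// pipeline looked read-only to this (incomplete) denylist.
func Check(line string) ([]string, error) {
	toks, err := lex(line)
	if err != nil {
		return nil, err
	}
	var reasons []string
	var stage []string
	finish := func() {
		if r := checkStage(stage); r != "" {
			reasons = append(reasons, r)
		}
		stage = nil
	}
	for _, t := range toks {
		switch {
		case !t.op:
			if strings.Contains(t.s, "$(") || strings.Contains(t.s, "`") {
				reasons = append(reasons, fmt.Sprintf("command substitution in %q hides a command", t.s))
			}
			stage = append(stage, t.s)
		case strings.HasPrefix(t.s, ">&"):
			// fd duplication such as 2>&1 touches no file
		case strings.HasPrefix(t.s, ">"):
			reasons = append(reasons, "redirection "+t.s+" writes to a file")
		case t.s == "|" || t.s == "|&" || t.s == "||" || t.s == "&&" || t.s == ";":
			finish()
		}
	}
	finish()
	return reasons, nil
}

func main() {
	for _, cmd := range []string{ // constructed sample pipelines
		"cat access.log | grep ' 500 ' | sort | uniq -c",
		"ls *.tmp | xargs rm -f",
		"cat hosts | sudo /bin/rm -rf /etc/hosts",
		"grep ERROR app.log > errors.txt",
		"grep ERROR app.log 2>&1 | wc -l",
		"find . -name '*.log' -delete",
		"cat list | sh -c 'rm $(cat)'",
	} {
		reasons, err := Check(cmd)
		fmt.Printf("%-45s -> %v %v\n", cmd, reasons, err)
	}
}
```

Every rule here is a patch for a specific bypass, and the list of bypasses is open-ended (aliases, functions, a wrapper not on the list, a binary renamed to something harmless), which is the argument for pairing a denylist with a kernel-enforced mechanism such as seccomp rather than relying on it alone. It is also easy to see the usability cost: treating awk as opaque is correct but blocks a very common pipeline stage.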