Safety: ptrace, seccomp, whitelists/blacklists
jnovek opened this issue
You're on Hacker News this morning: https://news.ycombinator.com/item?id=26644110
Regarding safety issues, users on HN have suggested using ptrace to intercept syscalls to simulate commands like "rm" and "dd". This seems like it might lead to some frustrating edge cases, though, especially if you're trying to support macOS and Linux.
https://news.ycombinator.com/item?id=26644508
Another user suggested using the seccomp syscall in Linux, or pledge in BSD, to disallow writes from the UP process.
https://news.ycombinator.com/item?id=26644319
Finally, another user suggested using blacklists/whitelists to disallow certain destructive executables.
https://news.ycombinator.com/item?id=26644442
I think all three of these are good ideas with varying levels of complexity. It would protect users who don't realize that this tool can be destructive (or those of us who are absentminded) and perhaps make it possible to use a live search mode again.
There was a related (though not duplicate) discussion in #8.
Using ptrace or seccomp seems to be a new (but likely rather fiddly) addition to the list of potential read-only tools.
I only speak a little golang, but it seems to me like using seccomp is a promising avenue because there is an actively maintained lib for interacting with it.
https://github.com/seccomp/libseccomp-golang
I think I'm going to dig through the docs for the fun of it.
This is pretty far afield of my normal experience, sorry if this suggestion is totally stupid. :-)
- As @diego898 mentioned, some comments in #8 might be worth a look (not all of them; the very initial version of up was somewhat different and executed the pipeline on every keystroke, not just on Enter, and this topic is mixed a lot in that thread).
- A few more random comments in the wiki (though I didn't give the wiki as a whole the love it deserves...).
- A subthread about some related challenges from another person in today's discussion on HN
- As to whitelists, as far as I'm aware, some flags on seemingly innocent commands can still be dangerous; so I'm personally not sold on it, and would be afraid of lulling users into a false sense of security; for now I prefer to leave the responsibility on them, and with Enter as the "execute" key, to me it doesn't feel much different from a regular shell prompt in this aspect.
- Another HN subthread about a 'maybe' tool that could possibly do something related (or not?), and my reply that one could try playing with $SHELL to wire 'maybe' to up, potentially.
@jnovek I will certainly not work on that myself, but if you're interested in experimenting, I will try to be at least helpful from the up side of things :) [I'm kinda having a lot on my plate now, and still haven't regained all of my "mojo" towards up after releasing it, but I love interesting ideas, and this one for sure is :) I feel I would find fun in watching where you might get here :) and if you're stubbornly curious enough, I know by myself you might get amazingly far :)]
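
The allowlist concern raised in this thread, as an added Go example (not part of the thread and not up's own code): a name-only allowlist passes pipelines that a flag-aware check flags. The command list, flag list and sample pipelines are constructed and deliberately incomplete, and quoting and other shell syntax are rejected outright rather than parsed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed data: a name-only allowlist of commands that look read-only, and
// an incomplete list of argument prefixes that make them write, delete or execute.
var allowed = map[string]bool{"cat": true, "grep": true, "sort": true, "find": true, "sed": true}
var risky = map[string][]string{
	"find": {"-delete", "-exec", "-ok", "-fprint", "-fls"},
	"sed":  {"-i", "--in-place"},
	"sort": {"-o", "--output"},
}

// check classifies a pipeline as "reject", "risky" (flag-aware mode only) or "pass".
// Quoting, escapes, redirection, substitution and command lists are rejected
// outright (fail closed), so stages can be split on '|' and whitespace.
func check(line string, flagAware bool) string {
	if strings.ContainsAny(line, "'\";&<>$`()\\\n") {
		return "reject"
	}
	for _, stage := range strings.Split(line, "|") {
		st := strings.Fields(stage)
		if len(st) == 0 || !allowed[st[0]] {
			return "reject"
		}
		for _, arg := range st[1:] {
			for _, p := range risky[st[0]] {
				if flagAware && strings.HasPrefix(arg, p) {
					return "risky"
				}
			}
		}
	}
	return "pass"
}

func main() {
	// Constructed sample pipelines.
	for _, l := range []string{"grep error app.log | sort", "find . -name notes.tmp -delete",
		"sed -i s/a/b/ notes.txt", "cat app.log | rm app.log"} {
		fmt.Printf("%-32s name-only=%-6s flag-aware=%s\n", l, check(l, false), check(l, true))
	}
}
```

The flag-aware mode only catches what its list names, so every allowlisted command needs its write, delete and execute options enumerated and kept current.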