Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kernel+Userland: Add a prctl option to enter jail mode until a call to the execve syscall #24926

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Kernel+Userland: Add a prctl option to enter jail mode until a call to the execve syscall #24926

wants to merge 4 commits into from

Conversation

supercomputer7
Copy link
Member

Resolves #24913.

@supercomputer7 supercomputer7 marked this pull request as ready for review August 13, 2024 03:38
@github-actions github-actions bot added the 👀 pr-needs-review PR needs review from a maintainer or community member label Aug 13, 2024
timschumi
timschumi reviewed Sep 1, 2024
View reviewed changes
Kernel/Tasks/Process.h Outdated Show resolved Hide resolved
@supercomputer7
Kernel+Userland: Rename jailed => jailed_until_exit
39c627f 
In all instances, it should be clear that the jailing of a process is
ending when the process exits.

This is a preparation before introducing another option to set a process
as jailed until it calls the execve syscall.
@supercomputer7
Kernel: Add a prctl option to enter jail mode until an execve syscall
5effd89 
In addition to the already existing option to enter jail mode (which is
set indefinitely), there should be a less restrictive option that should
allow exiting jail mode when doing the execve syscall.

This option will be useful for programs that need this kind of security
layer only in their runtime, but they're meant to actually initiate
another program in the end.
@supercomputer7
LibCore: Add a method to jail a program until calling the execve syscall
ca5680b 
This will be used later on, within the Assistant program.
@supercomputer7
Assistant: Enter jail mode until calling the execve syscall
2ab2648 
Otherwise, programs will inherit the jailing property which might lead
to undesired behavior (such as `Terminal` running jailed `Shell`, for
example).
timschumi
timschumi requested changes Sep 9, 2024
View reviewed changes
Documentation/Kernel/Containers.md
Comment on lines 63 to +64

When the user process is jailed, it can't create or attach to other resources.
When the user process is jailed **until exit**, it can't create or attach to other resources.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be in the previous commit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timschumi timschumi timschumi requested changes

Assignees
No one assigned
Labels
ci-flakiness 👀 pr-needs-review PR needs review from a maintainer or community member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Assistant: Terminal is launched in jail mode
2 participants
@supercomputer7 @timschumi