DNS lookups inside a chroot
Rainer Müller
raimue at macports.org
Mon Apr 18 03:42:29 PDT 2011
On 04/17/2011 11:25 PM, Jordan K. Hubbard wrote:
> Perhaps a better idea would be to enhance trace mode such that it
> "faults in" stuff on demand into a run-specific staging area.
> Read-only opens of the files in the system would succeed, of course,
> it being only creations or rw/append opens which forced the copy,
> which means it wouldn't run all that slowly either. What's the
> current behavior of trace mode across fork/exec boundaries? Do the
> children get the properly interposed library such that they're also
> talking to the trace bits rather than the filesystem APIs directly?
Trace mode relies on DYLD_INSERT_LIBRARIES being passed to children in
the environment. Then the loader overrides the syscall wrappers from
libSystem with our own implementation.
From a security perspective it would be quite easy to break out of this.
Rainer
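The two weaknesses Rainer alludes to can be shown in a few lines of C. This is an added example, not MacPorts code: `traced_open()` stands in for the open(2) wrapper that trace mode's inserted library substitutes for libSystem's, and the "only create files under the staging directory" policy it enforces is invented for the demo. It is called directly rather than injected with DYLD_INSERT_LIBRARIES so that it builds and runs on any POSIX system (LD_PRELOAD is the Linux counterpart of the same mechanism). The escape routes are the real ones: `raw_open()` enters the kernel through syscall(2), so the interposed symbol is never reached, and `spawn_child()` with `scrub` set execs a child whose environment no longer carries the variable, so the child and all of its descendants run untraced. `demo_escape()` and `demo_child_hook()` are hypothetical driver names.

```c
// Added example (not part of the macports-dev thread or MacPorts itself):
// why an environment-injected libc interposer is easy to escape.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Invented trace policy: files may only be created below g_sandbox.
 * In real trace mode this would be the open() replacement that dyld
 * installs from the inserted library; here it is an ordinary function. */
static const char *g_sandbox = "/nonexistent";

void trace_set_sandbox(const char *dir) { g_sandbox = dir; }

int traced_open(const char *path, int flags, mode_t mode) {
    int creating = (flags & (O_WRONLY | O_RDWR | O_CREAT)) != 0;
    size_t n = strlen(g_sandbox);
    if (creating && (strncmp(path, g_sandbox, n) != 0 || path[n] != '/')) {
        errno = EPERM;                 /* the tracer refuses the write ... */
        return -1;
    }
    return open(path, flags, mode);    /* ... or forwards to the real open() */
}

/* Bypass 1: talk to the kernel directly. No libc wrapper, no interposer. */
int raw_open(const char *path, int flags, mode_t mode) {
#ifdef SYS_openat
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
#else
    return (int)syscall(SYS_open, path, flags, mode);
#endif
}

/* Bypass 2: children are traced only because they inherit the variable.
 * With scrub != 0 the child is exec'd without DYLD_* (and LD_PRELOAD, its
 * Linux twin) in its environment. Returns the child's exit status. */
int spawn_child(const char *path, char *const argv[], int scrub) {
    size_t n = 0, k = 0;
    while (environ[n]) n++;
    char **envp = calloc(n + 1, sizeof *envp);   /* NULL-terminated by calloc */
    if (!envp) return -1;
    for (size_t i = 0; i < n; i++) {
        if (scrub && (strncmp(environ[i], "DYLD_", 5) == 0 ||
                      strncmp(environ[i], "LD_PRELOAD=", 11) == 0))
            continue;
        envp[k++] = environ[i];
    }
    pid_t pid = fork();
    if (pid == 0) { execve(path, argv, envp); _exit(127); }
    free(envp);
    if (pid < 0) return -1;
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Driver: 1 if the raw syscall created a file the wrapper had refused. */
int demo_escape(void) {
    char dir[] = "/tmp/tracedemo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char stage[4096], outside[4096];
    snprintf(stage, sizeof stage, "%s/stage", dir);
    snprintf(outside, sizeof outside, "%s/escaped", dir);
    mkdir(stage, 0700);
    trace_set_sandbox(stage);

    int denied = traced_open(outside, O_WRONLY | O_CREAT, 0600) == -1 && errno == EPERM;
    int fd = raw_open(outside, O_WRONLY | O_CREAT, 0600);
    int created = fd >= 0 && access(outside, F_OK) == 0;
    if (fd >= 0) close(fd);
    unlink(outside); rmdir(stage); rmdir(dir);
    return denied && created;
}

/* Driver: pretend we run under trace mode, then ask a child whether it
 * still sees the variable. Exit 0 means "not traced". */
int demo_child_hook(int scrub) {
    setenv("DYLD_INSERT_LIBRARIES", "/tmp/trace.dylib", 1);  /* constructed value */
    char *const argv[] = { "/bin/sh", "-c", "test -z \"$DYLD_INSERT_LIBRARIES\"", NULL };
    return spawn_child("/bin/sh", argv, scrub);
}

int main(void) {
    printf("raw syscall escaped the traced wrapper: %s\n", demo_escape() ? "yes" : "no");
    printf("child traced (inherited env):  %s\n", demo_child_hook(0) == 0 ? "no" : "yes");
    printf("child traced (scrubbed env):   %s\n", demo_child_hook(1) == 0 ? "no" : "yes");
    return 0;
}
```

The point of the demo is that an interposer only sees calls that go through the symbol it replaced, and only in processes that loaded it; anything that enforces a policy against a hostile build has to live on the kernel side of that boundary, not in the process being traced. (On current macOS, SIP additionally makes dyld ignore DYLD_* for platform binaries, so the inherited-environment hook is lost for those children regardless of scrubbing.)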
More information about the macports-dev
mailing list