DNS lookups inside a chroot

Jordan K. Hubbard jkh at apple.com
Mon Apr 18 16:18:00 PDT 2011


On Apr 18, 2011, at 3:42 AM, Rainer Müller wrote:

> Trace mode relies on DYLD_INSERT_LIBRARIES being passed to children in
> the environment. Then the loader overrides the syscall wrappers from
> libSystem with our own implementation.
> 
> From a security perspective it would be quite easy to break out of this.

Well, from a security perspective, you can also break out of a chroot easily enough, which is why FreeBSD enhanced chroot to the point where they now have "jails" which disallow a number of other key chroot-breakout operations, even when done as root.

What I thought we were talking about here was the ability to do host/target isolation, where you can build against a specific set of target commands and libraries without the host "polluting" the build environment (or, in turn, getting polluted *by* the build process).  This could be done with a manifest ("pull these files/directories from the host environment") which trace mode respects, either denying access to other read requests ("Sorry, autoconf, but I'm not letting you see the optional software on the host") or creating copies for the read/write case (obviously, newly created files would always end up in the "shadow location").

In other words, I don't think that security is or should be the goal of the trace mode enhancements I'm describing, it should be reproducibility and reliability.

- Jordan
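The manifest-respecting trace mode sketched above, as an added illustration that is not MacPorts code: a path-policy check that allows reads of manifested host paths, denies everything else, and redirects writes into a shadow location. The manifest contents, the shadow root and the function names are assumptions for the example.

```python
import os

# Constructed example manifest: host paths the build is allowed to read.
MANIFEST = ["/usr/lib", "/usr/bin", "/System/Library/Frameworks"]
SHADOW_ROOT = "/var/tmp/build-shadow"  # hypothetical "shadow location"


def _under(path, root):
    """True if path is root itself or a descendant of it.

    Comparison is component-wise, so /usr/libexec is NOT under /usr/lib
    even though it shares a string prefix with it.
    """
    rel = os.path.relpath(path, root)
    return rel == "." or not (rel == ".." or rel.startswith(".." + os.sep))


def resolve_open(path, writing, manifest=MANIFEST, shadow_root=SHADOW_ROOT, cwd="/"):
    """Classify an open() attempted by a traced build process.

    Returns (decision, effective_path) where decision is one of
    'allow' (read the host file), 'deny' (pretend it does not exist)
    or 'shadow' (serve a private copy inside the shadow location).
    Paths are compared lexically; resolving symlinks against the real
    host filesystem is a further step this example does not take.
    """
    # Anchor relative paths at cwd and collapse ".." so that
    # "/usr/lib/../local/lib" cannot slip past a naive prefix check.
    abs_path = os.path.normpath(os.path.join(cwd, path))

    # Anything already in the shadow tree is the build's own output.
    if _under(abs_path, shadow_root):
        return ("allow", abs_path)

    if not any(_under(abs_path, root) for root in manifest):
        # "Sorry, autoconf, but I'm not letting you see the optional software."
        return ("deny", abs_path)

    if writing:
        # Read/write on a manifested file: redirect to a copy in the shadow location.
        return ("shadow", os.path.join(shadow_root, abs_path.lstrip("/")))

    return ("allow", abs_path)
```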
