about summary refs log tree commit diff stats
path: root/sandboxing
diff options
context:
space:
mode:
authorKartik K. Agaram <vc@akkartik.com>2021-12-25 08:49:52 -0800
committerKartik K. Agaram <vc@akkartik.com>2021-12-25 08:49:52 -0800
commit732903fc18effa9c48e4f68de55dae1a14b5754f (patch)
treeeb734902d579027baeb32b8efa598fafbd66a49f /sandboxing
parent1b25d58a4f6d7aab8065f848f3fb7327f91e3738 (diff)
downloadteliva-732903fc18effa9c48e4f68de55dae1a14b5754f.tar.gz
sandbox: record scenarios I've thought of so far
Diffstat (limited to 'sandboxing')
-rw-r--r--sandboxing/README.md28
1 files changed, 24 insertions, 4 deletions
diff --git a/sandboxing/README.md b/sandboxing/README.md
index 7e20d04..b816927 100644
--- a/sandboxing/README.md
+++ b/sandboxing/README.md
@@ -9,13 +9,33 @@ doesn't invoke any OS syscalls.
 
 Things to secure:
 * files opened (for read/write) on file system
-* what gets written to files on file system
+
 * destinations opened (for read/write) on network
   * `inet_tryconnect` // `socket_connect`
   * `inet_tryaccept` // `socket_accept`
-* what gets written to network
-  * `socket_send`, `socket_sendto`
-  * `socket_recv`, `socket_recvfrom`
+
+It seems more difficult to control what is written to a file or socket once
+it's opened. For starters let's just focus on the interfaces that convert a
+string path or url to a file descriptor.
+
+Scenarios:
+  * (1) app reads system files
+  * (1) app sends data to a remote server
+  * (2) app can read from a remote server but not write (POST)
+  * app gains access to a remote server for a legitimate purpose, reads
+    sensitive data from the local system file for legitimate purpose. Now
+    there's nothing preventing it from exfiltrating the sensitive data to the
+    remote server.
+    - (2) solution: make it obvious in the UI that granting both permissions
+      allows an app to do anything. Educate people to separate apps that read
+      sensitive data from apps that access remote servers.
+    - (2) solution: map phases within an app to distinct permission sets
+  * (3) app wants access to system() or exec()
+
+Difficulty levels
+  1. I have some sense of how to enforce this.
+  2. Seems vaguely doable.
+  3. Seems unlikely to be doable.
 
 ## Bottom up