# Jake's Weekly - 31st Jan 2022

January 31, 2022 · 3 min · Jake Hillion
https://blog.hillion.co.uk/posts/weekly-2022-01-31/

## Research Project

### Process Isolation

- Built three privilege separated test applications.
- Wrote a privilege separated fib implementation ([fib_priv_sep.c](https://gitea.hillion.co.uk/JakeHillion/ocaml-cgroups2/src/branch/main/examples/fib/fib_priv_sep.c)).
  - Pretty basic separation as the program is trivial. In the later cp example I did privilege separate the arguments, but I didn’t for the purpose of fib.
  - Starting to build up a structure. The files are structured to have a `main` implementation reminiscent of the eventual shim, while the functions like `real_main` would come from the eventual binary.
- Wrote a privilege separated echo implementation ([echo_priv_sep.c](https://gitea.hillion.co.uk/JakeHillion/ocaml-cgroups2/src/branch/main/examples/echo/echo_priv_sep.c)).
  - This brings in some of the more advanced ideas like IPC. Currently I’m using pipes to pass the fds between processes.
  - Another advanced idea in this program is the idea that the shim will need to spin up long running “broker” processes. Proper process separation in the echo application requires the ability to spin up new processes on demand. This application shows how that can be done.
    - A well-privileged cloned process is spun up, and a pipe created to that for carrying arguments to the unprivileged process.
    - This process uses its privilege to spin up new processes for each child request (in this case, per TCP flow).
  - Uses `CLONE_FS` to keep the file descriptor tables synced in certain circumstances but not others. Still shares some fds that it could not though (due to copy-on-write).
- Wrote a privilege separated cp implementation ([cp_priv_sep.c](https://gitea.hillion.co.uk/JakeHillion/ocaml-cgroups2/src/branch/main/examples/cp/cp_priv_sep.c)).
  - The cp implementation mainly focuses on separating out the argument processing, something not done in either of the others. This isn’t particularly well suited to C, as it’s non-trivial to serialize and deserialize things into pipes. Another alternative is sharing virtual memory down and then working from there. For now, I’m sharing a struct with a couple of pointers.
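The shim structure described for fib (a `main` that stands in for the eventual shim, a `real_main` that stands in for the eventual binary), the pipe IPC from the echo example and the argument serialization from the cp example, combined into one self-contained C program. This is an added example, not code from the post or from the ocaml-cgroups2 repository: the privileged parent packs `argv` into length-prefixed bytes and ships them through a pipe, the forked worker marks itself `no_new_privs`, validates every length it reads as untrusted input, and only then calls `real_main`. No pointers cross the pipe, because a pointer is meaningless in the other process's address space unless memory is shared. The names `shim_run`, `pack_args`, `unpack_args`, the wire format and the fib body are all assumptions for this example; it assumes Linux for `prctl` and POSIX elsewhere.

```c
/* Added example, not the post's or the ocaml-cgroups2 repository's code: a
 * minimal privilege-separation shim. main() stands in for the eventual shim,
 * real_main() for the eventual binary. Every name here is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/wait.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
#define MAX_ARGS 16
#define MAX_BUF  4096

/* Pipe wire format: uint32 argc, then per argument a uint32 length and the
 * bytes (no NUL). Returns the packed size, or -1 if it does not fit. */
static ssize_t pack_args(int argc, char **argv, uint8_t *buf, size_t cap)
{
    size_t off = 0;
    uint32_t n = (uint32_t)argc;
    if (argc < 0 || argc > MAX_ARGS || cap < sizeof n) return -1;
    memcpy(buf, &n, sizeof n); off += sizeof n;
    for (int i = 0; i < argc; i++) {
        size_t len = strlen(argv[i]);
        uint32_t l = (uint32_t)len;
        if (cap - off < sizeof l + len) return -1;
        memcpy(buf + off, &l, sizeof l); off += sizeof l;
        memcpy(buf + off, argv[i], len); off += len;
    }
    return (ssize_t)off;
}

/* Inverse of pack_args. The worker treats the pipe as untrusted input: each
 * length is checked against the bytes remaining before it is used. Fills argv
 * with heap copies; returns argc, or -1 on malformed or oversized input. */
static int unpack_args(const uint8_t *buf, size_t len, char **argv, int max)
{
    size_t off = 0;
    uint32_t n, l;
    if (len < sizeof n) return -1;
    memcpy(&n, buf, sizeof n); off += sizeof n;
    if (n > (uint32_t)max) return -1;
    for (uint32_t i = 0; i < n; i++) {
        if (len - off < sizeof l) return -1;
        memcpy(&l, buf + off, sizeof l); off += sizeof l;
        if (l > len - off) return -1;
        if (!(argv[i] = malloc((size_t)l + 1))) return -1;
        memcpy(argv[i], buf + off, l); argv[i][l] = '\0'; off += l;
    }
    return (int)n;
}

/* Stand-in for the eventual binary's entry point: iterative fib, with the
 * low 7 bits of the result handed back as the exit status. */
static int real_main(int argc, char **argv)
{
    if (argc != 2) return 2;
    unsigned long n = strtoul(argv[1], NULL, 10), a = 0, b = 1;
    for (unsigned long i = 0; i < n; i++) { unsigned long t = a + b; a = b; b = t; }
    printf("fib(%lu) = %lu\n", n, a);
    return (int)(a % 128);
}

/* The shim: the parent keeps its privilege and only ships arguments; the
 * worker locks itself down and calls real_main. Returns the worker's exit
 * status, or -1 on a shim-side failure. */
static int shim_run(int argc, char **argv)
{
    uint8_t buf[MAX_BUF];
    int pfd[2], status = 0;
    ssize_t w, n = pack_args(argc, argv, buf, sizeof buf);
    if (n < 0 || pipe(pfd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        uint8_t in[MAX_BUF]; char *wargv[MAX_ARGS];
        size_t got = 0; ssize_t r;
        close(pfd[1]);
#ifdef __linux__
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); /* no privilege regain via execve */
#endif
        while (got < sizeof in && (r = read(pfd[0], in + got, sizeof in - got)) > 0)
            got += (size_t)r;
        close(pfd[0]);
        int wargc = unpack_args(in, got, wargv, MAX_ARGS);
        int rc = wargc < 0 ? 3 : real_main(wargc, wargv);
        fflush(stdout); _exit(rc);
    }
    close(pfd[0]);
    for (size_t sent = 0; sent < (size_t)n; sent += (size_t)w)
        if ((w = write(pfd[1], buf + sent, (size_t)n - sent)) <= 0) break;
    close(pfd[1]); /* EOF tells the worker the argument spec is complete */
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    char *fallback[] = { "fib", "10" };
    return argc < 2 ? shim_run(2, fallback) : shim_run(argc, argv);
}
```

Compile with `cc -o shim shim.c` and run `./shim fib 12`; the parent returns the worker's exit status (here `fib(12) mod 128`). The example uses `fork()` rather than `clone()` flags; if you reach for `clone()` to share one descriptor table between the two sides, the Linux flag that does that is `CLONE_FILES`, while `CLONE_FS` shares root directory, working directory and umask.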
### Up Next

I think the best goal is to try and turn these C samples into something more general. There are three main parts so far:

- Multiple entry-points in different processes with different clone specs.
- IPC.
- Broker processes to spawn more later on.

For now, I think the most useful thing will be a shim which takes an external spec. The final goal is to pull this from the ELF and incorporate it in the binary, but for now something simple like JSON would be easier to work with.

## Modules

### Introduction to Systems Research

Read Exokernel (Engler et al., 1995), Multikernel (Baumann et al., 2009) and Unikernel (Madhavapeddy et al., 2013). Reviewed Multikernel. Some interesting ideas, and a particular theme was that all of the authors appear to think that users of operating systems think like systems programmers. Something to be aware of in this project to