Conversation with #inferno at Mon Mar 25 05:59:07 2013 on powerman@irc.freenode.net (irc)
(05:59:07) #inferno: Topic for #inferno set by mennis at 17:30:16 on 12/28/09
(05:59:25) leetspete: Anyone heard of any fun tricks for disallowing access to '#U*/'? 'pctl nodevs' breaks lots of things (acme, charon, etc.) but I really just need to break access to the host fs.
(06:01:04) powerman: leetspete: maybe it's possible to build emu without #U driver at all
(06:01:25) leetspete: 'devcmd.c' was easy enough to exclude from getting built into emu, but I get build errors if I try to get rid of devfs.c.
(06:03:40) powerman: patch the driver to return error on access?
(06:04:07) leetspete: I think it's the same driver used to bind $ROOT into Inferno's namespace, so...
(06:04:36) powerman: nodevs is designed to run small untrusted code in sandbox, not to run overall OS with wm and acme, I think
(06:06:02) leetspete: Yeah...if I'm going to allow public access, then I think I need to stop access to '#U*/', though.
(06:06:02) powerman: yes, it includes $ROOT, but only when used without spec: '#U'. if used as '#Uanything' you can return error without breaking access to $ROOT
(06:06:51) powerman: also you can run emu in host os jail/chroot
(06:09:24) leetspete: powerman: BRILLIANT! fsattach() returns Ebadspec after doing some checks. There's even already a check in devfs-posix.c for emptystr(spec)!
(06:11:33) leetspete: powerman: It worked!!
(06:11:39) powerman: cool
(06:12:08) leetspete: Thanks so much. I have been doing nonsense with chroot() and nodevs and all sorts of things.
(06:12:28) leetspete: This actually does exactly the thing I am trying to do.
(06:23:00) leetspete: I guess if anyone's curious and for logs and posterity and whatnot, in devfs-posix.c, in fsattach:
(06:24:18) leetspete: "if(!emptystr(spec) && strcmp(spec, "*") != 0) error(Ebadspec);" -> "if(!emptystr(spec) /*&& strcmp(spec, "*") != 0*/) error(Ebadspec);"
(06:29:25) The account has disconnected and you are no longer in this chat. You will automatically rejoin the chat when the account reconnects.