[OLPC Security] Some progress today
Michael Stone
michael at laptop.org
Wed Oct 31 16:20:33 EDT 2007
On Wed, Oct 31, 2007 at 04:04:45PM -0400, Marcus Leech wrote:
> I was able to get Terminal to run with the simple expedient of mounting
> home/olpc rw in the island environment.
Ah hah. We should file a bug against Terminal describing the state of
its non-compliance.
> But also, network access wasn't there. That is, eth0 was there, but
> only partially, and it didn't have an IP address.
> That's fine (possibly) for Terminal, but other apps with *legitimate*
> need for network access will fail.
This is exactly what the source code at stages/sugar.py:begin()
indicates should happen when it sets "net_caps" to "None".
Defining net_caps to be something true-ish will enable network access
for the program being launched.
> I tried Web, and it started executing then died with a SIGSEGV.
>
> I tried TamTamJam, and it died after trying to get at the network and
> failing. It looks like PF_INET isn't supported in the
> container unless it's turned on explicitly (associated with a network
> context?).
The simplest way to allow networking is to simply not enter the network
context. This is what setting net_caps to a true-ish object accomplishes.
The other mechanism is to add an IP address to the net_ctx
object created in stages/activation.py:launch() using its add_address()
method.
Michael