LD_PRELOAD work in progress
Jamie Strandboge
jamie at canonical.com
Thu Feb 26 19:01:31 UTC 2015
On 02/26/2015 12:31 PM, Steve Langasek wrote:
> On Wed, Feb 25, 2015 at 11:43:44AM -0600, Jamie Strandboge wrote:
>> So, thinking about what overlayfs is trying to solve more-- there are really
>> three things that could be in the overlay area:
>> * libraries
>> * executables
>> * data files
>
>> There are essentially two things that we've thus far been thinking about that
>> may use overlays:
>> * apps that reuse existing debs
>> * frameworks
>
> This formulation seems to suggest that frameworks would not reuse existing
> debs. But we have at least one case where we're trying to enable exactly
> that, namely comfy. How does that map to your model?
>
I didn't mean to suggest that per se, but I've always thought of comfy as
something different: eg, a way to extend the system with useful tools but that
other snaps wouldn't depend on. Certainly this is delivered as a snap, but I'm
not sure if this is a normal snap with unconfined security policy for each
binary or a special snap with no security policy attached to it.
We've defined frameworks (and yes, I realize this hasn't hit the public list
yet-- that is something I need to pick up) as: "frameworks exist primarily to
provide mediation of shared resources (eg, ports, device files, sensors,
cameras, etc)" and "frameworks are tightly coupled with separately maintained
security policies that extend the security policy available to apps consuming a
framework". This doesn't work with comfy-- eg, if comfy provides vim, and vim
requires rw to everything on the system, and vim allows scripting, and a snap is
allowed to use vim under vim's policy, then the snap can break out of confinement.
But to your point about (non-comfy) frameworks, because frameworks need to be
defined so specially, I imagine in practice they wouldn't use a lot of existing
debs, but I don't see why they couldn't if they really wanted to.
--
Jamie Strandboge http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/snappy-devel/attachments/20150226/a06ebf9d/attachment.pgp>
More information about the snappy-devel
mailing list