LD_PRELOAD work in progress
Jamie Strandboge
jamie at canonical.com
Mon Mar 2 15:35:05 UTC 2015
On 03/02/2015 09:07 AM, Michael Terry wrote:
> Sorry, I've been distracted by unity8 work and holiday, but I'm coming back to
> this thread.
>
> So my original goal was to easily (and in shortish time frame) use archive debs
> in a very fat (non-phone) snap. Seems there are several possible ways to do
> that (this list is collated from this thread, looking largely at features
> instead of maintenance or security complexity):
>
Thanks for this!
> Overlayfs (currently blessed approach):
> - Won't work on android kernels without significant backport work on our end
>
- Won't (currently) work with apparmor without significant effort (LP: #1408106)
(this may not be as dire as that-- we are investigating new changes being made
upstream now and should know more this week. However, is isn't all rosy either--
we know upstream has plans to work better with LSMs, but it isn't implemented yet)
> LD_PRELOAD:
> - Is hairy to get right for all cases (many obscure low-level entry points that
> take a filename, pitti warns there are gaps)
> - App might make a direct ioctl calls that can't be intercepted
I'm somewhat confused by this: doesn't the ioctl(2) call take an open fd and
therefore we wouldn't need to do anything special for it?
> - Can't work for programs that statically-link glibc (which isn't so bad because
> those aren't likely to want to pull in other debs)
> - Won't work for set[ug]id programs (which isn't a problem for snappy use cases
> right now, I believe)
Correct. Apps can't ship setuid/setgid programs
> Aufs:
> - (out of my historical depth) Old competitor of overlayfs that we could
> resurrect in cases that overlayfs can't work, so there would be some maintenance
> work on our end to make this deprecated technology work again
- needs some apparmor changes to work correctly
--
Jamie Strandboge http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/snappy-devel/attachments/20150302/433a0e91/attachment.pgp>
More information about the snappy-devel
mailing list