Hello, during the past days I've been working on a path sandbox which prevents any user read or write access to specified directory prefixes. Initially I worked on code by karltk which makes use of ptrace to trace the system calls directly. Due to lack of documentation and obscure behaviour I've postponed the work on that version. I've therefore started the approach of providing alternative implementations of all file functions that are offered by glibc. Attached is a first version of what I've come up with.

After de-archiving, build the library with 'make -f sandbox.makefile'. You should quickly end up with a 'sandbox.so' file. Now just run the sandbox by executing './sandbox'. You should now be in the protected environment.

Three environment variables control the behaviour of the sandbox:

SANDBOX_DENY  : path prefixes that deny access in every way
SANDBOX_READ  : path prefixes that only allow read
SANDBOX_WRITE : path prefixes that only allow write

Note that write permissions don't imply read permissions. Separate different entries in the regular way, with colons. You can adapt the variables at any time; the sandbox adapts itself dynamically.

Since a few shell utilities reset the LD_PRELOAD variable that is needed for all this to work, I've created default aliases for 'make' and 'su'. This should ensure that the default usage of these commands maintains the protected environment. Probably there are other commands that behave this way, but I haven't found them yet.

I hope this is of use and I'll continue testing it and trying to measure and enhance its performance.

Best regards,
Geert

--
Geert Bevin                    the Leaf sprl/bvba
"Use what you need"            Pierre Theunisstraat 1/47
http://www.theleaf.be          1030 Brussels
gbevin@theleaf.be              Tel & Fax +32 2 241 19 98
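The mechanism described in the mail (an LD_PRELOAD library that replaces glibc file functions and consults SANDBOX_DENY / SANDBOX_READ / SANDBOX_WRITE on every call), shown as an added example that is not Geert's attached code. It assumes Linux, implements the colon-separated prefix matching and the "write does not imply read" rule, and interposes open() by falling through to the raw openat syscall rather than dlsym(RTLD_NEXT); the names sandbox_allows and matches_prefix_list are my own.

```c
/* Added example: policy core of an LD_PRELOAD path sandbox (not the original sandbox.so).
   Build as a preload library with: gcc -shared -fPIC -o sandbox.so sandbox.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Return 1 if `path` starts with any colon-separated prefix listed in env var `var`. */
static int matches_prefix_list(const char *var, const char *path)
{
    const char *list = getenv(var);
    if (!list) return 0;
    while (*list) {
        const char *end = strchr(list, ':');
        size_t len = end ? (size_t)(end - list) : strlen(list);
        if (len && strncmp(path, list, len) == 0) return 1;   /* prefix hit */
        if (!end) break;
        list = end + 1;                                         /* next entry */
    }
    return 0;
}

/* 1 = allowed, 0 = denied. The environment is re-read on each call, so the
   policy can be changed while the sandbox is running (as the mail describes). */
int sandbox_allows(const char *path, int want_read, int want_write)
{
    if (matches_prefix_list("SANDBOX_DENY", path)) return 0;          /* denied outright */
    if (want_write && matches_prefix_list("SANDBOX_READ", path)) return 0; /* read-only prefix */
    if (want_read && matches_prefix_list("SANDBOX_WRITE", path)) return 0; /* write-only prefix */
    return 1;
}

/* Interposed open(): refuse with EACCES, otherwise hand the request to the kernel. */
int open(const char *path, int flags, ...)
{
    int acc = flags & O_ACCMODE;
    int want_read  = (acc == O_RDONLY || acc == O_RDWR);
    int want_write = (acc == O_WRONLY || acc == O_RDWR || (flags & (O_CREAT | O_TRUNC)));
    if (!sandbox_allows(path, want_read, want_write)) { errno = EACCES; return -1; }
    int mode = 0;
    if (flags & O_CREAT) { va_list ap; va_start(ap, flags); mode = va_arg(ap, int); va_end(ap); }
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}
```

A complete library would wrap the rest of the glibc file API the same way (fopen, creat, unlink, rename, mkdir, and so on), each reducing to one sandbox_allows() call.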