
disable #include (new branch) #4

Open
mgranberry wants to merge 1 commit into llvm-dcpu16:dcpu16 from mgranberry:online

@mgranberry
Member

This patch disables all file-reading preprocessor directives (that I know of) to improve security for the online clang instance.

@krasin
Contributor

krasin commented Apr 20, 2012

Testing...

@krasin
Contributor

krasin commented Apr 20, 2012

It appears that Clang tests are broken, see #5.
I will fix them tomorrow and merge this CL.

In the unlikely case that I would forget about it, please, ping me.

@krasin
Contributor

krasin commented Apr 20, 2012

I have sent a fix for #5 (see #6).

Regarding this CL: I have thought a bit and it seems that instead of maintaining a branch for this feature, it would be better to put it behind a flag, like -disable-include-directive or something like that.

@yrrebnarg Do you think it's a good idea? Would it be more convenient to you than two different DCPU16 Clangs (from dcpu16 and online branches)? If yes, I'm fine to implement a flag and adapt your patch.

@krasin
Contributor

krasin commented Apr 20, 2012

In the long term, I think that using seccomp "mode 2" is the preferred way to isolate Clang from the rest of the system. Ubuntu 12.04 already supports it and the upstream kernel will hopefully get it in 3.5.

@mgranberry
Member Author

I agree that maintaining a separate branch seems like a lot of work. I'm personally comfortable leaving a cross-compiling Clang running in an empty chrooted jail.

On Friday, April 20, 2012 at 5:28 PM, krasin wrote:

In the long term, I think that using seccomp "mode 2" is the preferred way to isolate Clang from the rest of the system. Ubuntu 12.04 already supports it and the upstream kernel will hopefully get it in 3.5.


