Comments (16)
The two key things that probably should be done regardless if we even want to start considering this:
- (a) forbid loadLibrary calls by default,
- (b) make reflection/MethodHandles only work through a Loader-defined interface which ensures you don't overstep your boundaries and reflect into the JVM (and, conveniently, handles remapping? :D).
That way, we significantly bump the amount of effort needed to get non-JVM-controlled code running, requiring an exploit in the JVM, LWJGL or STB libraries.
from fabric-loader.
So discussion with Player on this. It sounds like a simple idea but it could cause issues:
Easily bypassed with unsafe, asm, badly made natives. So it only guards against the most naive cases. Also I have heard that apparently openjdk is considering dropping some of the security stuff in future versions or delegating it behind a command line argument.
The suggested solution here is to encourage use of a proper sandboxing solution on OS level for security and other user action. Mods are just like any other software. You have the same risks running an exe vs a mod.
I don't see much of a point tbh. Perhaps for network activity but not much else
If it did any more than asie suggested, I suspect it would cause more trouble than it's worth. An in-depth permissions and sandboxing system would probably confuse users, irritate modders, and eat a lot of development time (sandboxing is notoriously difficult, to my knowledge).
I don't think malicious mods are enough of a problem to call for this. The incident with Tinkers is the only significant malware incident I'm aware of. Most malware mods are found on rehosting sites, and are infected copies of safe mods. Safe mods are almost all hosted on CurseForge. It's probably more effective to educate users about safe download locations, and potentially encourage signing mod .jars, so copies that have been tampered with can be identified (I think this is easier than sandboxing?).
Are there any documented incidents where a permission module would have helped?
Malware has been developed for Minecraft and distributed in mods mirrored on websites. A year or two back there was one for Tinker's that dropped executables to disk and ran them outside of the sandbox.
I'd say many of those reach a bit far; generally, I think we would only want to block things which go beyond the Minecraft engine's area of interest (access outside of gameDir/accessDir, raw fs/network/uncontrolled reflection, but not necessarily having configs or general data storage).
Could also just set it up so that only signed jars are allowed to do "dangerous" things as well.
Honestly I don’t think it’s needed, as it’s almost impossible to make it secure. People will find ways to get around it.
It could work better in a way where a mod says what it plans to do and asks the user if they are happy with it. But fabric would not enforce it.
Just a reminder that some mods (e.g. PSI) like to put global config files outside the game directory, so refusing filesystem access could be quite annoying.
I've started looking into it. A notable thing to make sure of is that there's a way to make (a) and (b) only apply to modded code and not Minecraft/library code (Gson, LWJGL, etc.) - it appears the most likely way is via (slow) stacktrace lookups. It remains to be seen how big an effect that has on performance (that is, how often both use methods such as .setAccessible(true) which propagate into a security check).
What about ProtectionDomains?
Didn't come to mind! I'll test it and see what happens.
Yeah, you are supposed to use those. Part of the JVM and allows for faster access checks. :-P
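The two comments above contrast stack-trace lookups with ProtectionDomain checks for telling mod code apart from Minecraft and library code. The following is an added illustration of the ProtectionDomain approach, not code from fabric-loader: it walks the stack with a `StackWalker` that retains `Class` references (so no per-frame `Class.forName` is needed), reads each class's `ProtectionDomain`/`CodeSource`, and treats anything loaded from a jar under `./mods` as mod code. The class name `ModCallerGuard`, the `./mods` directory and the rule "deny when any mod frame is on the stack" are assumptions made for this example; it also assumes the mod classloader defines classes with a `CodeSource` pointing at the jar, which `URLClassLoader` does by default.

```java
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.Optional;

/**
 * Classifies the code on the current call stack by ProtectionDomain rather than
 * by class name, so a guarded API (here: native library loading) can refuse
 * calls that originate from a mod jar while still serving engine and library code.
 * Example code, not part of fabric-loader.
 */
public final class ModCallerGuard {
    // Assumption for this example: mod jars live under ./mods and the loader's
    // classloader defines their classes with a CodeSource pointing at that jar.
    private static final Path MODS_DIR = Path.of("mods").toAbsolutePath().normalize();

    // RETAIN_CLASS_REFERENCE yields Class objects directly, avoiding a
    // Class.forName round trip through the classloader for every frame.
    private static final StackWalker WALKER =
            StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE);

    private ModCallerGuard() {}

    /** True if this ProtectionDomain's code was loaded from a jar under MODS_DIR. */
    public static boolean isModCode(ProtectionDomain pd) {
        if (pd == null) return false;                             // bootstrap classes
        CodeSource cs = pd.getCodeSource();
        if (cs == null || cs.getLocation() == null) return false; // JDK modules (jrt:) etc.
        try {
            Path location = Path.of(cs.getLocation().toURI()).toAbsolutePath().normalize();
            return location.startsWith(MODS_DIR);
        } catch (Exception e) {
            return false; // non-file code source (http:, jrt:): not a mod jar on disk
        }
    }

    /** Returns the nearest stack frame whose class was loaded from a mod jar, if any. */
    public static Optional<Class<?>> findModCaller() {
        return WALKER.walk(frames -> frames
                .map(StackWalker.StackFrame::getDeclaringClass)
                .filter(c -> c != ModCallerGuard.class)           // skip our own frames
                .filter(c -> isModCode(c.getProtectionDomain()))
                .findFirst());
    }

    /** Guarded replacement for System.loadLibrary: denied when a mod is on the stack. */
    public static void loadLibrary(String name) {
        Optional<Class<?>> mod = findModCaller();
        if (mod.isPresent()) {
            throw new SecurityException("loadLibrary(\"" + name + "\") denied for mod class "
                    + mod.get().getName() + " from "
                    + mod.get().getProtectionDomain().getCodeSource().getLocation());
        }
        System.loadLibrary(name);
    }

    public static void main(String[] args) {
        // Run from a classes directory or a jar outside ./mods, this class is not mod code.
        ProtectionDomain pd = ModCallerGuard.class.getProtectionDomain();
        System.out.println("code source : "
                + (pd.getCodeSource() == null ? "none" : pd.getCodeSource().getLocation()));
        System.out.println("is mod code : " + isModCode(pd));
        System.out.println("mod caller  : " + findModCaller().map(Class::getName).orElse("none"));
    }
}
```

Two design points worth noting. The walk stops at the first mod frame, so the cost scales with stack depth only until a mod class is found, and the expensive part of the string-based variant (mapping a class name back to a `Class` through the right classloader) disappears. The policy "any mod frame on the stack denies the call" is deliberately conservative and will also block library code that a mod legitimately triggers, so a loader would pair it with an allow-list for its own and the engine's domains; and, as the thread already notes, it does nothing against code that reaches natives through Unsafe or generated bytecode.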
I like the idea of only allowing signed jars to do anything potentially dangerous
Code permission/sandboxing is definitely a potential role of fabric loader (as this stuff may be mixin/entrypoint related); we should list clearly what we desire to accomplish (e.g. block access to parent directory of game dir; signature verification).
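Several comments in this thread (signing mod .jars so tampered copies can be identified, and letting only signed jars do "dangerous" things) rely on the loader being able to check a jar's signature. The block below is an added example of that check using only `java.util.jar` and is not fabric-loader code: it opens the jar in verifying mode, forces every non-signature entry to be read so its digest is compared against the signed manifest, and then requires each entry to carry at least one signer the caller's policy trusts. The class name `ModJarSignatureCheck`, the `Verdict` record and the `Predicate<X509Certificate>` trust hook are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Predicate;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Verifies that every entry of a mod jar is signed by a signer the loader trusts. Example code. */
public final class ModJarSignatureCheck {

    /** Outcome for one jar: whether it passed, which signers were seen, and why it failed. */
    public record Verdict(boolean trusted, Set<String> signers, String reason) {}

    private ModJarSignatureCheck() {}

    /** Files that jarsigner itself does not sign (the manifest and the signature blocks). */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/")) return false;
        return n.equals("META-INF/MANIFEST.MF")
                || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    public static Verdict verify(Path jar, Predicate<X509Certificate> trustedSigner) throws IOException {
        TreeSet<String> signers = new TreeSet<>();
        // verify=true makes JarFile check each entry's digest against the signed manifest
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                if (entry.isDirectory() || isSignatureRelated(name)) continue;

                // Signers are only available after the entry has been read in full;
                // a digest mismatch (modified bytes) surfaces as a SecurityException here.
                try (InputStream in = jf.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream());
                } catch (SecurityException e) {
                    return new Verdict(false, signers, "tampered entry " + name + ": " + e.getMessage());
                }

                CodeSigner[] cs = entry.getCodeSigners();
                if (cs == null || cs.length == 0) {
                    // An entry added after signing has no digest in the manifest and no signer
                    return new Verdict(false, signers, "unsigned entry " + name);
                }
                boolean ok = false;
                for (CodeSigner signer : cs) {
                    X509Certificate leaf =
                            (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    signers.add(leaf.getSubjectX500Principal().getName());
                    ok |= trustedSigner.test(leaf);
                }
                if (!ok) {
                    return new Verdict(false, signers, "entry " + name + " signed only by untrusted signers");
                }
            }
        }
        return new Verdict(true, signers, "every entry is signed by a trusted signer");
    }

    public static void main(String[] args) throws IOException {
        // Demo policy: report the signers and accept any of them. A real loader would
        // pin the certificate (or its public key) of each signer it trusts here.
        Verdict v = verify(Path.of(args[0]), cert -> true);
        System.out.println((v.trusted() ? "TRUSTED " : "REJECTED ") + args[0] + ": " + v.reason());
        System.out.println("signers: " + v.signers());
    }
}
```

Usage: `java ModJarSignatureCheck some-mod.jar`. The check catches the two tampering cases the thread is concerned with: bytes of an existing entry changed (digest mismatch) and a new entry smuggled in after signing (no signer). It does not evaluate certificate validity periods or revocation, and `cert -> true` only reports who signed; the value for a loader comes from replacing that predicate with a pinned set of trusted certificates before unlocking anything privileged.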