From 202c2b03bc63d9028b6b3e268b2ac53029180a9d Mon Sep 17 00:00:00 2001 From: Chris Dance Date: Wed, 3 Apr 2013 13:19:33 +1200 Subject: [PATCH] Readme update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit  - reference to what else the sandbox restricts. --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 389a5d6..bd817df 100644 --- a/README.md +++ b/README.md @@ -78,9 +78,9 @@ with the following known exceptions: ##How it works ```gswin32c-trapped.exe``` first determines a whitelist of resources required to perform the conversion. It then -execs a child process within a sandbox to perform the task. The whitelist of resources is dynamically -constructed by determining the input file and output file/directory from the supplied command-line arguments. -The Ghostscript interpreter code may only access: +execs a child process within a strongly contained sandbox to perform the task. The whitelist of allowed resources +is dynamically constructed by determining the input file and output file/directory from the supplied +command-line arguments. The Ghostscript interpreter's access rights is restricted and it may only access: * Read only access to the Windows Fonts directory. * Read only access to application-level registry keys (HKLM\Software\GPL Ghostscript). @@ -89,6 +89,9 @@ The Ghostscript interpreter code may only access: * Write access to the user-level Temp directory. * Write access to the output directory (OutputFile). +The sandbox also constrains the execution process on an isolated desktop session to prevent +[shatter attacks](http://en.wikipedia.org/wiki/Shatter_attack") and limits IPC and other potential +escape vectors. ##Release History
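Review bot: Subject-verb agreement in the first hunk's rewritten line: "The Ghostscript interpreter's access rights is restricted" should read "access rights are restricted" (or simply "The Ghostscript interpreter's access is restricted and it may only access:"). The added qualifier "strongly contained sandbox" also reads as an unsupported adjective in a README that otherwise lists concrete restrictions; the surrounding bullet list already does the work, so "within a sandbox" as in the removed line is enough.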
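Review bot: The Markdown link in the second hunk is broken by a stray double quote: `[shatter attacks](http://en.wikipedia.org/wiki/Shatter_attack")` should be `[shatter attacks](http://en.wikipedia.org/wiki/Shatter_attack)`, otherwise the rendered link target includes the `"` and resolves to the wrong URL. The sentence "constrains the execution process on an isolated desktop session" is also awkward; "runs the child process on an isolated desktop" states the mitigation directly. Finally, "limits IPC and other potential escape vectors" is too vague to be useful to someone assessing the sandbox: name the mechanisms the sandbox actually applies (which IPC channels are blocked and how) or drop the clause, so readers can verify the claim rather than trust it.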