Limitations of Plash
- Plash does not address resource accounting or denial of service. Sandboxed processes can consume memory, disc space and CPU.
- Plash does not address revocation.
  - Plash does not have a way to revoke file descriptors that have been passed to sandboxed processes. Linux's new revoke() system call is not adequate for this purpose because it revokes all file descriptors that refer to an inode. Ideally there should be a way to create revokable proxies for file descriptors.
- Plash does not restrict network access. It does not stop sandboxed processes from communicating with each other. This is a limitation of ChrootSetuidJail.
- Granting access to the X Window System is all-or-nothing. See X11Security.
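The revokable file-descriptor proxy the revocation item above asks for, sketched as an added example (not Plash code) in Python: the sandboxed side is handed a pipe end, a relay thread copies bytes from the real descriptor into it, and revoke() closes only that pipe, so every other holder of the underlying file keeps working, which is exactly what an inode-wide revoke() would not allow. It assumes a read-only proxy; a writable one would need a second relay in the other direction.

```python
import os
import select
import threading


class RevocableFd:
    """Read-only revocable proxy for a descriptor (illustration, not Plash code)."""

    def __init__(self, real_fd):
        # The consumer gets proxy_r (a pipe read end); a relay thread copies bytes
        # from real_fd into it until revoke() is called.  real_fd stays untouched.
        self.real_fd = real_fd
        self.proxy_r, self._proxy_w = os.pipe()
        self._stop_r, self._stop_w = os.pipe()  # wakes the relay on revoke()
        self._thread = threading.Thread(target=self._relay, daemon=True)
        self._thread.start()

    def _relay(self):
        try:
            while True:
                ready, _, _ = select.select([self.real_fd, self._stop_r], [], [])
                if self._stop_r in ready:
                    return  # revoked: stop forwarding
                data = os.read(self.real_fd, 4096)
                if not data:
                    return  # real descriptor hit EOF
                os.write(self._proxy_w, data)
        finally:
            os.close(self._proxy_w)  # consumer's next read returns b""

    def revoke(self):
        os.write(self._stop_w, b"x")
        self._thread.join()
        os.close(self._stop_w)
        os.close(self._stop_r)


def demo():
    # Constructed scenario: the owner holds a pipe; the consumer only sees proxy_r.
    owner_r, owner_w = os.pipe()
    proxy = RevocableFd(owner_r)
    os.write(owner_w, b"hello")
    before = os.read(proxy.proxy_r, 100)  # relayed: b"hello"
    proxy.revoke()
    after = os.read(proxy.proxy_r, 100)   # EOF: b""
    os.write(owner_w, b"after")
    still = os.read(owner_r, 100)         # owner unaffected: b"after"
    for fd in (proxy.proxy_r, owner_r, owner_w):
        os.close(fd)
    return before, after, still
```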
Plash does not implement the following features that are normally available under Linux:
- /proc/self. The most commonly used part of /proc/self is /proc/self/fd.
- Setuid executables. This omission is deliberate. Plash does not do access control on the basis of UIDs/GIDs. Plash provides ExecutableObjects as a replacement feature.
