On Tue, 2015-02-17 at 13:23 -0800, Andy Lutomirski wrote:
> [I'm not a gnome-os subscriber.  Let's see whether this bounces as a result.]
> 
> Hi all-
> 
> I just read Alexander's blog post about Neverball in a sandbox.  Neat stuff!
> 
> Here are some thoughts, in no particular order:
> 
>  - seccomp.  Seccomp will help a lot, especially in avoiding attacks
> against more obscure kernel interfaces.  There's a decent
> blacklist-based sandbox I worked on here:
> 
> https://github.com/sandstorm-io/sandstorm/blob/master/src/sandstorm/supervisor.c%2B%2B
> 
> Ideally it would be a whitelist, not a blacklist, but this set of
> filter rules blocked a whole bunch of kernel vulnerabilities that
> showed up after I wrote the rules.

Cool. I'll be sure to steal liberally from this.

Some comments:

  // AIO is scary.
Really? This seems like it is something that could be useful to apps, is
it not?

Also, vmsplice seems like it could be useful too.

For reference, here is what systemd-nspawn uses:
http://cgit.freedesktop.org/systemd/systemd/tree/src/nspawn/nspawn.c#n2482

It has some things you don't, such as: module calls, iopl, swap*, kexec,
open_by_handle_at.

> As of Linux 3.18 (IIRC), seccomp has reasonably low overhead.  (It was
> terrible before that.)  If you try it and have issues, performance or
> otherwise, please let me know.  On new kernels, the overhead should be
> well under 100 cycles per syscall plus the filter execution time.
> 
>  - setuid / privileged helper.  Why do you need a privileged helper?
> You should be able to do all of this using user namespaces.  The
> Sandstorm code linked above does exactly this.

I have not yet looked into using user namespaces because historically
they have been disabled for non-root users in distros like Fedora and
Ubuntu. However, it seems like this is slowly being lifted, so we should be
able to use this when possible to allow the privilege increase.

Can we really do everything though? I.e., can the setup code run mknod in
the user namespace?

>  - netns.  Having an IPv6 loopback is probably good, too.  You might
> get this by default with no particular action required on your part,
> though.

It just needs some code to bring up the interface (like the IPv4 one), I
was just lazy and did not add it. Should be a small matter of code.

>  - kdbus.  Why do you need kdbus?  Wouldn't a userspace proxy work
> fine?  Even with kdbus, I imagine you're using the restricted endpoint
> features, and I wasn't quite convinced that the design would allow
> very flexible and clearly secure sandboxing.  If I were designing a
> sandbox that used kdbus, I'd mount a fresh "domain" (aka kdbusfs) in
> the sandbox and I'd still want to proxy everything explicitly.  That
> way the sandboxed code could still use kdbus however it wanted.  What
> has your experience using it been like?

It's hard to do a proper userspace proxy of dbus. For instance, it is
inherently racy to limit access to a well known name as many clients use
the unique name to talk to a service, but the
unique-name<->well-known-name mapping can change asynchronously from the
proxy. Also, not having the peer side of the dbus client be the *real*
client process breaks some dbus functionality (for instance, the proxy
would run outside the app sandbox, so you wouldn't get the right
pid/cgroup data to know that a dbus peer was in a sandbox).

The expected setup is that the app can only talk to the session/user
bus. It can only own its own name (the app id like "org.gnome.gedit"),
and it can only talk to a selected set of dbus names that have been
deemed safe. These would include a set of "portal" APIs that contains
the functionality needed to interact with the desktop. For instance
there would be some kind of api to request the user to open a file, with
the file selector happening on the non-sandbox side, and a stream of the
selected data being returned to the app.

I have not actually started playing with kdbus in detail though, so this
part is very much uncharted waters.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       [email protected]            [email protected] 
He's a suave moralistic assassin on the wrong side of the law. She's an 
elegant belly-dancing mechanic with an evil twin sister. They fight 
crime! 
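As an added example (not code from this thread, Sandstorm or systemd-nspawn), here is a raw seccomp-bpf denylist covering the syscalls named above (AIO, vmsplice, module loading, iopl, swap*, kexec, open_by_handle_at), including the architecture check that any denylist needs so that a compat ABI cannot reach the same kernel code under different syscall numbers. The function names and the 64-instruction buffer are my own choices.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Denial candidates named in the thread; iopl is x86-only, hence the guard. */
static const int denied_syscalls[] = {
    __NR_io_setup, __NR_io_submit, __NR_io_cancel, __NR_io_getevents, __NR_io_destroy,
    __NR_vmsplice, __NR_init_module, __NR_finit_module, __NR_delete_module,
#ifdef __NR_iopl
    __NR_iopl,
#endif
    __NR_swapon, __NR_swapoff, __NR_kexec_load, __NR_open_by_handle_at,
};
#define N_DENIED (sizeof denied_syscalls / sizeof denied_syscalls[0])
/* Emits: arch check (kill on mismatch, so a compat ABI cannot reach the same code
 * under other numbers), one JEQ per denied nr returning EPERM, then default allow.
 * Returns the instruction count, or 0 if cap is too small (2n + 5 needed). */
size_t build_denylist(struct sock_filter *p, size_t cap, const int *nrs, size_t n)
{
    size_t i = 0;
    if (2 * n + 5 > cap) return 0;
    p[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    p[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    p[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    p[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        p[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)nrs[k], 0, 1);
        p[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    p[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}
/* Installs the filter. NO_NEW_PRIVS is required for an unprivileged caller and
 * keeps later setuid execs from gaining privilege under the filter. */
int install_denylist(void)
{
    struct sock_filter insns[64];
    size_t n = build_denylist(insns, 64, denied_syscalls, N_DENIED);
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (n == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Call install_denylist() in the child after the namespace and mount setup is done but before exec of the app, since the filter is inherited across fork and execve and cannot be removed afterwards.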

_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list