Walsh: Introducing the SELinux Sandbox
Posted May 27, 2009 1:40 UTC (Wed) by gdt
In reply to: Walsh: Introducing the SELinux Sandbox
Parent article: Walsh: Introducing the SELinux Sandbox
It seems that the existing security mechanisms in Linux would restrict unprivileged users from doing malicious stuff without the need for a SELinux "sandbox".
Two points you may have missed in Dan's blog. (1) A finer notion of privilege than user. (2) Restriction of access to data, not only system.
For example, you might run a script to encode all your FLAC music into Ogg Vorbis. That script will run as you, pr1268, so traditional Unix access control gives the script access to all of the files marked as owned by pr1268. That is far too much access -- that re-encoding script should not be able to do anything other than transform the input to the output. It certainly should not be able to maliciously use the too-wide Unix access, such as encrypting all of pr1268's photographs and demanding a ransom in return for the decryption key.
As SELinux policy stands today, that sort of malicious act is not prevented. Development of SELinux to date has focussed on broad policy and on protecting the system, not on protecting users' privacy and data. These are the next frontiers for the Linux MACs -- I quite like Dan's phrase "policy for the little things".
The "sandbox" is a tight policy for the smallest thing -- a piped command which transforms its input.