Posted Jun 14, 2009 17:59 UTC (Sun) by gmatht (guest, #58961)
Parent article: Waiting for Google Chrome
Personally I am a fan of the Plash style of sandboxing. I don't think it is suitable though, as it is chroot based. I like it because it can dynamically add rights on the fly, e.g. the GTK file dialog box is replaced so that if you open a file, the application is given rights to just that file.
Perhaps more suitable would be Systrace [0]?
As has been discussed, the way Systrace does security is very difficult to do right, since there is the possibility of a process changing its argument after sending it to the kernel. The last time a vulnerability was found was 2007 [1]. However, AFAICT changing an argument is not a problem for Chrome, since they would just ban the syscall entirely (or, if not, use a message passing/chroot-based solution like Plash to provide this security).
Systrace is here, doesn't require any weird kernel patches, is portable across Linux and BSD, and supports both 32-bit and 64-bit. It isn't as easy to set up as Plash, but it isn't that hard either [2]. Systrace + chroot seems good enough to get version 1.0 out the door.