Walsh: Cool things with SELinux... Introducing sandbox -X
[Security] Posted Sep 17, 2009 13:57 UTC (Thu) by jake
Red Hat SELinux hacker Dan Walsh has a weblog posting about a new feature added to his SELinux sandbox. sandbox -X essentially combines the sandbox with the idea behind the "xguest" user to create a sandbox for arbitrary desktop applications. It came out of a request to be able to sandbox "acroread": "Acroread and most other desktop applications use multiple communication channels, interacting not just with stdin and stdout, but accessing configuration files, directly or using interprocess calls as with GConf, the X server and other applications, and usually have full run of the user's home directory. A bug in a desktop application can be exploited to attack other processes on the system through any of these channels. Attempting to lock down access to these things usually just causes applications to break, or at least degrades the user experience. In a nutshell, there was no good, general-purpose way to lock down Acroread, or that matter, any other desktop application."
Comments (39 posted)