LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The isolate utility

The isolate utility

Posted Jan 6, 2010 0:25 UTC (Wed) by wahern (subscriber, #37304)
In reply to: The isolate utility by dpquigl
Parent article: The isolate utility

It's difficult because it's an ad hoc process. To sandbox a daemon under unix all that need be done is chroot(path) + chdir(".") + setuid(nonrootuid). That's all in C, and generally called from the main function (my argument is for chroot(2), not for isolate(1) or chroot(1)). There are caveats, and it's no panacea, but it's straight-forward, and the user/sysadmin never need get involved. The only issue is how to make sure `path' exists. FreeBSD jail(2), which is more comprehensive, is similarly simple.

To sandbox with SELinux I do... what? To install the SELinux policies I do... what? No pithy code snippet will come close to answering that. And SELinux isn't even installed by default on Ubuntu and most other Linux distributions, not to mention other unices. Leveraging SELinux from the application perspective is difficult and clumsy. You need to create a shell scripting ecosystem to support your application. Same applies to LXC or anything similar.

RedHat might ship with default policies for Apache and BIND and similar software, but it certainly won't ship for 99% of the available applications on Freshmeat. It's nonsense to think that any single group is capable of reliably and efficiently patching, effectively, all the software out there. I say patching because though SELinux policies are text files they're nonetheless code. And that is why I say policy is indivisible from function. It's a distinction without a difference from a security perspective. They're both code.

Now, SELinux is useful in general for exactly the same reason. It allows the end-user or distributor to patch together an application by adding new code without modifying existing code. Effectively you can build custom applications, the same way a company might fork an open source project and tweak it for, say, an embedded Samba device. You can hack Samba directly and/or create SELinux policies. Yet you run into all the same problems as when you have two different groups hacking on the same software. Most prominently the maintainers of the policy end inevitably fall behind the release schedule of the main release, get tired of the treadmill, and the whole endeavor withers.

As for logging, my applications do what any good unix applications do; they log to stderr. I provide example documentation and code for attaching stderr to syslog(1) or rotatelogs(1), and my applications also make this very easy to do as a builtin operation (e.g. foo -e "|rotatelogs /var/log/foo-%Y%m%d.log"), which makes it a tad more convenient. Yes, that is in a sense leaving policy to the end-user, but the difference is that (1) I'm well aware that log processing is an application in its own right; and (2) no matter where you point stderr the daemon itself runs as securely as possible out-of-the-box. Why would I leave security up to the end-user or distributor? Who but the developer best knows how to secure his own code?

SELinux works well as an adjunct, but minimally any portable application _must_ use chroot(2). Even if something could replace chroot(2) tomorrow I'd prefer FreeBSD style jail(2) than a convoluted system that doesn't offer the possibility for a small code block in main() to provide decent sandboxing, instead requiring a haphazard process among various users--developer, distributor, admin. Theory is great, but a good solution must work in practice, and manifestly SELinux isn't a practical solution.

(I also tend to pervasively use descriptor passing between privileged and unprivileged processes. Much like chroot it's portable and, used properly, matches the security of most any other solution, and does so out-of-the-box.)

(Log in to post comments)

The isolate utility

Posted Jan 6, 2010 2:21 UTC (Wed) by gmaxwell (subscriber, #30048) [Link]

"To sandbox with SELinux I do... what?"

To sandbox? You use dan walsh's sandbox (http://danwalsh.livejournal.com/31146.html) it was linked in the very first comment here.

Yes, SELinux is complicated. It's much more expressive than chroot()+chdir(), and so it's possible to lock things in a much more find grained and secure way. The tradeoff is the complexity. Thats where tools like sandbox step in.

The isolate utility

Posted Jan 6, 2010 3:34 UTC (Wed) by wahern (subscriber, #37304) [Link]

Nice... for some limited set of apps, particularly desktop apps. Especially since it's more reasonable to expect desktop apps to be less portable than server apps. But I write server-side apps. Not only is this not especially useful on Linux servers, I still need to do sandboxing _inside_ my application both for portability, and because I still need privileges temporarily to setup my environment, such as open sockets. There're several app-specific privileged operations daemons typically need to do.

sandbox(1) uses a setuid utility. Anything which requires a setuid utility is already a red flag in my book. And such wrappers are inherently limited, anyhow.

These aren't generic solutions. They're interesting, useful, and laudable pieces of software, to be sure. But come on.... None of these things can even come close to the usefulness that traditional, portable unix privilege separation can accomplish. chroot, setuid, descriptor passing... these things are here now, ubiquitous, and time tested. Use them, developers. Security can't be an after-thought, bolted on, acceptable merely because it's described as a "security tool". The techniques needs to be tightly woven into the fabric of the code. (Alan Cox assertions are flat wrong; merely because chroot wasn't intended as a security tool doesn't mean it's not useful as such. Logic and history plainly prove him wrong, except that I personally think people take his quotes out of context anyhow.) Applications which don't do this need to be _fixed_, not amended. Additional steps, such as SELinux, VMs, etc, should be additive, not ends in themselves.

One nice thing about isolate(1) is that it uses a random UID. The code is awkward in places (I'd have just done `setuid(arc4random() | 0x80000000)', rather than a wierd loop, and anything w/ setuid mode is suspect, especially w/ all those machinations), but quite portable in theory, especially if Mach-O support could be added. And yet, at least for daemon apps, you can accomplish the same thing in about 10 lines of code if built into your app, w/o any dependencies. Sandboxing desktop apps involves special difficulties, but other than X11 and needing root privileges for chroot (I really wish systrace was built into the Linux kernel), all the same techniques apply equally well.

The isolate utility

Posted Jan 6, 2010 5:45 UTC (Wed) by drag (subscriber, #31333) [Link]

Alax Cox's comments refer to why the fact that when people show up on the
LKML and bring up one of the obvious and blaring security defects with
Linux's Chroot implementation (and hope to see these 'problems' fixed) they
get ignored or shot down.

The isolate utility

Posted Jan 6, 2010 6:16 UTC (Wed) by drag (subscriber, #31333) [Link]

Oh and he never said it was not useful. It's just that if the program has
root privileges then chroot is worthless. If you do it properly with
carefully controlled file discripters and proper setuid and that sort of
thing chroot can be useful, it's just much more difficult to get right then
it seems.

In that specific mailing list discussion people are referring to is
http://kerneltrap.org/mailarchive/linux-kernel/2007/9/19/...

----

Meanwhile with things like BSD Jails, Linux LXC, or Solaris Zones are
designed to be easy for admins to make applications isolated in a proper
manner and can be used with lots of applications that would never really work
out with chroot.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds