To sandbox? You use Dan Walsh's sandbox (http://danwalsh.livejournal.com/31146.html); it was linked in the very first comment here.
Yes, SELinux is complicated. It's much more expressive than chroot()+chdir(), and so it's possible to lock things down in a much more fine-grained and secure way. The tradeoff is the complexity. That's where tools like sandbox step in.
The isolate utility
Posted Jan 6, 2010 3:34 UTC (Wed) by wahern (subscriber, #37304)
sandbox(1) uses a setuid utility. Anything which requires a setuid utility is already a red flag in my book. And such wrappers are inherently limited, anyhow.
These aren't generic solutions. They're interesting, useful, and laudable pieces of software, to be sure. But come on.... None of these things can even come close to the usefulness that traditional, portable unix privilege separation can accomplish. chroot, setuid, descriptor passing... these things are here now, ubiquitous, and time tested. Use them, developers. Security can't be an after-thought, bolted on, acceptable merely because it's described as a "security tool". The techniques need to be tightly woven into the fabric of the code. (Alan Cox's assertions are flat wrong; merely because chroot wasn't intended as a security tool doesn't mean it's not useful as such. Logic and history plainly prove him wrong, except that I personally think people take his quotes out of context anyhow.) Applications which don't do this need to be _fixed_, not amended. Additional steps, such as SELinux, VMs, etc., should be additive, not ends in themselves.
One nice thing about isolate(1) is that it uses a random UID. The code is awkward in places (I'd have just done `setuid(arc4random() | 0x80000000)', rather than a weird loop, and anything w/ setuid mode is suspect, especially w/ all those machinations), but quite portable in theory, especially if Mach-O support could be added. And yet, at least for daemon apps, you can accomplish the same thing in about 10 lines of code if built into your app, w/o any dependencies. Sandboxing desktop apps involves special difficulties, but other than X11 and needing root privileges for chroot (I really wish systrace was built into the Linux kernel), all the same techniques apply equally well.
Posted Jan 6, 2010 5:45 UTC (Wed) by drag (subscriber, #31333)
Posted Jan 6, 2010 6:16 UTC (Wed) by drag (subscriber, #31333)
In that specific mailing list discussion people are referring to is
Meanwhile, things like BSD Jails, Linux LXC, or Solaris Zones are designed to make it easy for admins to isolate applications in a proper manner, and can be used with lots of applications that would never really work out with chroot.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds