Simplicity is useful

Posted May 14, 2009 14:41 UTC (Thu) by job (guest, #670)
Parent article: Seccomp and sandboxing

The most successful sandbox must be chroot+setuid. Probably because is it portable, simple and easy to understand. Both the administrator and the programmer knows directly what they can trust such a process with.

That's why I think something like seccomp would be usable. Anything outside of pure computation must be done outside it. No flexibility, nothing. Attack vectors are isolated to the monitor process.

to post comments

Simplicity is useful

Posted May 20, 2009 17:40 UTC (Wed) by sfink (guest, #6405) [Link] (2 responses)

I agree, chroot + setuid is one of the most successful models out there -- assuming you're measuring success by popularity. If you factor in effectiveness, on the other hand, I was under the impression that it's a disaster.

setuid is good, but privilege escalation flaws are not that hard to come by. And once you have root privileges, chroot is no longer a security mechanism, it's just a convenient filesystem remapping trick. Nothing prevents you from creating your own special device and mounting the entire filesystem within your chroot jail. And that's only one of many, many ways to escape chroot.

Simplicity is useful

Posted May 20, 2009 18:32 UTC (Wed) by dlang (guest, #313) [Link]

if you assume that privilage escalation exploits are everywhere, nothing less than a fully locked down SELinux system can do you any good (and note that _no_ distro is shipping a _fully_ locked down SELinux system)

if privilage escalation exploits are not everywhere then chroot is much stronger.

and even though it's not as strong as other security mechanisms could be, the fact that those other mechanisms aren't used makes them pretty useless

however, I will disagree slightly with chroot being the most successful model, I'll point out that it builds on the basic unix user/group permissions, and I would call _that_ the most successful model

Simplicity is useful

Posted Jul 17, 2009 22:44 UTC (Fri) by job (guest, #670) [Link]

Nothing is a security mechanism against privilege escalation flaws in the mechanism itself. That's what appeals to me with seccomp, it should be possible to be made secure, as opposed to complex stuff such as LSM- or SELinux-arbitrated access control.