Introducing SELinux sandbox, confining untrusted binaries
[Posted May 26, 2009 by jake]
| From: |
| Eric Paris <eparis-AT-redhat.com> |
| To: |
| linux-kernel-AT-vger.kernel.org |
| Subject: |
| Introducing SELinux sandbox, confining untrusted binaries |
| Date: |
| Tue, 26 May 2009 12:54:03 -0400 |
| Message-ID: |
| <1243356843.2800.23.camel@localhost.localdomain> |
| Archive‑link: | |
Article |
Dan and I (mostly Dan) have started to play with using SELinux to
confine random untrusted binaries. The program is called 'sandbox.'
http://danwalsh.livejournal.com/28545.html
The idea is to allow administrators to lock down tightly untrusted
applications in a sandbox where they can not use the network and
open/create any file that is not handed to the process. Can be used to
protect a system while allowing it to run some untrusted binary.
A quick dirty example of this sandbox would be to confine the 'cut'
binary. If I wanted to create a file of users on my system from
the /etc/passwd file, I could try
> sandbox cut -d: -f1 /etc/passwd > /tmp/users
/bin/cut: /etc/passwd: Permission denied
Which shows the sandbox domain is not allowed to open /etc/passwd
But I can execute
> cat /etc/passwd | sandbox cut -d: -f1 > /tmp/users
And it works just fine.
Inside the sandbox cut wasn't allowed to get to /etc/passwd. But in the
second example since /etc/passwd was opened by the shell and handed to
cut inside the sandbox it works.
I'd love to hear feedback, suggestions, problems, enhancements,
thoughts, complaints, things of that nature!
Check it out, SELinux confinement made easy.
-Eric
