Introducing SELinux sandbox, confining untrusted binaries
From: Eric Paris
Date: Tue May 26 2009 - 12:54:21 EST
Dan and I (mostly Dan) have started to play with using SELinux to
confine random untrusted binaries. The program is called 'sandbox.'
The idea is to allow administrators to lock down tightly untrusted
applications in a sandbox where they can not use the network and
open/create any file that is not handed to the process. Can be used to
protect a system while allowing it to run some untrusted binary.
A quick dirty example of this sandbox would be to confine the 'cut'
binary. If I wanted to create a file of users on my system from
the /etc/passwd file, I could try
> sandbox cut -d: -f1 /etc/passwd > /tmp/users
/bin/cut: /etc/passwd: Permission denied
Which shows the sandbox domain is not allowed to open /etc/passwd
But I can execute
> cat /etc/passwd | sandbox cut -d: -f1 > /tmp/users
And it works just fine.
Inside the sandbox cut wasn't allowed to get to /etc/passwd. But in the
second example since /etc/passwd was opened by the shell and handed to
cut inside the sandbox it works.
I'd love to hear feedback, suggestions, problems, enhancements,
thoughts, complaints, things of that nature!
Check it out, SELinux confinement made easy.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/