Introducing SELinux sandbox, confining untrusted binaries

From: Eric Paris
Date: Tue May 26 2009 - 12:54:21 EST

Next message: Stefan Richter: "Re: Unable to compile 2.6.30-rc7 on RHEL 4 - GCC 3.4.6"
Previous message: Michael S. Tsirkin: "Re: 2.a.30-rc7: fat filesystem misdetected as amiga"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dan and I (mostly Dan) have started to play with using SELinux to
confine random untrusted binaries. The program is called 'sandbox.'

http://danwalsh.livejournal.com/28545.html

The idea is to allow administrators to lock down tightly untrusted
applications in a sandbox where they can not use the network and
open/create any file that is not handed to the process. Can be used to
protect a system while allowing it to run some untrusted binary.

A quick dirty example of this sandbox would be to confine the 'cut'
binary. If I wanted to create a file of users on my system from
the /etc/passwd file, I could try

> sandbox cut -d: -f1 /etc/passwd > /tmp/users
/bin/cut: /etc/passwd: Permission denied

Which shows the sandbox domain is not allowed to open /etc/passwd

But I can execute
> cat /etc/passwd | sandbox cut -d: -f1 > /tmp/users

And it works just fine.

Inside the sandbox cut wasn't allowed to get to /etc/passwd. But in the
second example since /etc/passwd was opened by the shell and handed to
cut inside the sandbox it works.

I'd love to hear feedback, suggestions, problems, enhancements,
thoughts, complaints, things of that nature!

Check it out, SELinux confinement made easy.

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stefan Richter: "Re: Unable to compile 2.6.30-rc7 on RHEL 4 - GCC 3.4.6"
Previous message: Michael S. Tsirkin: "Re: 2.a.30-rc7: fat filesystem misdetected as amiga"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]