Re: Network isolation with RLIMIT_NETWORK, cont'd.

From: Michael Stone
Date: Sun Dec 13 2009 - 08:42:38 EST

Next message: Pavel Machek: "Re: [PATCH v2]kernel: remove mess codes"
Previous message: Johannes Berg: "Re: 2.6.32-git5+, CONFIG_WEXT_PRIV and Broadcom's driver forBCM4322 Wireless chips"
In reply to: Rémi Denis-Courmont: "Re: Network isolation with RLIMIT_NETWORK, cont'd."
Next in thread: Eric W. Biederman: "Re: Network isolation with RLIMIT_NETWORK, cont'd."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Rémi,

You explicitly mention the need to connect to the X server over local sockets.
But won't that allow the sandboxed application to send synthetic events to any
other X11 applications?

X11 cookie authentication and socket ownership+permissions effectively control
access to the X server by local processes. Thus, as an isolation author, I may
easily grant my isolated process any of:

a) full access to the main X server b) some access to a nested X server (like a Xephyr) which I'm using to do
some event filtering
c) no access to any X server by witholding thec cookies or by changing the
permissions on the X socket to be more restrictive

with existing techniques.

Hence unless the whole X server has restricted network access, this seems a
bit broken?

Not broken for the reasons I mentioned above. However, using this rlimit to
disable fresh network access for the whole X server actually sounds like a
rather nice idea; thanks for suggesting it.

D-Bus, which also uses local sockets, will exhibit similar issues,

Absolutely. However, D-Bus, like X, already has strong authentication
mechanisms in place that permit me to use pre-existing Unix discretionary access control to limit what communication takes place. More specifically, I can

a) tell D-Bus to use a file-system socket and change the credentials on that
socket

b) use cookies to authenticate incoming connections

c) explicitly tell D-Bus what users and groups may connect via configuration
files

d) explicitly tell D-Bus what users and groups may send and receive which
messages via configuration files

as will any unrestricted IPC mechanism in fact. I am not sure if restricting
network access but not other file descriptors makes that much sense...? Then
again, I'm not entirely clear what you are trying to solve.

Inadequately access-controlled IPC mechanisms are the specific problem that I
am trying to address. Fortunately, these mechanisms seem to be rare: the only
two that I know of are non-AF_UNIX sockets and ptrace(). All the other IPC
mechanisms that I have seen may be adequately restricted by changing file
permissions and ownership.

If I had to sandbox something, I'd drop the process file limit to 0.

That is a technique that is commonly used by many people in this space. It
works well for some limited use cases and, like SECCOMP, is too restrictive for
the kinds of general-purpose applications that I'm sandboxing.

If you're interested,

http://cr.yp.to/unix/disablenetwork.html

lists several specific problems. To see more, just try dropping RLIMIT_NOFILE
to 0 before launching all your favorite apps. I'd be curious to hear how far
you get.

Regards,

Michael
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Pavel Machek: "Re: [PATCH v2]kernel: remove mess codes"
Previous message: Johannes Berg: "Re: 2.6.32-git5+, CONFIG_WEXT_PRIV and Broadcom's driver forBCM4322 Wireless chips"
In reply to: Rémi Denis-Courmont: "Re: Network isolation with RLIMIT_NETWORK, cont'd."
Next in thread: Eric W. Biederman: "Re: Network isolation with RLIMIT_NETWORK, cont'd."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]