Re: Network isolation with RLIMIT_NETWORK, cont'd.
From: Michael Stone
Date: Sun Dec 13 2009 - 08:42:38 EST
Rémi,
You explicitly mention the need to connect to the X server over local sockets.
But won't that allow the sandboxed application to send synthetic events to any
other X11 applications?
X11 cookie authentication and socket ownership+permissions effectively control
access to the X server by local processes. Thus, as an isolation author, I may
easily grant my isolated process any of:
a) full access to the main X server
b) some access to a nested X server (like a Xephyr) which I'm using to do
some event filtering
c) no access to any X server by witholding thec cookies or by changing the
permissions on the X socket to be more restrictive
with existing techniques.
Hence unless the whole X server has restricted network access, this seems a
bit broken?
Not broken for the reasons I mentioned above. However, using this rlimit to
disable fresh network access for the whole X server actually sounds like a
rather nice idea; thanks for suggesting it.
D-Bus, which also uses local sockets, will exhibit similar issues,
Absolutely. However, D-Bus, like X, already has strong authentication
mechanisms in place that permit me to use pre-existing Unix discretionary
access control to limit what communication takes place. More specifically, I can
a) tell D-Bus to use a file-system socket and change the credentials on that
socket
b) use cookies to authenticate incoming connections
c) explicitly tell D-Bus what users and groups may connect via configuration
files
d) explicitly tell D-Bus what users and groups may send and receive which
messages via configuration files
as will any unrestricted IPC mechanism in fact. I am not sure if restricting
network access but not other file descriptors makes that much sense...? Then
again, I'm not entirely clear what you are trying to solve.
Inadequately access-controlled IPC mechanisms are the specific problem that I
am trying to address. Fortunately, these mechanisms seem to be rare: the only
two that I know of are non-AF_UNIX sockets and ptrace(). All the other IPC
mechanisms that I have seen may be adequately restricted by changing file
permissions and ownership.
If I had to sandbox something, I'd drop the process file limit to 0.
That is a technique that is commonly used by many people in this space. It
works well for some limited use cases and, like SECCOMP, is too restrictive for
the kinds of general-purpose applications that I'm sandboxing.
If you're interested,
http://cr.yp.to/unix/disablenetwork.html
lists several specific problems. To see more, just try dropping RLIMIT_NOFILE
to 0 before launching all your favorite apps. I'd be curious to hear how far
you get.
Regards,
Michael
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/