* Introducing SELinux sandbox, confining untrusted binaries
@ 2009-05-26 16:54 Eric Paris
0 siblings, 0 replies; only message in thread
From: Eric Paris @ 2009-05-26 16:54 UTC (permalink / raw)
To: linux-kernel
Dan and I (mostly Dan) have started to play with using SELinux to
confine random untrusted binaries. The program is called 'sandbox.'
http://danwalsh.livejournal.com/28545.html
The idea is to allow administrators to lock down tightly untrusted
applications in a sandbox where they can not use the network and
open/create any file that is not handed to the process. Can be used to
protect a system while allowing it to run some untrusted binary.
A quick dirty example of this sandbox would be to confine the 'cut'
binary. If I wanted to create a file of users on my system from
the /etc/passwd file, I could try
> sandbox cut -d: -f1 /etc/passwd > /tmp/users
/bin/cut: /etc/passwd: Permission denied
Which shows the sandbox domain is not allowed to open /etc/passwd
But I can execute
> cat /etc/passwd | sandbox cut -d: -f1 > /tmp/users
And it works just fine.
Inside the sandbox cut wasn't allowed to get to /etc/passwd. But in the
second example since /etc/passwd was opened by the shell and handed to
cut inside the sandbox it works.
I'd love to hear feedback, suggestions, problems, enhancements,
thoughts, complaints, things of that nature!
Check it out, SELinux confinement made easy.
-Eric
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2009-05-26 16:54 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-05-26 16:54 Introducing SELinux sandbox, confining untrusted binaries Eric Paris
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.