* Limiting access to abstract unix domain sockets
@ 2014-12-11 17:36 Alexander Larsson
[not found] ` <1418319385.9942.9.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
0 siblings, 1 reply; 5+ messages in thread
From: Alexander Larsson @ 2014-12-11 17:36 UTC (permalink / raw)
To: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA
I'm working on using container technology to sandbox desktop
applications, and I've run into an issue with abstract unix domain
sockets. Generally unix domain sockets work fine in a container
situation because they are naturally namespaced via the filesystem
namespace.
However, abstract socket addresses are global to the *network*
namespace. This means that if you need to share the host network
namespace (typically so you have full ip networking access) you can't
limit access to *any* service that listens to an abstract unix socket.
I don't particularly need to use abstract sockets, so it would be ok to
just disallow its use in the container. I've looked at using seccomp for
this, but it doesn't seem to help here, as it needs to dereference the
socket address to tell if its abstract or not.
Does anyone have any idea how to do this?
^ permalink raw reply [flat|nested] 5+ messages in thread[parent not found: <1418319385.9942.9.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>]
* Re: Limiting access to abstract unix domain sockets [not found] ` <1418319385.9942.9.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> @ 2014-12-11 17:49 ` Serge Hallyn 2014-12-11 19:18 ` Eric W. Biederman 0 siblings, 1 reply; 5+ messages in thread From: Serge Hallyn @ 2014-12-11 17:49 UTC (permalink / raw) To: Alexander Larsson; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA Quoting Alexander Larsson (alexl-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org): > I'm working on using container technology to sandbox desktop > applications, and I've run into an issue with abstract unix domain > sockets. Generally unix domain sockets work fine in a container > situation because they are naturally namespaced via the filesystem > namespace. > > However, abstract socket addresses are global to the *network* > namespace. This means that if you need to share the host network > namespace (typically so you have full ip networking access) you can't > limit access to *any* service that listens to an abstract unix socket. > > I don't particularly need to use abstract sockets, so it would be ok to > just disallow its use in the container. I've looked at using seccomp for > this, but it doesn't seem to help here, as it needs to dereference the > socket address to tell if its abstract or not. > > Does anyone have any idea how to do this? You should be able to use recent apparmor or selinux. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Limiting access to abstract unix domain sockets 2014-12-11 17:49 ` Serge Hallyn @ 2014-12-11 19:18 ` Eric W. Biederman [not found] ` <87zjauatbt.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org> 0 siblings, 1 reply; 5+ messages in thread From: Eric W. Biederman @ 2014-12-11 19:18 UTC (permalink / raw) To: Serge Hallyn; +Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> writes: > Quoting Alexander Larsson (alexl-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org): >> I'm working on using container technology to sandbox desktop >> applications, and I've run into an issue with abstract unix domain >> sockets. Generally unix domain sockets work fine in a container >> situation because they are naturally namespaced via the filesystem >> namespace. >> >> However, abstract socket addresses are global to the *network* >> namespace. This means that if you need to share the host network >> namespace (typically so you have full ip networking access) you can't >> limit access to *any* service that listens to an abstract unix socket. >> >> I don't particularly need to use abstract sockets, so it would be ok to >> just disallow its use in the container. I've looked at using seccomp for >> this, but it doesn't seem to help here, as it needs to dereference the >> socket address to tell if its abstract or not. >> >> Does anyone have any idea how to do this? > > You should be able to use recent apparmor or selinux. Agreed. If you are trying to firewall an application the lsm's are the firewall mechanism we have. If you are building an application from scratch I would tend to recommend the use of privilege separation, and only allowing the ``privileged'' part of your application to setup network sockets. To me one of the scaries things an application can have is a network socket to the outside world. Eric ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <87zjauatbt.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>]
* Re: Limiting access to abstract unix domain sockets [not found] ` <87zjauatbt.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org> @ 2014-12-11 20:32 ` Alexander Larsson [not found] ` <1418329944.9942.12.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> 0 siblings, 1 reply; 5+ messages in thread From: Alexander Larsson @ 2014-12-11 20:32 UTC (permalink / raw) To: Eric W. Biederman Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Serge Hallyn On tor, 2014-12-11 at 13:18 -0600, Eric W. Biederman wrote: > Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> writes: > > > Quoting Alexander Larsson (alexl-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org): > >> I'm working on using container technology to sandbox desktop > >> applications, and I've run into an issue with abstract unix domain > >> sockets. Generally unix domain sockets work fine in a container > >> situation because they are naturally namespaced via the filesystem > >> namespace. > >> > >> However, abstract socket addresses are global to the *network* > >> namespace. This means that if you need to share the host network > >> namespace (typically so you have full ip networking access) you can't > >> limit access to *any* service that listens to an abstract unix socket. > >> > >> I don't particularly need to use abstract sockets, so it would be ok to > >> just disallow its use in the container. I've looked at using seccomp for > >> this, but it doesn't seem to help here, as it needs to dereference the > >> socket address to tell if its abstract or not. > >> > >> Does anyone have any idea how to do this? > > > > You should be able to use recent apparmor or selinux. > > Agreed. If you are trying to firewall an application the lsm's are the > firewall mechanism we have. > > If you are building an application from scratch I would tend to > recommend the use of privilege separation, and only allowing the > ``privileged'' part of your application to setup network sockets. > > To me one of the scaries things an application can have is a network > socket to the outside world. Well, a great many apps don't need network access. Like say a game. For these there would not be a problem, just give them their own network namespace. But, if we're talking about an existing (not privilege separated) complex networking app, say an email client. How would you recommend that such an app be contained (network-wise) in a generic framework? We could give it its own network and IP that we NAT. But is this really more "secure" in any sense? The app can still send stuff on the outside network. I guess the inability to handle inbound traffic helps, but is this all? ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <1418329944.9942.12.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>]
* Re: Limiting access to abstract unix domain sockets [not found] ` <1418329944.9942.12.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> @ 2014-12-12 3:38 ` Serge Hallyn 0 siblings, 0 replies; 5+ messages in thread From: Serge Hallyn @ 2014-12-12 3:38 UTC (permalink / raw) To: Alexander Larsson Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA, Eric W. Biederman Quoting Alexander Larsson (alexl-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org): > On tor, 2014-12-11 at 13:18 -0600, Eric W. Biederman wrote: > > Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> writes: > > > > > Quoting Alexander Larsson (alexl-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org): > > >> I'm working on using container technology to sandbox desktop > > >> applications, and I've run into an issue with abstract unix domain > > >> sockets. Generally unix domain sockets work fine in a container > > >> situation because they are naturally namespaced via the filesystem > > >> namespace. > > >> > > >> However, abstract socket addresses are global to the *network* > > >> namespace. This means that if you need to share the host network > > >> namespace (typically so you have full ip networking access) you can't > > >> limit access to *any* service that listens to an abstract unix socket. > > >> > > >> I don't particularly need to use abstract sockets, so it would be ok to > > >> just disallow its use in the container. I've looked at using seccomp for > > >> this, but it doesn't seem to help here, as it needs to dereference the > > >> socket address to tell if its abstract or not. > > >> > > >> Does anyone have any idea how to do this? > > > > > > You should be able to use recent apparmor or selinux. > > > > Agreed. If you are trying to firewall an application the lsm's are the > > firewall mechanism we have. > > > > If you are building an application from scratch I would tend to > > recommend the use of privilege separation, and only allowing the > > ``privileged'' part of your application to setup network sockets. > > > > To me one of the scaries things an application can have is a network > > socket to the outside world. > > Well, a great many apps don't need network access. Like say a game. For > these there would not be a problem, just give them their own network > namespace. > > But, if we're talking about an existing (not privilege separated) > complex networking app, say an email client. How would you recommend > that such an app be contained (network-wise) in a generic framework? We > could give it its own network and IP that we NAT. But is this really > more "secure" in any sense? The app can still send stuff on the outside > network. I guess the inability to handle inbound traffic helps, but is > this all? I suspect there won't be an answer here because your question has gone off the original topic and become too unspecific. Basically you were right originally: so long as you share the host's network namespace, you can use its abstract sockets. LSMs are one way to actually clamp down on that. For instance, on new enough apparmor, by default applications under different apparmor profiles should not be able to connect to each other's sockets (configurable in policy). -serge ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-12-12 3:38 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-12-11 17:36 Limiting access to abstract unix domain sockets Alexander Larsson
[not found] ` <1418319385.9942.9.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-12-11 17:49 ` Serge Hallyn
2014-12-11 19:18 ` Eric W. Biederman
[not found] ` <87zjauatbt.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-12-11 20:32 ` Alexander Larsson
[not found] ` <1418329944.9942.12.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-12-12 3:38 ` Serge Hallyn
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.