From: Michael Stone <michael@laptop.org>
To: "Rémi Denis-Courmont" <remi@remlab.net>
Cc: Michael Stone <michael@laptop.org>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org,
Andi Kleen <andi@firstfloor.org>, David Lang <david@lang.hm>,
Oliver Hartkopp <socketcan@hartkopp.net>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Herbert Xu <herbert@gondor.apana.org.au>,
Valdis Kletnieks <Valdis.Kletnieks@vt.edu>,
Bryan Donlan <bdonlan@gmail.com>,
Evgeniy Polyakov <zbr@ioremap.net>,
"C. Scott Ananian" <cscott@cscott.net>,
James Morris <jmorris@namei.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Bernie Innocenti <bernie@codewiz.org>,
Mark Seaborn <mrs@mythic-beasts.com>
Subject: Re: Network isolation with RLIMIT_NETWORK, cont'd.
Date: Sun, 13 Dec 2009 08:44:25 -0500 [thread overview]
Message-ID: <20091213134425.GA4777@heat> (raw)
In-Reply-To: <200912131032.24251.remi@remlab.net>
Rémi,
> You explicitly mention the need to connect to the X server over local sockets.
> But won't that allow the sandboxed application to send synthetic events to any
> other X11 applications?
X11 cookie authentication and socket ownership+permissions effectively control
access to the X server by local processes. Thus, as an isolation author, I may
easily grant my isolated process any of:
a) full access to the main X server
b) some access to a nested X server (like a Xephyr) which I'm using to do
some event filtering
c) no access to any X server by witholding thec cookies or by changing the
permissions on the X socket to be more restrictive
with existing techniques.
> Hence unless the whole X server has restricted network access, this seems a
> bit broken?
Not broken for the reasons I mentioned above. However, using this rlimit to
disable fresh network access for the whole X server actually sounds like a
rather nice idea; thanks for suggesting it.
> D-Bus, which also uses local sockets, will exhibit similar issues,
Absolutely. However, D-Bus, like X, already has strong authentication
mechanisms in place that permit me to use pre-existing Unix discretionary
access control to limit what communication takes place. More specifically, I can
a) tell D-Bus to use a file-system socket and change the credentials on that
socket
b) use cookies to authenticate incoming connections
c) explicitly tell D-Bus what users and groups may connect via configuration
files
d) explicitly tell D-Bus what users and groups may send and receive which
messages via configuration files
> as will any unrestricted IPC mechanism in fact. I am not sure if restricting
> network access but not other file descriptors makes that much sense...? Then
> again, I'm not entirely clear what you are trying to solve.
Inadequately access-controlled IPC mechanisms are the specific problem that I
am trying to address. Fortunately, these mechanisms seem to be rare: the only
two that I know of are non-AF_UNIX sockets and ptrace(). All the other IPC
mechanisms that I have seen may be adequately restricted by changing file
permissions and ownership.
> If I had to sandbox something, I'd drop the process file limit to 0.
That is a technique that is commonly used by many people in this space. It
works well for some limited use cases and, like SECCOMP, is too restrictive for
the kinds of general-purpose applications that I'm sandboxing.
If you're interested,
http://cr.yp.to/unix/disablenetwork.html
lists several specific problems. To see more, just try dropping RLIMIT_NOFILE
to 0 before launching all your favorite apps. I'd be curious to hear how far
you get.
Regards,
Michael
WARNING: multiple messages have this Message-ID (diff)
From: Michael Stone <michael@laptop.org>
To: "Rémi Denis-Courmont" <remi@remlab.net>
Cc: Michael Stone <michael@laptop.org>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org,
Andi Kleen <andi@firstfloor.org>, David Lang <david@lang.hm>,
Oliver Hartkopp <socketcan@hartkopp.net>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Herbert Xu <herbert@gondor.apana.org.au>,
Valdis Kletnieks <Valdis.Kletnieks@vt.edu>,
Bryan Donlan <bdonlan@gmail.com>,
Evgeniy Polyakov <zbr@ioremap.net>,
"C. Scott Ananian" <cscott@cscott.net>,
James Morris <jmorris@namei.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Bernie Innocenti <bernie@codewiz.org>,
Mark Seaborn <mrs@mythic-beasts.com>
Subject: Re: Network isolation with RLIMIT_NETWORK, cont'd.
Date: Sun, 13 Dec 2009 08:44:25 -0500 [thread overview]
Message-ID: <20091213134425.GA4777@heat> (raw)
In-Reply-To: <200912131032.24251.remi@remlab.net>
Rémi,
> You explicitly mention the need to connect to the X server over local sockets.
> But won't that allow the sandboxed application to send synthetic events to any
> other X11 applications?
X11 cookie authentication and socket ownership+permissions effectively control
access to the X server by local processes. Thus, as an isolation author, I may
easily grant my isolated process any of:
a) full access to the main X server
b) some access to a nested X server (like a Xephyr) which I'm using to do
some event filtering
c) no access to any X server by witholding thec cookies or by changing the
permissions on the X socket to be more restrictive
with existing techniques.
> Hence unless the whole X server has restricted network access, this seems a
> bit broken?
Not broken for the reasons I mentioned above. However, using this rlimit to
disable fresh network access for the whole X server actually sounds like a
rather nice idea; thanks for suggesting it.
> D-Bus, which also uses local sockets, will exhibit similar issues,
Absolutely. However, D-Bus, like X, already has strong authentication
mechanisms in place that permit me to use pre-existing Unix discretionary
access control to limit what communication takes place. More specifically, I can
a) tell D-Bus to use a file-system socket and change the credentials on that
socket
b) use cookies to authenticate incoming connections
c) explicitly tell D-Bus what users and groups may connect via configuration
files
d) explicitly tell D-Bus what users and groups may send and receive which
messages via configuration files
> as will any unrestricted IPC mechanism in fact. I am not sure if restricting
> network access but not other file descriptors makes that much sense...? Then
> again, I'm not entirely clear what you are trying to solve.
Inadequately access-controlled IPC mechanisms are the specific problem that I
am trying to address. Fortunately, these mechanisms seem to be rare: the only
two that I know of are non-AF_UNIX sockets and ptrace(). All the other IPC
mechanisms that I have seen may be adequately restricted by changing file
permissions and ownership.
> If I had to sandbox something, I'd drop the process file limit to 0.
That is a technique that is commonly used by many people in this space. It
works well for some limited use cases and, like SECCOMP, is too restrictive for
the kinds of general-purpose applications that I'm sandboxing.
If you're interested,
http://cr.yp.to/unix/disablenetwork.html
lists several specific problems. To see more, just try dropping RLIMIT_NOFILE
to 0 before launching all your favorite apps. I'd be curious to hear how far
you get.
Regards,
Michael
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2009-12-13 13:42 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-13 3:19 Network isolation with RLIMIT_NETWORK, cont'd Michael Stone
2009-12-13 3:26 ` [PATCH] Security: Implement RLIMIT_NETWORK Michael Stone
2009-12-13 3:30 ` [PATCH] Security: Document RLIMIT_NETWORK Michael Stone
2009-12-13 3:44 ` Network isolation with RLIMIT_NETWORK, cont'd Michael Stone
2009-12-13 5:09 ` setrlimit(RLIMIT_NETWORK) vs. prctl(???) Michael Stone
2009-12-13 5:20 ` Ulrich Drepper
2009-12-15 5:33 ` Michael Stone
2009-12-16 15:30 ` Michael Stone
2009-12-16 15:32 ` [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface Michael Stone
2009-12-16 15:59 ` Andi Kleen
2009-12-17 1:25 ` Michael Stone
2009-12-17 8:52 ` Andi Kleen
[not found] ` <fb69ef3c0912170906t291a37c4r6c4758ddc7dd300b@mail.gmail.com>
2009-12-17 17:14 ` Andi Kleen
2009-12-17 22:58 ` Mark Seaborn
2009-12-18 3:00 ` Michael Stone
2009-12-18 3:00 ` Michael Stone
2009-12-18 3:29 ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) interface. (v2) Michael Stone
2009-12-18 4:43 ` Valdis.Kletnieks
2009-12-18 15:46 ` Alan Cox
2009-12-18 16:33 ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) Michael Stone
2009-12-18 17:20 ` Alan Cox
2009-12-18 17:47 ` Eric W. Biederman
2009-12-24 6:13 ` Michael Stone
2009-12-24 12:37 ` Eric W. Biederman
2009-12-24 1:42 ` [PATCH 0/3] Discarding networking privilege via LSM Michael Stone
2009-12-24 1:44 ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) interface. (v3) Michael Stone
2009-12-24 4:38 ` Samir Bellabes
2009-12-24 5:44 ` Michael Stone
2009-12-24 5:51 ` Tetsuo Handa
2009-12-24 1:45 ` [PATCH 2/3] Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics. (v3) Michael Stone
2009-12-24 1:45 ` [PATCH 3/3] Security: Document prctl(PR_{GET,SET}_NETWORK). (v3) Michael Stone
2009-12-25 17:09 ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) Pavel Machek
2009-12-18 3:31 ` [PATCH 2/3] Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics. (v2) Michael Stone
2009-12-18 3:57 ` Eric W. Biederman
2009-12-18 3:32 ` [PATCH 3/3] Security: Document prctl(PR_{GET,SET}_NETWORK). (v2) Michael Stone
2009-12-18 17:49 ` [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface Stephen Hemminger
2009-12-19 12:02 ` David Wagner
2009-12-19 12:29 ` Alan Cox
2009-12-20 17:53 ` Mark Seaborn
2009-12-17 9:25 ` Américo Wang
2009-12-17 16:28 ` Michael Stone
2009-12-17 16:28 ` Michael Stone
2009-12-17 17:23 ` Randy Dunlap
2009-12-17 17:25 ` Randy Dunlap
2009-12-16 15:32 ` [PATCH] Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics Michael Stone
2009-12-17 19:18 ` Eric W. Biederman
2009-12-16 15:32 ` [PATCH] Security: Document prctl(PR_{GET,SET}_NETWORK) Michael Stone
2009-12-13 8:32 ` Network isolation with RLIMIT_NETWORK, cont'd Rémi Denis-Courmont
2009-12-13 13:44 ` Michael Stone [this message]
2009-12-13 13:44 ` Michael Stone
2009-12-13 10:05 ` Eric W. Biederman
2009-12-13 14:21 ` Michael Stone
2009-12-17 17:31 ` Mark Seaborn
2009-12-17 18:24 ` Bryan Donlan
2009-12-17 19:35 ` Bernie Innocenti
2009-12-17 19:53 ` Bryan Donlan
2009-12-17 19:23 ` Bernie Innocenti
2009-12-17 17:52 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091213134425.GA4777@heat \
--to=michael@laptop.org \
--cc=Valdis.Kletnieks@vt.edu \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=andi@firstfloor.org \
--cc=bdonlan@gmail.com \
--cc=bernie@codewiz.org \
--cc=cscott@cscott.net \
--cc=david@lang.hm \
--cc=ebiederm@xmission.com \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mrs@mythic-beasts.com \
--cc=netdev@vger.kernel.org \
--cc=remi@remlab.net \
--cc=socketcan@hartkopp.net \
--cc=zbr@ioremap.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.