| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 May 2009 12:54:03 -0400 From: Eric Paris <eparis@...hat.com> To: linux-kernel@...r.kernel.org Subject: Introducing SELinux sandbox, confining untrusted binaries Dan and I (mostly Dan) have started to play with using SELinux to confine random untrusted binaries. The program is called 'sandbox.' http://danwalsh.livejournal.com/28545.html The idea is to allow administrators to lock down tightly untrusted applications in a sandbox where they can not use the network and open/create any file that is not handed to the process. Can be used to protect a system while allowing it to run some untrusted binary. A quick dirty example of this sandbox would be to confine the 'cut' binary. If I wanted to create a file of users on my system from the /etc/passwd file, I could try > sandbox cut -d: -f1 /etc/passwd > /tmp/users /bin/cut: /etc/passwd: Permission denied Which shows the sandbox domain is not allowed to open /etc/passwd But I can execute > cat /etc/passwd | sandbox cut -d: -f1 > /tmp/users And it works just fine. Inside the sandbox cut wasn't allowed to get to /etc/passwd. But in the second example since /etc/passwd was opened by the shell and handed to cut inside the sandbox it works. I'd love to hear feedback, suggestions, problems, enhancements, thoughts, complaints, things of that nature! Check it out, SELinux confinement made easy. -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists