On Fri, Sep 22, 2017 at 5:51 PM, R0b0t1 <r030t1@×××××.com> wrote:

> On Thu, Sep 21, 2017 at 2:56 PM, Michał Górny <mgorny@g.o> wrote:
> > [1]:https://wiki.gentoo.org/wiki/Project:Sandbox
> >
>
> I think I understand, in principle, why a sandbox could be useful, but
> would it not be more productive to follow up with projects which do
> unexpected things to ask that they not do those things?
>

So step one is figuring out what those things are. So the LD_PRELOAD
sandbox isn't designed to be a "security boundary" (it's trivially
defeatable[1]). Instead it's designed to be a fairly straightforward
detector of 'anomalous' behavior. It works by intercepting file operations
and comparing them against a whitelist.

You can't tell people to stop doing unexpected things if you don't know
their software is doing unexpected things.

[1] So defeatable in fact that ebuilds have an API to modify the boundaries
of the sandbox, and even if the enforcement was stronger (e.g. via
seccomp-bpf) there is still the idea that ebuilds can rather arbitrarily
alter the sandbox boundaries... so nothing really prevents application code
from also altering the boundaries in the current design; I suspect fixing
this would be fairly tricky without some major changes.

-A


> In the sense that Portage can in its entirety be isolated in various
> ways (user groups, containers, virtual machines, etc) I am not sure
> adding another layer is the most expedient option, especially if it is
> hard to maintain.
>
> I once saw Java developers talking about introducing changes to an
> enterprise program by not modifying the source, but keeping the source
> as is, and then maintaining a set of reflection-based patches that
> would modify the program after it was loaded but before it was run.
> This did not make sense to me, and it seems a lot like what is being
> done with the sandbox.
>
> In some cases that can make sense, I suppose. I am not a very smart
> man, so I would not know the necessary burden of proof.
>
> Respectfully,
> R0b0t1
>
>
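As an added example (not code from this thread or from Gentoo's sandbox project), a minimal LD_PRELOAD interposer of the kind the reply describes: it hooks open(), compares write attempts against a whitelist of directory prefixes, and reports anything outside it. The whitelist contents and the sandbox_* function names are constructed for this example.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed whitelist of directory prefixes a build may write under
 * (hypothetical; the real sandbox takes its list from the environment). */
static const char *const write_whitelist[] = { "/tmp/", "/var/tmp/portage/", NULL };

/* 1 if `path` is absolute, contains no "..", and sits under a whitelisted
 * prefix. Plain prefix matching; a real sandbox canonicalizes first. */
int sandbox_write_allowed(const char *path) {
    if (path == NULL || path[0] != '/' || strstr(path, "..") != NULL)
        return 0;
    for (const char *const *p = write_whitelist; *p != NULL; p++)
        if (strncmp(path, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Policy: reads are not policed; any write, create or truncate must stay
 * inside the whitelist. Returns 1 to allow the call, 0 to flag it. */
int sandbox_check_open(const char *path, int flags) {
    int acc = flags & O_ACCMODE;
    int writes = acc == O_WRONLY || acc == O_RDWR || (flags & (O_CREAT | O_TRUNC));
    return writes ? sandbox_write_allowed(path) : 1;
}

/* The interposer: cc -shared -fPIC -o libsbx.so sbx.c -ldl, then run a build
 * step with LD_PRELOAD=./libsbx.so. Violations are logged to stderr and
 * refused with EACCES. The policy lives inside the traced process, so this
 * is a detector of anomalous behaviour, not a security boundary. */
int open(const char *path, int flags, ...) {
    static int (*real_open)(const char *, int, ...);
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap; va_start(ap, flags); mode = va_arg(ap, int); va_end(ap);
    }
    if (!real_open)
        real_open = (int (*)(const char *, int, ...))dlsym(RTLD_NEXT, "open");
    if (!sandbox_check_open(path, flags)) {
        fprintf(stderr, "SANDBOX VIOLATION: open(\"%s\", 0x%x)\n", path, flags);
        errno = EACCES;
        return -1;
    }
    return real_open(path, flags, mode);
}
```

Only open() is hooked here; a usable detector also has to cover openat(), creat(), rename(), unlink() and the other path-taking calls, which is the bulk of the real sandbox's wrapper list.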