1 |
On Fri, Sep 22, 2017 at 5:01 PM, Michael Orlitzky <mjo@g.o> wrote: |
2 |
> On 09/22/2017 05:51 PM, R0b0t1 wrote: |
3 |
>> On Thu, Sep 21, 2017 at 2:56 PM, Michał Górny <mgorny@g.o> wrote: |
4 |
>>> [1]:https://wiki.gentoo.org/wiki/Project:Sandbox |
5 |
>>> |
6 |
>> |
7 |
>> I think I understand, in principle, why a sandbox could be useful, but |
8 |
>> would it not be more productive to follow up with projects which do |
9 |
>> unexpected things to ask that they not do those things? |
10 |
>> |
11 |
> |
12 |
> The sandbox isn't a security feature, it's more of a QA tool. How do you |
13 |
> *know* when the upstream project does something wrong? See, for example, |
14 |
> |
15 |
|
16 |
I was aware of this part. I suggested sandboxing mechanisms which were |
17 |
security related not for security purposes, but due to the fact that |
18 |
their original design goals makes them more comprehensive. As a bonus, |
19 |
they already exist. |
20 |
|
21 |
|
22 |
On Fri, Sep 22, 2017 at 5:05 PM, Alec Warner <antarus@g.o> wrote: |
23 |
> |
24 |
> |
25 |
> On Fri, Sep 22, 2017 at 5:51 PM, R0b0t1 <r030t1@×××××.com> wrote: |
26 |
>> |
27 |
>> On Thu, Sep 21, 2017 at 2:56 PM, Michał Górny <mgorny@g.o> wrote: |
28 |
>> > [1]:https://wiki.gentoo.org/wiki/Project:Sandbox |
29 |
>> > |
30 |
>> |
31 |
>> I think I understand, in principle, why a sandbox could be useful, but |
32 |
>> would it not be more productive to follow up with projects which do |
33 |
>> unexpected things to ask that they not do those things? |
34 |
> |
35 |
> |
36 |
> So step one is figuring out what those things are. So the LD_PRELOAD sandbox |
37 |
> isn't designed to be a "security boundary" (its trivially defeat-able[1]). |
38 |
> Instead its designed to be a fairly straightforward detector of 'anomalous' |
39 |
> behavior. It works by intercepting file-operations and comparing them |
40 |
> against a whitelist. |
41 |
> |
42 |
> You can't tell people do stop doing unexpected things if you don't know |
43 |
> their software is doing unexpected things. |
44 |
> |
45 |
|
46 |
Right, I suppose a sandboxing mechanism is the best way to detect |
47 |
those changes. Is it necessary for it to be implemented with something |
48 |
like ptrace or ld tricks? Like above, I ask because other mechanisms |
49 |
are more comprehensive. |
50 |
|
51 |
The mechanism used to implement containers, in particular, is |
52 |
extremely interesting because it does (more or less) exactly what is |
53 |
wanted. Look for the CLONE_NEW* options in `man 2 clone`. It is |
54 |
possible containers are the best interface to this syscall, but I am |
55 |
not sure how to evaluate them in the context they would be used. |
56 |
|
57 |
Respectfully, |
58 |
R0b0t1 |