| 1 |
On Fri, Sep 22, 2017 at 5:01 PM, Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
> On 09/22/2017 05:51 PM, R0b0t1 wrote: |
| 3 |
>> On Thu, Sep 21, 2017 at 2:56 PM, Michał Górny <mgorny@g.o> wrote: |
| 4 |
>>> [1]:https://wiki.gentoo.org/wiki/Project:Sandbox |
| 5 |
>>> |
| 6 |
>> |
| 7 |
>> I think I understand, in principle, why a sandbox could be useful, but |
| 8 |
>> would it not be more productive to follow up with projects which do |
| 9 |
>> unexpected things to ask that they not do those things? |
| 10 |
>> |
| 11 |
> |
| 12 |
> The sandbox isn't a security feature, it's more of a QA tool. How do you |
| 13 |
> *know* when the upstream project does something wrong? See, for example, |
| 14 |
> |
| 15 |
|
| 16 |
I was aware of this part. I suggested sandboxing mechanisms which were |
| 17 |
security related not for security purposes, but due to the fact that |
| 18 |
their original design goals makes them more comprehensive. As a bonus, |
| 19 |
they already exist. |
| 20 |
|
| 21 |
|
| 22 |
On Fri, Sep 22, 2017 at 5:05 PM, Alec Warner <antarus@g.o> wrote: |
| 23 |
> |
| 24 |
> |
| 25 |
> On Fri, Sep 22, 2017 at 5:51 PM, R0b0t1 <r030t1@×××××.com> wrote: |
| 26 |
>> |
| 27 |
>> On Thu, Sep 21, 2017 at 2:56 PM, Michał Górny <mgorny@g.o> wrote: |
| 28 |
>> > [1]:https://wiki.gentoo.org/wiki/Project:Sandbox |
| 29 |
>> > |
| 30 |
>> |
| 31 |
>> I think I understand, in principle, why a sandbox could be useful, but |
| 32 |
>> would it not be more productive to follow up with projects which do |
| 33 |
>> unexpected things to ask that they not do those things? |
| 34 |
> |
| 35 |
> |
| 36 |
> So step one is figuring out what those things are. So the LD_PRELOAD sandbox |
| 37 |
> isn't designed to be a "security boundary" (its trivially defeat-able[1]). |
| 38 |
> Instead its designed to be a fairly straightforward detector of 'anomalous' |
| 39 |
> behavior. It works by intercepting file-operations and comparing them |
| 40 |
> against a whitelist. |
| 41 |
> |
| 42 |
> You can't tell people do stop doing unexpected things if you don't know |
| 43 |
> their software is doing unexpected things. |
| 44 |
> |
| 45 |
|
| 46 |
Right, I suppose a sandboxing mechanism is the best way to detect |
| 47 |
those changes. Is it necessary for it to be implemented with something |
| 48 |
like ptrace or ld tricks? Like above, I ask because other mechanisms |
| 49 |
are more comprehensive. |
| 50 |
|
| 51 |
The mechanism used to implement containers, in particular, is |
| 52 |
extremely interesting because it does (more or less) exactly what is |
| 53 |
wanted. Look for the CLONE_NEW* options in `man 2 clone`. It is |
| 54 |
possible containers are the best interface to this syscall, but I am |
| 55 |
not sure how to evaluate them in the context they would be used. |
| 56 |
|
| 57 |
Respectfully, |
| 58 |
R0b0t1 |
Archives