Linux sandbox review

Question

Linux sandbox review

Opened this issue 10 years ago · 20 comments

Answer 1 · 2015-03-05T19:18:22.000Z

seccomp.rs:

#[cfg(target_arch="x86")]
const ARCH_NR: u32 = AUDIT_ARCH_X86;
#[cfg(target_arch="x86_64")]
const ARCH_NR: u32 = AUDIT_ARCH_X86_64;
#[cfg(target_arch="arm")]
const ARCH_NR: u32 = AUDIT_ARCH_ARM;
// ...
const __AUDIT_ARCH_64BIT: u32 = 0x8000_0000;
const __AUDIT_ARCH_LE: u32 = 0x4000_0000;
const AUDIT_ARCH_X86_64: u32 = EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE;

Can you explain what these are for?

Answer 2 · 2015-03-05T19:19:37.000Z

This needs a comment:

/// Syscalls that are always allowed.
static ALLOWED_SYSCALLS: [u32; 22] = [
    ...
    NR_unknown_318,
}

Answer 3 · 2015-03-05T19:20:54.000Z

I'd like to whitelist advice values for madvise. Linux has a habit of adding weird features to madvise that are not really "memory advice".

Answer 4 · 2015-03-05T19:21:43.000Z

A quasiquote macro for BPF programs would be pretty sweet ^_^

Answer 5 · 2015-03-05T19:22:47.000Z

Can we whitelist socket ops by address family, too? You can do a lot of weird stuff with sockets — DBus, kernel crypto APIs, and even more obscure things where kernel 0days are likely to hide.

Answer 6 · 2015-03-05T19:31:56.000Z

I'd also like a test that tries every forbidden syscall number, to guard against (some) bugs in the BPF code.

Answer 7 · 2015-03-05T19:36:55.000Z

Is there a BPF disassembler we could use to look at some of the generated programs?

Answer 8 · 2015-03-05T19:37:57.000Z

Can we whitelist socket ops by address family, too?

nm, I see you're doing that already:

// Only allow Unix, IPv4, IPv6, and netlink route sockets to be created.

Why do we need to allow route sockets? Are they used by unprivileged processes to query the routing table?

Answer 9 · 2015-03-05T19:43:13.000Z

let src = CString::from_slice(b"tmpfs");
...
let tmpfs = CString::from_slice(b"tmpfs");

These could be the same variable, right?

Answer 10 · 2015-03-05T19:45:02.000Z

mount(src.as_ptr(), dest.as_ptr(), tmpfs.as_ptr(), MS_NOATIME, ptr::null())

How about MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID just for good measure? Some of those could cause problems, though.

Answer 11 · 2015-03-05T19:56:22.000Z

Is there code to close unwanted file descriptors before entering the sandbox? It would be good to iterate over all fd's in case some random library has opened something.

Answer 12 · 2015-03-05T19:57:41.000Z

Everything else in gaol/platform/linux looks good to me.

Answer 13 · 2015-03-05T20:03:29.000Z

Oh, do we want to set a umask?

Answer 14 · 2015-03-05T20:14:51.000Z

prctl(PR_SET_DUMPABLE, 0) seems like another miscellaneous safeguard that could be slightly useful.

Answer 15 · 2015-03-06T20:26:43.000Z

cc rust-lang/rust#12148

Answer 16 · 2015-03-09T17:46:30.000Z

@kmcallister Yeah, netlink route is used for stuff like gethostbyname, unfortunately.

Answer 17 · 2015-03-09T17:49:59.000Z

@kmcallister I don't actually know why we have to validate architectures (since it seems obvious that you can only call syscalls on the same architecture you're on?) but Chromium does it so I did it too.

Answer 18 · 2015-03-09T17:59:52.000Z

@kmcallister It's actually important on some OS's to keep file descriptors open when entering the sandbox. Most notably, Chromium does this on Windows, because some OS APIs (e.g. fonts, IIRC) have to "warm up" by opening some handles, but which handles those are vary from OS release to OS release, so you can't really whitelist them portably.

Answer 19 · 2015-03-09T20:35:05.000Z

@kmcallister Comments addressed. Here's a disassembly of the BPF for a restrictive filter: https://gist.github.com/anonymous/6988b4b8456678cb58f6

Answer 20 · 2015-12-02T15:01:00.000Z

Firejail could be a source of inspiration.