
Sandboxing Debian [was: Re: chroot administration]



Russell Coker <russell@coker.com.au> wrote:

> > http://www.solucorp.qc.ca/miscprj/s_context.hc
> Is someone going to package this for Debian?

One person has announced on the list that he is going to try, though
he is not an official Debian developer.  I have made a package, too,
and will make it available soon.

> There are some limitations with it.  The biggest limitation when
> compared to my SE Linux work is its lack of flexibility.  I can
> set up a SE Linux chroot, then do a bind mount of /home/www, and
> grant read-only access to the files and directories of user_home_t
> and search access to directories of type user_home_dir_t.

This stuff is accomplished through file immutability and Linux
capabilities.  It's not as flexible as the system you're describing
sounds, but it does work with standard Linux filesystem features and
represents a smaller departure from UNIX conventions.

> The advantage of the "security contexts" system described on that
> web page is a comprehensive solution to the IP address issue (I've
> got a design but no working code so far).  I don't expect to ever
> get a solution that works as well as their solution unless/until new
> features are added to SE Linux.

It's not perfect, though - due to a shocking case of C programmer's
disease.

One big problem is what to do with the `localhost' interface.
Currently, you can't have a guaranteed private interface and expect
applications to work.

This is because the IP jailing works by intercepting the `bind' call,
and remapping binds to 0.0.0.0 to the first IP address listed in our
`ip chroot', as well as binds to 127.0.0.1.

I tried adding an extra IP address - 127.0.0.X - to the IP chroot and
defining that as `localhost' in /etc/hosts, and eventually after
finding that SSH local port forwarding (to pick on an application for
which it didn't work) was always trying to bind to 127.0.0.1, I found
this gem in glibc:

/* Network number for local host loopback.  */
#define	IN_LOOPBACKNET		127
/* Address to loopback in software to local host.  */
#ifndef INADDR_LOOPBACK
# define INADDR_LOOPBACK	((in_addr_t) 0x7f000001) /* Inet 127.0.0.1.  */
#endif

so the getaddrinfo() call will always return 127.0.0.1 for the local
host.  Which is a bit of an arse really, but I think I'd probably just
get laughed at or ignored if I logged a bug against it.

But if you don't mind `localhost' being the same as your external IP
address there's no problem.
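The remapping the message describes can be reproduced as plain values. The following is an added example, not code from this thread or from the s_context project: it models the interposed bind() policy (0.0.0.0 and 127.0.0.1 go to the first address of the jail, other jail addresses pass through) against a constructed jail of one external address and one 127.0.0.X alias, and shows why an application that asks for INADDR_LOOPBACK still ends up on the external address even when the alias is in the jail. The jail addresses, the port and the verdict names are all assumptions made here.

```c
/* Added example, not from the thread or the s_context project: a model of
 * the "IP chroot" bind remapping described above, with constructed data. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed jail: one external address plus one private loopback alias
 * (the 127.0.0.X trick from the message).  Host byte order throughout. */
#define JAIL_EXTERNAL   0xC000020AU   /* 192.0.2.10, documentation range */
#define JAIL_PRIVATE_LO 0x7F000005U   /* 127.0.0.5 */
static const in_addr_t jail_addrs[] = { JAIL_EXTERNAL, JAIL_PRIVATE_LO };
static const size_t jail_count = sizeof jail_addrs / sizeof jail_addrs[0];

/* Assumed verdict names; the real jail's handling of an address outside
 * its set is not described on the page, so it is only flagged here. */
enum jail_verdict { JAIL_REMAPPED, JAIL_ALLOWED, JAIL_OUTSIDE };

/* The interposed bind() policy: 0.0.0.0 and 127.0.0.1 become the first
 * jail address in place; other jail addresses pass through unchanged. */
enum jail_verdict jail_filter_bind(struct sockaddr_in *req)
{
    in_addr_t want = ntohl(req->sin_addr.s_addr);
    if (want == INADDR_ANY || want == INADDR_LOOPBACK) {
        req->sin_addr.s_addr = htonl(jail_addrs[0]);
        return JAIL_REMAPPED;
    }
    for (size_t i = 0; i < jail_count; i++)
        if (want == jail_addrs[i])
            return JAIL_ALLOWED;
    return JAIL_OUTSIDE;
}

/* Build the request an application would hand to bind() for `want`. */
static struct sockaddr_in request_for(in_addr_t want)
{
    struct sockaddr_in req;
    memset(&req, 0, sizeof req);
    req.sin_family = AF_INET;
    req.sin_port = htons(8080);          /* assumed port */
    req.sin_addr.s_addr = htonl(want);
    return req;
}

/* Address (host order) a bind request for `want` actually lands on. */
in_addr_t jail_landing(in_addr_t want)
{
    struct sockaddr_in req = request_for(want);
    jail_filter_bind(&req);
    return ntohl(req.sin_addr.s_addr);
}

/* Verdict the policy gives for `want`, without the rewritten address. */
enum jail_verdict jail_verdict_for(in_addr_t want)
{
    struct sockaddr_in req = request_for(want);
    return jail_filter_bind(&req);
}

int main(void)
{
    /* INADDR_LOOPBACK is the value the quoted glibc header hard-codes, so
     * it is what an application asking for "localhost" tends to bind. */
    in_addr_t cases[] = { INADDR_ANY, INADDR_LOOPBACK, JAIL_PRIVATE_LO,
                          0x0A000001U /* 10.0.0.1: not in the jail */ };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct in_addr a = { htonl(cases[i]) };
        struct in_addr b = { htonl(jail_landing(cases[i])) };
        char from[INET_ADDRSTRLEN], to[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &a, from, sizeof from);
        inet_ntop(AF_INET, &b, to, sizeof to);
        printf("bind(%-10s) -> %-10s verdict %d\n", from, to,
               jail_verdict_for(cases[i]));
    }
    return 0;
}
```

Running it shows the effect the message reports: a request for 127.0.0.1 is rewritten to 192.0.2.10 (the external address) even though 127.0.0.5 sits in the jail, while a request for 127.0.0.5 itself stays private. Only software that can be told to bind the alias explicitly gets a private loopback; anything that reaches for INADDR_LOOPBACK does not.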
