Contributed by tbert on from the taming-the-beast dept.
Theo de Raadt (deraadt@) has pulled back the curtain on his entry into the process sandboxing contest:
I have been working for a while on a subsystem to restrict programs into a "reduced feature operating model". Other people have made such systems in the past, but I have never been happy with them. I don't think I am alone.
Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program "initialization" versus "main servicing loop". systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops. Some BPF-style approaches have showed up. So you need to write a program to observe your program, to keep things secure? That is insane. So I asked myself if I could invent a simple system call, which people would place directly into programs, between initialization and main-loop. Secondly, I wondered what kind of semantics such programs would need. Not just directly themselves, but for DNS and other macro operations. Anyways, enough explanation. A manual page follows. Then the kernel diff. Finally, a sample of 29 userland programs protected to various degrees by using it: cat pax ps dmesg ping ping6 dc diff finger from id kdump logger script sed signify uniq w wc whois arp authpf bgpd httpd ntpd relayd syslogd tcpdump traceroute Not all these are perfect, but it shows the trend. The changes are fairly simple. In the simplest non-network programs, network access is disabled. In simple network programs, file access goes away. That is the trend. Sometimes a program is easily modified, making it better, because the integration of tame hints at an improvement which will make it tighter under tame. sed is an example...
The full email, as stated, contains the man page and the diff to make this happen. For those of us wanting an easily-retrofitted way of sandboxing applications, this looks like a huge step forward.
(Comments are closed)