[arch-general] sandboxing

sivmu sivmu at web.de
Thu Feb 2 18:57:38 UTC 2017



On 02.02.2017 at 19:28, Leonid Isaev wrote:
> On Thu, Feb 02, 2017 at 03:24:11AM +0100, sivmu wrote:
>> Please take a look at bubblewrap
>> https://github.com/projectatomic/bubblewrap
>> On the default arch kernel it does not use user namespaces.
> 
> And? Why do you point out such projects?
> 
> I already described an approach when one always runs browsers, pdf readers,
> etc, inside an lxc container, as an unprivileged user. That container resides
> on a filesystem mounted with nosuid (so things like ping, su, sudo won't work),
> and has a locked root account. On top of that, it connects to a xephyr session
> running on the host, to avoid X11 sniffing attacks.
> 
> I have been using such setup on all my desktops for over a year now. The only
> way to break out of such a container is a local kernel privilege escalation. Of
> course, having *privileged* userns *might* help because inside container UID=0
> will map to smth like UID=123456 on the host, but this doesn't seem worth doing
> given all the issues with userns.


From what I have seen so far, it is pretty similar to what bubblewrap
does and also provides isolation with namespaces.
I just noticed this can be used by unprivileged users too, so it might
be worth a try. Bubblewrap is however very lightweight, which is a nice
feature I think. (Plus, with a few hundred lines of code, I can actually
audit it to some extent.)

> 
> Any distribution that says "we focus on security" is garbage because security
> depends on the user's threat model. A distro should provide the *basic* tools
> that enable the user to implement his security demands.
> 
> But tails is worse than garbage -- it is malicious, because it also focuses on
> privacy, forgetting that user's privacy is almost synonymous to his education.
> So, there is no such thing as "easy privacy" or "easy security".
> 
> And no, pls don't bring up the breakage that you call OpenBSD...

I won't, trust me :)
Although they do contribute to many successful security innovations that
get adopted by Linux and others. OpenSSH is also a great example of
secure coding and sandboxing.

Anyway, I somewhat share your opinion that without user inclusion and
threat model consideration, there is something missing.

But for what they intend, Tails does provide what they promise, and it's
not that bad.


> 
>> And chromium actually uses quite some nice sandboxing and has become
>> quite famous for being nearly unbreakable. They also have a bug bounty
>> program, so if you find a way to break out of their sandbox you can get
>> up to 100k. Good luck :)
> 
> Why? My sandbox is better than that of chromium.

No, your sandbox, like mine, is a cage that surrounds the contained
applications.

Chromium's is a nice coat that fits perfectly and is adapted to the
applications. That is actually better.

> 
>> grsecurity has user namespaces enabled but restricted to privileged
>> users only. This allows privileged apps like docker to use this feature.
>> I think they know what they are doing.
> 
> Docker is not a security mechanism because its mission is totally different.

I did not say that.

> 
> Also, SECURITY != TOOL. So, unless you understand what grsecurity does, don't
> use it.

Although I know quite well what they are doing, I disagree with you
here. Grsecurity is in part a great feature because it does not need
configuration/interaction to work. Everyone can use it as long as they
don't mess with it without understanding what they do.
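The container setup described in the quoted part of this thread (browser in an LXC container on a nosuid filesystem, bubblewrap without unprivileged user namespaces) rests on a few properties of the host that are easy to get wrong silently. The following is an added example, not code from the list post, from LXC or from the bubblewrap project: a POSIX shell script that checks those properties. The container root /srv/lxc, the sample mountinfo lines and the sysctl paths are assumptions made for the example; the unprivileged_userns_clone sysctl in particular is a distribution patch, not mainline.

```shell
#!/bin/sh
# Added example (not from the list post): sanity checks for a desktop sandbox
# that relies on a nosuid mount, a non-setuid or setuid bwrap, and a known
# user-namespace policy. All paths and sample data below are assumptions.

# Constructed sample of /proc/self/mountinfo for offline testing (example data).
# Field 5 is the mount point, field 6 the per-mount options where nosuid lives.
SAMPLE_MOUNTINFO='25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 25 8:2 / /srv/lxc rw,nosuid,nodev,relatime shared:20 - ext4 /dev/sda2 rw
41 25 0:40 / /tmp rw,nosuid,nodev,noexec,relatime shared:21 - tmpfs tmpfs rw
42 25 8:3 / /home rw,relatime shared:22 - ext4 /dev/sda3 rw'

# mount_opts MOUNTPOINT [MOUNTINFO_FILE]: print the option list of the mount
# whose mount point matches exactly; exit 1 when no such mount exists.
# Defaults to the live /proc/self/mountinfo.
mount_opts() {
    awk -v mp="$1" '$5 == mp { print $6; found = 1 } END { exit !found }' \
        "${2:-/proc/self/mountinfo}"
}

# mount_has_opt MOUNTPOINT OPTION [MOUNTINFO_FILE]
#   returns 0 = option present, 1 = option absent, 2 = mount point not found
mount_has_opt() {
    opts=$(mount_opts "$1" "$3") || return 2
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_container_root MOUNTPOINT [MOUNTINFO_FILE]: the property the quoted
# setup depends on (setuid binaries such as su/sudo/ping must be inert there).
check_container_root() {
    rc=0
    mount_has_opt "$1" nosuid "$2" || rc=$?
    case $rc in
        0) echo "$1: nosuid OK" ;;
        1) echo "$1: WARNING mounted without nosuid" ;;
        *) echo "$1: not a mount point" ;;
    esac
}

# userns_policy: report how the running kernel hands out user namespaces.
# kernel.unprivileged_userns_clone is a distro patch (assumption: present on
# kernels such as linux-hardened); mainline only has user.max_user_namespaces.
userns_policy() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        case $(cat /proc/sys/kernel/unprivileged_userns_clone) in
            0) echo "userns: root only (unprivileged_userns_clone=0)" ;;
            *) echo "userns: unprivileged users allowed" ;;
        esac
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        echo "userns: limit $(cat /proc/sys/user/max_user_namespaces) (0 disables)"
    else
        echo "userns: not supported by this kernel"
    fi
}

# bwrap_mode: without unprivileged userns, bubblewrap can only work as a
# setuid-root binary, which changes what a bug in bwrap itself would cost.
bwrap_mode() {
    bin=$(command -v bwrap 2>/dev/null) || { echo "bwrap: not installed"; return 1; }
    if [ -u "$bin" ]; then
        echo "bwrap: setuid root ($bin)"
    else
        echo "bwrap: unprivileged, needs userns ($bin)"
    fi
}

# Run the live checks with: sh sandbox_check.sh live [CONTAINER_ROOT]
if [ "${1:-}" = "live" ]; then
    userns_policy
    bwrap_mode
    check_container_root "${2:-/srv/lxc}"
fi
```

The mountinfo parser matches the mount point field exactly, so a container root that merely lives on a nosuid filesystem deeper in the tree (for example /srv/lxc/rootfs on the /srv/lxc mount) reports "not a mount point"; pass the actual mount point, or walk up the path until one matches.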
