Date: Fri, 22 Sep 2017 20:31:44 +0200
From: Alexis Ballier
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Reviving the Sandbox project
Message-ID: <20170922203144.2fe89545@gentoo.org>
In-Reply-To: <1506101956.1104.3.camel@gentoo.org>
References: <1506023769.15165.14.camel@gentoo.org> <1506025998.3293.1.camel@gentoo.org> <1506027262.15165.15.camel@gentoo.org> <1506028054.8561.1.camel@gentoo.org> <1506029117.15165.17.camel@gentoo.org> <1506053238.1115.0.camel@gentoo.org> <20170922125721.2fc2f243@gentoo.org> <1506093623.1104.1.camel@gentoo.org> <20170922191526.0c25a46e@gentoo.org> <1506101956.1104.3.camel@gentoo.org>
Organization: Gentoo

On Fri, 22 Sep 2017 19:39:16 +0200
Michał Górny wrote:

> On Fri, 22.09.2017 at 19:15 +0200, user Alexis Ballier wrote:
> > On Fri, 22 Sep 2017 17:20:23 +0200
> > Michał Górny wrote:
> >
> > > On Fri, 22.09.2017 at 12:57 +0200, user Alexis Ballier wrote:
> > > > On Fri, 22 Sep 2017 06:07:18 +0200
> > > > Michał Górny wrote:
> > > >
> > > > > On Thu, 21.09.2017 at 15:41 -0700, user Matt Turner wrote:
> > > > > > On Thu, Sep 21, 2017 at 2:25 PM, Michał Górny wrote:
> > > > > > > Given that sandbox is utterly broken by design, I don't
> > > > > > > really want to put too much effort in trying to make it a
> > > > > > > little better. I'd rather put the minimal effort required
> > > > > > > to make it not-much-worse.
> > > > > >
> > > > > > You said in your initial email that you weren't an expert
> > > > > > in its internals, but here you say it's broken by design.
> > > > > > Why do you think that?
> > > > >
> > > > > Because it uses LD_PRELOAD, which is a huge hack and which
> > > > > causes guaranteed issues we can't really fix. All we can do
> > > > > is disable it for emacs, for compiler-rt, and I'm afraid this
> > > > > list will grow because overriding random library functions is
> > > > > never a good idea.
> > > >
> > > > I think we're all ears for a better solution. There are probably
> > > > much better ways to do sandboxing these days than 15 years ago.
> > > >
> > > > LD_PRELOAD does not work with static binaries. Hence the
> > > > non-portable ptrace stuff. Hence bugs. Etc. The point is, that's
> > > > the best we have now.
> > >
> > > I know of two obvious alternatives: ptrace and the filesystem layer
> > > (e.g. FUSE).
> > >
> > > For the former, there's sydbox. I'm going to look into
> > > integrating it into Portage when I have more time.
> >
> > From: https://github.com/alip/pinktrace/blob/master/configure.ac
> >
> > case "$host_cpu" in
> > i[[3456]]86|pentium)
> > x86?64*|amd64)
> > ia64)
> > powerpc64*)
> > powerpc*)
> > arm*)
> > [add support for those arches]
> > *)
> > AC_MSG_RESULT([NO!])
> > AC_MSG_ERROR([Architecture $host_cpu is not supported by
> > pinktrace]) ;;
> >
> > sandbox keywords:
> > 2.11-r5:0: ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc
> > ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd
> >
> > Good luck adding the missing bits!
> >
> > > For the latter, I have writing one in my TODO. But I'm not sure when
> > > I'll have enough time to do work on it.
> >
> > Not sure how that would work, but you'll likely need some kind of
> > chroot/container, since you don't want to trust a random binary run
> > as root to respect environment variables.
>
> Environment variables? What for?

I don't know :) I have no idea how you would provide a virtual FS that
would be the only thing ever seen by all processes spawned.