From: R0b0t1 <r030t1@gmail.com>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Reviving the Sandbox project
Date: Sat, 23 Sep 2017 00:18:15 -0500
Message-ID: <CAAD4mYjEx1ZXLKerbEKZ5oJ_EO0tkg6Jn55oVy64JbeK3E1YmA@mail.gmail.com>
In-Reply-To: <CAAr7Pr9+v=XZGAGZJZjpoj6ssnBXjjSbQMTWLGejQ5Jtybmb3A@mail.gmail.com>
On Fri, Sep 22, 2017 at 5:01 PM, Michael Orlitzky <mjo@gentoo.org> wrote:
> On 09/22/2017 05:51 PM, R0b0t1 wrote:
>> On Thu, Sep 21, 2017 at 2:56 PM, Michał Górny <mgorny@gentoo.org> wrote:
>>> [1]:https://wiki.gentoo.org/wiki/Project:Sandbox
>>>
>>
>> I think I understand, in principle, why a sandbox could be useful, but
>> would it not be more productive to follow up with projects which do
>> unexpected things to ask that they not do those things?
>>
>
> The sandbox isn't a security feature, it's more of a QA tool. How do you
> *know* when the upstream project does something wrong? See, for example,
>
I was aware of this part. I suggested sandboxing mechanisms which were
security related not for security purposes, but due to the fact that
their original design goals make them more comprehensive. As a bonus,
they already exist.
On Fri, Sep 22, 2017 at 5:05 PM, Alec Warner <antarus@gentoo.org> wrote:
>
>
> On Fri, Sep 22, 2017 at 5:51 PM, R0b0t1 <r030t1@gmail.com> wrote:
>>
>> On Thu, Sep 21, 2017 at 2:56 PM, Michał Górny <mgorny@gentoo.org> wrote:
>> > [1]:https://wiki.gentoo.org/wiki/Project:Sandbox
>> >
>>
>> I think I understand, in principle, why a sandbox could be useful, but
>> would it not be more productive to follow up with projects which do
>> unexpected things to ask that they not do those things?
>
>
> So step one is figuring out what those things are. So the LD_PRELOAD sandbox
> isn't designed to be a "security boundary" (it's trivially defeatable[1]).
> Instead it's designed to be a fairly straightforward detector of 'anomalous'
> behavior. It works by intercepting file-operations and comparing them
> against a whitelist.
>
> You can't tell people to stop doing unexpected things if you don't know
> their software is doing unexpected things.
>
Right, I suppose a sandboxing mechanism is the best way to detect
those changes. Is it necessary for it to be implemented with something
like ptrace or ld tricks? Like above, I ask because other mechanisms
are more comprehensive.
The mechanism used to implement containers, in particular, is
extremely interesting because it does (more or less) exactly what is
wanted. Look for the CLONE_NEW* options in `man 2 clone`. It is
possible containers are the best interface to this syscall, but I am
not sure how to evaluate them in the context they would be used.
Respectfully,
R0b0t1
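The following is an added illustration of the "intercept file operations and compare them against a whitelist" logic that the quoted reply describes; it is example code written for this page, not the source of Gentoo's sandbox, and the whitelist entries, the sample operations and the function names are all constructed for the example. It shows the part an LD_PRELOAD hook has to get right once it has captured a path: normalising ".." components so a write to /tmp/../usr cannot slip through, and matching directory entries on a path boundary so /tmpfoo is not treated as being under /tmp.

```c
/* Added example: whitelist decision logic for an LD_PRELOAD-style build
 * sandbox. Illustrative only; not Gentoo's sandbox code. */
#include <stdio.h>
#include <string.h>

/* Write-whitelist, constructed for this example (not the real defaults).
 * Entries ending in '/' are directory trees; others are exact files. */
static const char *const write_whitelist[] = {
    "/var/tmp/portage/",
    "/tmp/",
    "/dev/null",
};
#define WL_COUNT (sizeof write_whitelist / sizeof write_whitelist[0])

/* Normalise an absolute path lexically: collapse repeated '/', drop "." and
 * resolve "..", never climbing above "/". Returns 0 on success, -1 if the
 * path is not absolute or does not fit in out. The filesystem is not
 * consulted, so symlinks are NOT resolved; a real interposer must also
 * canonicalise symlinks or a link inside /tmp can point anywhere. */
int normalize_path(const char *path, char *out, size_t outsz)
{
    if (path == NULL || path[0] != '/' || outsz < 2)
        return -1;
    size_t len = 0;
    out[len++] = '/';
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;              /* skip separators */
        if (*p == '\0') break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;                       /* "." is a no-op */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len > 1) {                  /* pop the previous component */
                len--;
                while (len > 0 && out[len - 1] != '/') len--;
            }
            continue;
        }
        if (len + seglen + 1 >= outsz)      /* room for segment, '/', NUL */
            return -1;
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len++] = '/';
    }
    if (len > 1) len--;                     /* strip trailing '/' except on "/" */
    out[len] = '\0';
    return 0;
}

/* 1 if the normalised path is a whitelisted file or lies inside a
 * whitelisted directory. A bare strncmp prefix test would accept "/tmpfoo"
 * for the entry "/tmp/", so directory entries require a '/' boundary. */
int path_in_whitelist(const char *norm, const char *const *wl, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        const char *e = wl[i];
        size_t el = strlen(e);
        if (el > 0 && e[el - 1] == '/') {
            if (strncmp(norm, e, el - 1) == 0 &&
                (norm[el - 1] == '\0' || norm[el - 1] == '/'))
                return 1;
        } else if (strcmp(norm, e) == 0) {
            return 1;
        }
    }
    return 0;
}

/* One intercepted call, as a hooked libc entry point would see it. */
struct fileop {
    const char *func;   /* e.g. "open", "mkdir", "unlink" */
    const char *path;
    int writes;         /* 1 if the call would modify the filesystem */
};

/* 1 = allowed, 0 = report as a violation. Reads are allowed anywhere,
 * writes only inside the whitelist. Relative paths are refused here; a
 * real hook resolves them against the cwd (or the dirfd for *at calls). */
int sandbox_check(const struct fileop *op)
{
    char norm[4096];
    if (normalize_path(op->path, norm, sizeof norm) != 0)
        return 0;
    if (!op->writes)
        return 1;
    return path_in_whitelist(norm, write_whitelist, WL_COUNT);
}

/* Constructed sample of intercepted calls (not a real build log). */
static const struct fileop sample_ops[] = {
    {"open",   "/var/tmp/portage/pkg/work/Makefile", 1},  /* allowed   */
    {"open",   "/usr/lib/libfoo.so",                 0},  /* read: ok  */
    {"open",   "/usr/lib/libfoo.so",                 1},  /* violation */
    {"mkdir",  "/tmp/../usr/local/bin",              1},  /* violation */
    {"unlink", "/tmpfoo/x",                          1},  /* violation */
    {"open",   "/dev/null",                          1},  /* allowed   */
};
#define SAMPLE_COUNT (sizeof sample_ops / sizeof sample_ops[0])

/* Report each disallowed operation and return how many there were. */
size_t count_violations(const struct fileop *ops, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (!sandbox_check(&ops[i])) {
            fprintf(stderr, "ACCESS DENIED  %s:  %s\n", ops[i].func, ops[i].path);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    size_t bad = count_violations(sample_ops, SAMPLE_COUNT);
    printf("%zu of %zu operations flagged\n", bad, SAMPLE_COUNT);
    return bad ? 1 : 0;
}
```

The example only covers the decision step; hooking open(2) and friends with dlsym(RTLD_NEXT) is the easy part. It also makes the thread's point concrete: everything here runs inside the build process and only sees calls that go through libc, so a statically linked tool or a direct syscall never reaches the check, which is why this is a QA detector and not a security boundary. The CLONE_NEW* namespaces mentioned above enforce at the kernel instead, at the cost of a coarser "can or cannot" answer rather than a per-call report.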
Thread overview:
2017-09-21 19:56 [gentoo-dev] Reviving the Sandbox project Michał Górny
2017-09-21 20:33 ` Mart Raudsepp
2017-09-21 20:54 ` Michał Górny
2017-09-21 21:07 ` Mart Raudsepp
2017-09-21 21:25 ` Michał Górny
2017-09-21 22:41 ` Matt Turner
2017-09-22 4:07 ` Michał Górny
2017-09-22 10:57 ` Alexis Ballier
2017-09-22 11:38 ` Sergei Trofimovich
2017-09-22 12:04 ` Alexis Ballier
2017-09-22 12:27 ` Rich Freeman
2017-09-22 15:06 ` James McMechan
2017-09-22 17:03 ` Brian Dolbec
2017-09-22 17:16 ` Patrick McLean
2017-09-22 15:20 ` Michał Górny
2017-09-22 17:15 ` Alexis Ballier
2017-09-22 17:39 ` Michał Górny
2017-09-22 18:31 ` Alexis Ballier
2017-09-22 21:26 ` Michał Górny
2017-09-21 21:28 ` Patrick McLean
2017-09-22 21:51 ` R0b0t1
2017-09-22 22:01 ` Michael Orlitzky
2017-09-22 22:05 ` Alec Warner
2017-09-23 5:18 ` R0b0t1 [this message]