Re: [gentoo-dev] Reviving the Sandbox project

public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed

From: Alec Warner <antarus@gentoo.org>
To: Gentoo Dev <gentoo-dev@lists.gentoo.org>
Subject: Re: [gentoo-dev] Reviving the Sandbox project
Date: Fri, 22 Sep 2017 18:05:19 -0400	[thread overview]
Message-ID: <CAAr7Pr9+v=XZGAGZJZjpoj6ssnBXjjSbQMTWLGejQ5Jtybmb3A@mail.gmail.com> (raw)
In-Reply-To: <CAAD4mYjJi1xuORbO4KQh8q+S7WsZ93P9-s+yatvqvqH-n4rPPw@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2097 bytes --]

On Fri, Sep 22, 2017 at 5:51 PM, R0b0t1 <r030t1@gmail.com> wrote:

> On Thu, Sep 21, 2017 at 2:56 PM, Michał Górny <mgorny@gentoo.org> wrote:
> > [1]:https://wiki.gentoo.org/wiki/Project:Sandbox
> >
>
> I think I understand, in principle, why a sandbox could be useful, but
> would it not be more productive to follow up with projects which do
> unexpected things to ask that they not do those things?
>

So step one is figuring out what those things are. So the LD_PRELOAD
sandbox isn't designed to be a "security boundary" (its trivially
defeat-able[1]). Instead its designed to be a fairly straightforward
detector of 'anomalous' behavior. It works by intercepting file-operations
and comparing them against a whitelist.

You can't tell people do stop doing unexpected things if you don't know
their software is doing unexpected things.

[1] So defeatable in fact that ebuilds have an API to modify the boundaries
of the sandbox and even if the enforcement was stronger (e.g. via
seccomp-bpf) there is still the idea that ebuilds can rather arbitrarily
alter the sandbox boundaries...so nothing really prevents application code
from also altering the boundaries in the current design; I suspect fixing
this would be fairly tricky without some major changes.

-A

> In the sense that Portage can in its entirely be isolated in various
> ways (user groups, containers, virtual machines, etc) I am not sure
> adding another layer is the most expedient option, especially if it is
> hard to maintain.
>
> I once saw Java developers talking about introducing changes to an
> enterprise program by not modifying the source, but keeping the source
> as is, and then maintaining a set of reflection-based patches that
> would modify the program after it was loaded but before it was run.
> This did not make sense to me, and it seems a lot like what is being
> done with the sandbox.
>
> In some cases that can make sense, I suppose. I am not a very smart
> man, so I would not know the necessary burden of proof.
>
> Respectfully,
>      R0b0t1
>
>

[-- Attachment #2: Type: text/html, Size: 2834 bytes --]

next prev parent reply	other threads:[~2017-09-22 22:05 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-21 19:56 [gentoo-dev] Reviving the Sandbox project Michał Górny
2017-09-21 20:33 ` Mart Raudsepp
2017-09-21 20:54   ` Michał Górny
2017-09-21 21:07     ` Mart Raudsepp
2017-09-21 21:25       ` Michał Górny
2017-09-21 22:41         ` Matt Turner
2017-09-22  4:07           ` Michał Górny
2017-09-22 10:57             ` Alexis Ballier
2017-09-22 11:38               ` Sergei Trofimovich
2017-09-22 12:04                 ` Alexis Ballier
2017-09-22 12:27                 ` Rich Freeman
2017-09-22 15:06                   ` James McMechan
2017-09-22 17:03                     ` Brian Dolbec
2017-09-22 17:16                       ` Patrick McLean
2017-09-22 15:20               ` Michał Górny
2017-09-22 17:15                 ` Alexis Ballier
2017-09-22 17:39                   ` Michał Górny
2017-09-22 18:31                     ` Alexis Ballier
2017-09-22 21:26                       ` Michał Górny
2017-09-21 21:28       ` Patrick McLean
2017-09-22 21:51 ` R0b0t1
2017-09-22 22:01   ` Michael Orlitzky
2017-09-22 22:05   ` Alec Warner [this message]
2017-09-23  5:18     ` R0b0t1

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAAr7Pr9+v=XZGAGZJZjpoj6ssnBXjjSbQMTWLGejQ5Jtybmb3A@mail.gmail.com' \
    --to=antarus@gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox