Re: Restrict to a fixed Internet domain in a sandbox

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I've realized that this would not work in the case of DNS round-robin load balancing, because the IP used by a sandboxed program may differ from the IP set by my application (which calls the sandbox).

So now I propose the following alternative

struct full_host_desc_t {
  struct sockaddr *ADDR, socklen_t LENGTH;
};

int selinux_restrict_domains(struct full_host_desc_t *hosts, unsigned int num_hosts);

Maybe there can be constructed a more efficient API.

09.01.2014, 21:02, "Victor Porton" <porton@xxxxxxxx>:
> Sorry, it should restrict not only domain but also port and protocol.
>
> So I propose this new syscall to restrict an application by "same-origin" policy:
>
> int selinux_restrict_domain(struct sockaddr *ADDR, socklen_t LENGTH);
>
> I am not sure that it is the best API specification. Please comment.
>
> Note that probably all connections we need are TCP (not UDP), but we can support all protocols for completeness.
>
> 09.01.2014, 18:59, "Victor Porton" <porton@xxxxxxxx>:
>
>>  09.01.2014, 18:39, "Victor Porton" <porton@xxxxxxxx>:
>>>   I remind that sandbox is implemented in Fedora using SELinux.
>>>
>>>   It would be useful to restrict sandboxed application to connect only to one, programmatically specified Internet domain (just like Java and JavaScript security).
>>>
>>>   It seems it is impossible with current SELinux.
>>>
>>>   Could you add necessary features? Please!
>>  You could add a syscall like:
>>
>>  int selinux_restrict_domain(const char *domain);
>>
>>  (We could modify this interface to restrict to a finite list of domains instead of one domain, but personally I don't need this.)
>>
>>  --
>>  Victor Porton - http://portonvictor.org
>
> --
> Victor Porton - http://portonvictor.org
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

-- 
Victor Porton - http://portonvictor.org

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux