Re: Restrict to a fixed Internet domain in a sandbox

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



10.01.2014, 20:48, "Stephen Smalley" <sds@xxxxxxxxxxxxx>:
> On 01/10/2014 01:41 PM, Victor Porton wrote:
>
>>  09.01.2014, 21:35, "Stephen Smalley" <sds@xxxxxxxxxxxxx>:
>>>  On 01/09/2014 02:31 PM, Victor Porton wrote:
>>>>   09.01.2014, 21:25, "Stephen Smalley" <sds@xxxxxxxxxxxxx>:
>>>>>   On 01/09/2014 11:37 AM, Victor Porton wrote:
>>>>>>    I remind that sandbox is implemented in Fedora using SELinux.
>>>>>>
>>>>>>    It would be useful to restrict sandboxed application to connect only to one, programmatically specified Internet domain (just like Java and JavaScript security).
>>>>>>
>>>>>>    It seems it is impossible with current SELinux.
>>>>>>
>>>>>>    Could you add necessary features? Please!
>>>>>   I'm not aware of any missing kernel features required to support your
>>>>>   functionality.  I think all you are missing is two userspace components:
>>>>   AFAIK, there are no support for this in Linux kernel.
>>>>
>>>>   It is why I advise to add a new syscall (see my previous message).
>>>>>    a library that provides whatever interface you design, and a daemon
>>>>>   that receives the specification in whatever form you design and turns it
>>>>>   into a set of SELinux and iptables SECMARK/CONNSECMARK rules to label
>>>>>   the packets so that SELinux can mediate them accordingly, and loads that
>>>>>   into the kernel for enforcement.
>>>>   I've already explained some reasons why iptables solution would be wrong. One of the reasons is that this would confuse a system administrator by appearance of new unexpected rules, the automatically added rules would also disappear when iptables script is reloaded, what could make errors for regular users. To use iptables this way seems a really bad idea.
>>>  For SECMARK/CONNSECMARK, there is a separate dedicated security table to
>>>  avoid such conflicts.
>>  We need to make a separate ID for every sandbox process (with all its children) (there may be more than one, even run simultaneously by the same user). This ID should be in some way passed to NetFilter. Does iptables provide a way to add such an ID to the rules? (Moreover we need to somehow ensure that this ID would not interact with rules created by other software packages or by an administrator?)
>>
>>  Can it be safely done with iptables? Please be specific.
>
> SECMARK/CONNSECMARK is just a way to assign a SELinux security context
> to packets based on various iptables selectors.  Then in SELinux policy,
> you can control sending/receiving packets based on those security
> contexts and the security context of the sending/receiving process.  You
> can obviously generate a unique security context for each sandbox; the
> sandbox program already does that.

I understand this.

I just want to make sure that my daemon would be able to remove rules created by particular sandbox (when the sandbox exists). Can it be done by `iptables -D` with a complete security content (including the category, which is different for each sandbox)? I am not sure whether -D will deal with rules specified by (among other data) security context. Or can my daemon get specific rulenum for each rule it creates (to be able to remove them when the sandbox exists)?

-- 
Victor Porton - http://portonvictor.org

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.





[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux