WingNews logo WingNews
top | item 46762708

(no title)

ijustlovemath | 1 month ago

I've found it interesting that systemd and Linux user permissions/groups never come into the sandboxing discussions. They're both quite robust, offer a good deal of customization in concert,and by their nature, are fairly low cost.

discuss

order

nextaccountic|1 month ago

Unix permissions were written at a time where the (multi user) system was protecting itself from the user. Every program ran at the same privileges of the user, because it wasn't a security consideration that maybe the program doesn't do what the user thinks it does. That's why in the list of classic Unix tools there is nothing to sandbox programs or anything like that, it was a non issue

And today this is.. not sufficient. What we require today is to run software protected from each other. For quite some time I tried to use Unix permissions for this (one user per application I run), but it's totally unworkable. You need a capabilities model, not an user permission model

Anyway I already linked this elsewhere in this thread but in this comment it's a better fit https://xkcd.com/1200/

nesarkvechnep|1 month ago

There's FreeBSD's Capsicum. It's a full-blown sandboxing mode and capability framework. Unfortunately, Linux didn't adopt it and chose chaos.

curt15|1 month ago

>And today this is.. not sufficient. What we require today is to run software protected from each other. For quite some time I tried to use Unix permissions for this (one user per application I run), but it's totally unworkable. You need a capabilities model, not an user permission model

Unix permissions remain a fundamental building block of Android's sandbox. Each app runs as its own unix user.

theteapot|1 month ago

I feel like apparmor is getting there, very, very slowly. Just need every package to come with a declarative profile or fallback to a strict default profile.

mike_hearn|1 month ago

Yes but systemd is a full blown sandboxing system, and he said the two working in concert.

moezd|1 month ago

This assumes people know more than just writing Dockerfiles and push straight to production. This is still a rarity.

ijustlovemath|1 month ago

Nowadays, it's fairly simple to ask for a unit file and accompanying bash script/tests for correctness. I think the barrier in that sense has practically vanished.

vbezhenar|1 month ago

Linux kernel is ridden with local privilege escalation vulnerabilities. This approach works for trusted software that you just want to contain, but it won't work for malicious software.

viraptor|1 month ago

Ridden? There are issues from time to time, but it's not like you can grab the latest, patched Ubuntu LTS and escalate from an unprivileged seccomp sandbox that doesn't include crazy device files.

srcreigh|1 month ago

It shouldn’t come up because it’s not sufficient. How would systemd prevent local JavaScript code from sending DNS, http, webrtc network requests when it’s opened in the users browser?

pjmlp|1 month ago

Because that is actually UNIX user permissions/groups, with a long history of what works, and what doesn't?

ape4|1 month ago

cgroups are part of whats used to implement docker and podman

ijustlovemath|1 month ago

True, and they do indeed offer an additional layer of protection (but with some nontrivial costs). All (non-business killing) avenues should be used in pursuit of defense in depth when it comes to sandboxing. You could even throw a flatpak or firejail in, but that starts to degrade performance in noticeable ways (though I've found it's nice to strive for this in your CI).

hendry|1 month ago

Agreed! systemd nspawn is actually pretty awesome, though not many people use it.