Sandboxing in Linux

Sandboxing in Linux

Along with the other sugestions you might find this useful.

http://www.eelis.net/geordi/

This is from http://codepad.org/about, codepad.org's about page.

Run an untrusted C program in a sandbox in Linux that prevents it from opening files, forking, etc.?

I have used Systrace to sandbox untrusted programs both interactively and in automatic mode. It has a ptrace()-based backend which allows its use on a Linux system without special privileges, as well as a far faster and more poweful backend which requires patching the kernel.

It is also possible to create a sandbox on Unix-like systems using chroot(1), although that is not quite as easy or secure. Linux Containers and FreeBSD jails are a better alternative to chroot. Another alternative on Linux is to use a security framework like SELinux or AppArmor, which is what I would propose for production systems.

We would be able to help you more if you told as what exactly it is that you want to do.

EDIT:

Systrace would work for your case, but I think that something based on the Linux Security Model like AppArmor or SELinux is a more standard, and thus preferred, alternative, depending on your distribution.

EDIT 2:

While chroot(1) is available on most (all?) Unix-like systems, it has quite a few issues:

  • It can be broken out of. If you are going to actually compile or run untrusted C programs on your system, you are especially vulnerable to this issue. And if your students are anything like mine, someone WILL try to break out of the jail.

  • You have to create a full independent filesystem hierarchy with everything that is necessary for your task. You do not have to have a compiler in the chroot, but anything that is required to run the compiled programs should be included. While there are utilities that help with this, it's still not trivial.

  • You have to maintain the chroot. Since it is independent, the chroot files will not be updated along with your distribution. You will have to either recreate the chroot regularly, or include the necessary update tools in it, which would essentially require that it be a full-blown Linux distribution. You will also have to keep system and user data (passwords, input files e.t.c.) synchronized with the host system.

  • chroot() only protects the filesystem. It does not prevent a malicious program from opening network sockets or a badly-written one from sucking up every available resource.

The resource usage problem is common among all alternatives. Filesystem quotas will prevent programs from filling the disk. Proper ulimit (setrlimit() in C) settings can protect against memory overuse and any fork bombs, as well as put a stop to CPU hogs. nice(1) can lower the priority of those programs so that the computer can be used for any tasks that are deemed more important with no problem.

Linux / Fedora sandboxing processes and filesystem changes

I think you are on the right track with Linux containers. The feature you want is a Union Mount, where processes see a layered filesystem, and write only to the top layer. Docker for example uses union mounts, but starts with a file system image as the lowest layer, not the native '/' fs of the host. So I beleive what you want to do is mount '/' into somewhere /var/mounts/xyzzy say, mount another filesystem on top using UnionFS, aufs or OverlayFS, then chroot the environment to /var/mounts/xyzzy so nothing escapes. This is all possible, though if you could find a way to use docker, say by building an image of with whatever files you need, you might be up and running a lot faster.

Best way to sandbox Apache on Linux

Chroot jails can be really insecure when you are running a complete sandbox environment. Attackers have complete access to kernel functionality and for example may mount drives to access the "host" system.

I would suggest that you use linux-vserver. You can see linux-vserver as an improved chroot jail with a complete debian installation inside. It is really fast since it is running within one single kernel, and all code is executed natively.

I personally use linux-vserver for seperation of all my services and there are only barely noticeable performance differences.

Have a look at the linux-vserver wiki for installation instructions.

regards, Dennis


Related Topics

How to Integrate Ajax With Django Applications

Difference Between Venv, Pyvenv, Pyenv, Virtualenv, Virtualenvwrapper, Pipenv, etc

Environment Variables When Script Run by Cron

How to Parse the Output of /Proc/Net/Dev into Key:Value Pairs Per Interface Using Python

Better Way to Script Usb Device Mount in Linux

Finding the Command for a Specific Pid in Linux from Python

How to See Pip Package Sizes Installed

Importerror: Libtk8.6.So: Cannot Open Shared Object File: No Such File or Directory

How to Return a Value from a Shell Script in a Python Script

Understanding Python Fork and Memory Allocation Errors

How to Import the Class Within the Same Directory or Sub Directory

How to Get a List of Locally Installed Python Modules

Read File with Timeout in Python

Python Convert Microsoft Office Docs to Plain Text on Linux

Python: What Are the Nearest Linux and Osx Equivalents of Winsound.Beep

How to Benchmark Part of Tensorflow Graph

Differencebetween C.Utf-8 and En_Us.Utf-8 Locales

Python Valueerror: Embedded Null Byte When Reading Png File from Bash Pipe


Leave a reply



Submit