Secure and Simple Sandboxing in SELinux

Similar documents
SELinux Sandbox. Daniel Walsh Red Hat

OS Security III: Sandbox and SFI

SELinux Updates. Thorsten Scherf Senior Consultant. Red Hat Global Professional Services Berlin / Germany

Operating system security models

Linux Kernel Security Overview

Secure Architecture Principles

Flatpak. Apps on the Linux desktop. Alexander Larsson Red Hat

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

Secure Architecture Principles

Secure Architecture Principles

Flatpak a technical walk-through. Alexander Larsson, Red Hat

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

Linux Kernel Security

Secure Software Programming and Vulnerability Analysis

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Advanced Systems Security: Ordinary Operating Systems

Singularity in CMS. Over a million containers served

THE ROUTE TO ROOTLESS

Overlayfs And Containers. Miklos Szeredi, Red Hat Vivek Goyal, Red Hat

Secure Architecture Principles

systemd integration and user management José Bollo

Landlock LSM: toward unprivileged sandboxing

HTCondor: Virtualization (without Virtual Machines)

A PRACTICAL INTRODUCTION TO CONTAINER SECURITY

Secure Architecture Principles

Tizen-Meta as Security and Connectivity Layers For Yocto Project

6.858 Final Project Writeup

Multi-tenancy Virtualization Challenges & Solutions. Daniel J Walsh Mr SELinux, Red Hat Date

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

SELinux. Daniel J Walsh SELinux Lead Engineer

SE Linux Implementation LINUX20

OPENSHIFT GEARS. How to run arbitrary code on you servers and still sleep at night. MIKE McGrath

SELinux Introduction. Jason Zaman FOSSASIA 2017 March 17th - 19th blog.perfinion.com

SELi He nux a dlin in F e edora 8 Dan N W am als e h Red D H a at te

Docker and Security. September 28, 2017 VASCAN Michael Irwin

6.858 Lecture 4 OKWS. Today's lecture: How to build a secure web server on Unix. The design of our lab web server, zookws, is inspired by OKWS.

X.org security. Recap, vulnerabilities, attacks and discussions on the graphic stack s security. Martin Peres & Timothée Ravier

SELinux: A New Approach to Secure Systems

Security Enhanced Linux

An Overview of Security in the FreeBSD Kernel. Brought to you by. Dr. Marshall Kirk McKusick

Chapter 2. Operating-System Structures

SysSec. Aurélien Francillon

Users Guide. Kerio Technologies

Running Classic Applications in a Confined Ecosystem. Larry Price

Namespaces and Capabilities Overview and Recent Developments

Linux Kernel Security Update LinuxCon Europe Berlin, 2016

CS197U: A Hands on Introduction to Unix

Application Virtualization and Desktop Security

Meet Crosswalk New HTML5 Runtime. Sakari Poussa Intel

Container Security. Daniel J Walsh Consulting Engineer Blog: danwalsh.livejournal.com

Container Security. Marc Skinner Principal Solutions Architect

File access-control per container with Landlock

2 SCANNING, PROBING, AND MAPPING VULNERABILITIES

Chapter 2: System Structures. Operating System Concepts 9 th Edition

KVM Forum Vancouver, Daniel P. Berrangé

Hacking and Hardening Kubernetes

seccomp-nurse Nicolas Bareil ekoparty 2010 EADS CSC Innovation Works France seccomp-nurse: sandboxing environment

Introduction to application framework

Maxoid: Transparently Confining Mobile Applications with Custom Views of State

General Access Control Model for DAC

Distribution Kernel Security Hardening with ftrace

4D WebSTAR V User Guide for Mac OS. Copyright (C) D SA / 4D, Inc. All rights reserved.

Chapter 2: Operating-System Structures

RBAC in Solaris 10. Darren J Moffat Staff Engineer, Networking & Security Sun Microsystems, Inc. 7 th October 2004

Advanced Systems Security: Securing Commercial Systems

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

Secure sandboxing solution for GNU/Linux

STING: Finding Name Resolution Vulnerabilities in Programs

Midterm Exam CPS 210: Operating Systems Spring 2013

Cross platform enablement for the yocto project with containers. ELC 2017 Randy Witt Intel Open Source Technology Center

Chapter 2: Operating-System Structures. Operating System Concepts 9 th Edition

Stanford CS193p. Developing Applications for ios. Fall Stanford CS193p. Fall 2011

Red Hat Enterprise Linux MRG Red Hat Network Satellite Red Hat Enterprise Virtualization JBoss Cloud

Manual File System Check Mac Os X 10.8

Security and privacy in your embedded systems

Linux Essentials. Smith, Roderick W. Table of Contents ISBN-13: Introduction xvii. Chapter 1 Selecting an Operating System 1

Advanced Systems Security: Ordinary Operating Systems

FreeBSD Advanced Security Features

Chapter 2: Operating-System Structures. Operating System Concepts 9 th Edit9on

, Inc

Containers and isolation as implemented in the Linux kernel

Confinement (Running Untrusted Programs)

Using GConf as an Example of How to Create an Userspace Object Manager

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Privilege Separation

Jeremy Allison Samba Team

I run a Linux server, so we re secure

NetIQ Advanced Authentication Framework - Virtual Desktop Authentication (VDA) Profile Editor. Administrator's Guide. Version 5.1.

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Improving User Accounting and Isolation with Linux Kernel Features. Brian Bockelman Condor Week 2011

How to make your application into a Flatpak

EECS Software Tools. Lab 2 Tutorial: Introduction to UNIX/Linux. Tilemachos Pechlivanoglou

System Configuration as a Privilege

SELinux Basics. Clint Savage Fedora Ambassador. Fedora Classroom November 9, 2008

Chapter 2: Operating-System Structures

Xcalar Installation Guide

Capsicum: Practical capabilities for UNIX. Anna Kornfeld Simpson & Venkatesh Srinivas

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

The Functionality-based Application Confinement Model

Transcription:

Secure and Simple Sandboxing in SELinux James Morris jmorris@namei.org FOSS.my 2009 Kuala Lumpur, Malaysia

Overview Sandboxing SELinux Sandbox design and implementation Use examples Status and future directions

Sandboxing Many types of sandbox Basic concept is to isolate code Process arbitrary input Run third party code Contain vulnerabilities For this talk: process-level sandbox

Existing Sandboxes Chroot, seccomp, ptrace etc., all problematic New design: setuid sandbox (Evans/Tiennes) Don't utilize MAC facilities (SELinux, Smack) Typically based around restricting ambient privilege

Sandboxing with MAC Utilize MAC (mandatory access control) to enhance sandboxing Layered approach: Process-level isolation (MMU) DAC separation (e.g. privsep, UID allocator) Namespaces / chroot etc. MAC isolation policy

Reduce Ambient Authority Security can be simplified by reducing ambient auhority. Consider: wc file.txt wc needs general read permission for the system & uses this 'ambient' authority to open file. cat file.txt wc cat opens the file and passes open fd to wc, bundling the object and authority together. Specific authority is delegated and wc now needs no permissions to access filesystem!

Usability Combining MAC policy with fd passing is conceptually simple for users: the latter follows standard Unix use conventions. Does not require policy administration Simple supplied policy which strongly isolates sandboxed apps Zero config High level abstraction: Simply run apps via a sandbox launcher Kiosk mode, svirt etc. are similar approaches

SELinux Implementation New sandbox label added to policy Has no general permissions, only those absolutely required to execute (e.g. load shared libraries, which can be further locked down if desired) sandbox launcher causes app to be executed with this label; I/O happens via fd Unique MCS label assigned to each instance for MAC isolation (cf. UID allocation both could be used) Sets up home & tmp dirs; copies in specified files; cleans up at exit

/usr/bin/sandbox Creates temporary sandbox directory Copies in specified files Sets up security labeling Executes specified application in sandbox Cleanup at exit

Basic Use $ /usr/bin/id -Z unconfined_t:c0.c1023 $ sandbox /usr/bin/id -Z sandbox_t:c533,c903 sandbox_t -- broad MAC policy for all sandboxes, isolate them from wider system c533,c903 -- unique MCS label to separate sandboxes from each other (actual value does not matter, just needs to be unique)

Demonstration $ touch /tmp/foo1 $ sandbox touch /tmp/foo2 /bin/touch: cannot touch `/tmp/foo2': Permission denied

Demonstration $ sandbox cat /proc/$$/maps /bin/cat: /proc/3034/maps: Permission denied

Advanced Uses Processing pipelines: Scanning mail for viruses, spam etc.; run each stage in a sandbox Packet dissectors, etc. Web application framework e.g. XSLT rendering, CGI handling Any case where a separate process can be launched and use fd for I/O

Desktop Security Difficult to sandbox desktop apps because of environment (X, GNOME, DBus etc.) complicated Sandbox X: Launch sandboxed applications in nested X server: simple and effective! Extends basic sandbox utility:

/usr/sbin/seunshare setuid program: unshare(2) dissasociates mount namespace bind mounts new $HOME and /tmp dirs calls setexeccon to set security label drops all capabilities calls sandboxx.sh

/usr/share/sandbox/sandboxx.sh Configures X environment Launches Xephyr nested X server runs matchbox window manager runs specified application everything runs with sandbox security label cleans up at exit Some limitations (currently): Cannot resize window No copy/paste

Current status SELinux Sandbox will be in Fedora 12 Currently available in rawhide

Demo

Future Directions Continued high-level integration, e.g. make it easy to run sandboxed web browsers Interaction issues to resolve, e.g. ask user to save changed data when exiting sandbox? Integration with XACE window labeling, hardware security etc. Use sandboxing to restrict administrative privilege

What we really need most... A standardized high-level API Developers / ISVs currently roll their own security or just give up Difficult, but can be done

Resources Dan Walsh's blog danwalsh.livejournal.com Dan Walsh's LPC talk http://video.linuxfoundation.org/video/1565 Dan Walsh's email address & cell phone dwalsh@redhat.com +1 212-555-4240

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback