1
Application Sandboxing with systemd
Containers and wayland and kdbus, oh my!
2
kdbus
Domain - fs mount
Bus - named object inside a domain used to exchange messages
Endpoint - access point onto a bus - every bus gets a default endpoint
Skip - connection, pool, well-known name, message, item
Policy - set of rules defining which connections can see, talk to or own a well-known name; attached to an endpoint. Endpoint policy is set on creation, but can be updated.
Privileged - CAP_IPC_OWNER
Lifetimes:
domain - mount lifetime
bus - control fd used for KDBUS_CMD_BUS_MAKE
endpoint - fd used for KDBUS_CMD_ENDPOINT_MAKE
3
Endpoint policy - Authorisation
Anyone can make a bus - the only person you can harm is yourself! Only the bus owner or a privileged user can create an endpoint. Connecting to an endpoint: is that just a question of whether you have file system access? For example, a set of policy rules may look like this:
4
Endpoint policy
KDBUS_ITEM_NAME: str='org.foo.bar'
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, id=1000
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=TALK, id=1001
KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=SEE
KDBUS_ITEM_NAME: str='org.blah.baz'
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, id=0
KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=TALK
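To make the rule set above concrete, here is a small model (an added example, not kdbus or systemd code) that parses those KDBUS_ITEM lines and answers whether a given uid may SEE, TALK to or OWN a name. It assumes the three access levels form a hierarchy (OWN implies TALK implies SEE) and that a name with no rules is denied, i.e. the policy is a whitelist; GROUP rules are not modelled.

```python
"""Model of kdbus endpoint policy: parse the rules shown on the slide and
answer 'may uid X see / talk to / own name N?' (added example, not kdbus code)."""
import re
# Access levels are a hierarchy: OWN implies TALK, TALK implies SEE (modelled as numbers).
LEVEL = {"SEE": 1, "TALK": 2, "OWN": 3}
NAME_RE = re.compile(r"KDBUS_ITEM_NAME: str='([^']+)'")
ACCESS_RE = re.compile(r"KDBUS_ITEM_POLICY_ACCESS: type=(\w+), access=(\w+)(?:, id=(\d+))?")

def parse_policy(text):
    """Return {name: {"world": level, "users": {uid: level}}} from the textual rules."""
    policies, current = {}, None
    for line in text.strip().splitlines():
        if m := NAME_RE.match(line.strip()):
            current = policies.setdefault(m.group(1), {"world": 0, "users": {}})
        elif m := ACCESS_RE.match(line.strip()):
            if current is None:
                raise ValueError("policy access item before any name item")
            kind, access, uid = m.groups()
            if kind == "WORLD":
                current["world"] = max(current["world"], LEVEL[access])
            elif kind == "USER":
                users = current["users"]
                users[int(uid)] = max(users.get(int(uid), 0), LEVEL[access])
            else:
                raise ValueError(f"unsupported policy type {kind}")  # GROUP not modelled
        else:
            raise ValueError(f"unrecognised rule: {line!r}")
    return policies

def allowed(policies, uid, name, access):
    """Whitelist semantics: a name with no rules at all is denied to everyone."""
    pol = policies.get(name)
    if pol is None:
        return False
    return max(pol["world"], pol["users"].get(uid, 0)) >= LEVEL[access]

# The two rule sets from the slide, copied verbatim.
SLIDE_RULES = """
KDBUS_ITEM_NAME: str='org.foo.bar'
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, id=1000
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=TALK, id=1001
KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=SEE
KDBUS_ITEM_NAME: str='org.blah.baz'
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, id=0
KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=TALK
"""

if __name__ == "__main__":
    policy = parse_policy(SLIDE_RULES)
    for uid, name, access in [(1001, "org.foo.bar", "OWN"), (4242, "org.foo.bar", "TALK")]:
        print(uid, access, name, allowed(policy, uid, name, access))
```

Run as a script it shows that uid 1001 can talk to org.foo.bar but not own it, and that an arbitrary uid can only see it.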
5
systemd
Remember that bus lifetime is tied to the fd you used to create the bus? So the root systemd is the owner of the system bus; when you do a user login you get a user systemd that creates and owns the user bus.
Custom endpoints
Currently the only way to make an endpoint is to use a unit to launch a system service; you can create a custom endpoint for that service to use and attach a policy to it.
6
BusPolicy
BusPolicy=org.freedesktop.systemd1 talk
BusPolicy=org.foo.bar see
BusPolicy=org.foo.baz own
7
The tricky bit
I've put together a patchset for systemd-nspawn, but Alex Larsson has gnome-sdk-helper in gnome-sdk, which is a real minimal container: it just limits namespaces and does some nosuid,nodev bind mounts and some fiddly bits for the home directory, pulseaudio, XDG, dbus and X11. Maybe it should be a systemd template service? Lennart eventually wants it to be like the new approach for Desktop file handling - using bus activation? Needs more discussion, but I'll probably just submit the patchset for nspawn anyhow (once it's rebased and cleaned up) and see where the discussion goes.
8
Wayland
Currently wayland-drm pretty much requires that clients can open /dev/dri/card0. This is bad for a number of reasons:
1) Security issues with the card0 interface - flink is insecure - buffer names leak information and can allow clients to access each other's buffers (as I understand it!)
2) We need to bind-mount /dev/dri into the container - ideally we only want it to have access to dummy devices
3) It mixes up the display controller (mode setting) and renderers (GL), e.g. Tegra, multi-card systems
Render nodes - /dev/dri/renderD<num> - these are the cool ones: dma-buf, no flink, separate the display controller from rendering - no modesetting, no DRI-auth, no legacy pre-KMS - ask David Herrmann...
Daniel Stone has suggested we extend the wayland-drm protocol to allow the compositor to open the fd to a render node and pass this fd to the client. This would be perfect.
9
Pulseaudio? Sound
So much to do; the ideal way forward here is for pulseaudio to use kdbus for everything. Stream over kdbus? No reason why not. Policy is tricky - record from the microphone? How to do the interaction well, and how to support doing the interaction well. Limit background apps. Lots to do yet!
10
Questions?
11
Links
http://www.freedesktop.org/wiki/Software/systemd/
GimpNet - #gnome-os
Freenode - #systemd, #kdbus
12
Copyright
Bright Eyes © originalpozer @flickr
Uh oh © Daniel
German police dog © Brian Oh
Ceiling Cat - I worship thee © Katrine
Sad dog eyes - Patches
Momma's Little Hipster DJ Norman © Ana Belén
Topanga, hat model