Presentation is loading. Please wait.

Presentation is loading. Please wait.

SELinux Sandbox Daniel Walsh Red Hat. What is a sandbox ➔ Run general applications in a locked down environment. ➔ Less privileged then other processes.

Published byMegan Turner Modified over 8 years ago

Similar presentations

Presentation on theme: "SELinux Sandbox Daniel Walsh Red Hat. What is a sandbox ➔ Run general applications in a locked down environment. ➔ Less privileged then other processes."— Presentation transcript:

1 SELinux Sandbox Daniel Walsh Red Hat

2 What is a sandbox ➔ Run general applications in a locked down environment. ➔ Less privileged then other processes run by the user. ➔ Block Networking ➔ Block Access to other Processes ➔ Block Access to files, homedir? ➔ Block Access to resources like X, dbus ➔ Run untrusted applications or filters on untrusted data.

3 Vulnerabilities ➔ Allow filtering tools to read untrusted content. ➔ Vulnerability in a filtering tools can allow content to cause the application to do bad things. ➔ tcpdump vulnerability CVE-2007-3798 ➔ 'A flaw was discovered in the BGP dissector of tcpdump. Remote attackers could send specially crafted packets and execute arbitrary code with user privileges. “ ➔ Web Browser Vulnerabilities

4 Examples of sandboxes ➔ chroot ➔ sftp ➔ bind-chroot ➔ /usr/lib64/chromium-browser/chrome- sandbox ➔ OLPC/bitfrost – Namepacing, UID separation ➔ Java sandbox ➔ SELinux xguest – Confined users

5 SELinux ➔ Standard SELinux is difficult to use on random applications. ➔ Transitions process to locked down environment. ➔ Policy needs to be written. ➔ Somewhat hard coded. ➔ Does not lend it self easily to scripting. ➔ If you run two processes with the same type, they can attack each other.

6 Standard SELinux Sandbox ➔ Execution any app within SELinux Confinement ➔ Blocks “Open” call ➔ Allows read/write on inherited file descriptors. ➔ Temporary storage allowed # sesearch --allow -s sandbox_t -p open -c file | grep write allow sandbox_t sandbox_t : file { ioctl read write getattr lock append open } ; allow sandbox_t sandbox_file_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ; ➔ cat untrusted.txt | sandbox filter > trusted.txt

7 Standard SELinux Sandbox ➔ Uses MCS Labels for separation ➔ Based on same technology as svirt/libvirt ➔ Apps have same types/access but can not interact. ➔ Excellent for scripting ➔ Pipe apps read stdin/write stdout ➔ Confinement of grid jobs ➔ Wrap grid jobs in sandbox wrapper

8 Confinement of Grid Jobs ➔ Allow administrator to Wrap grid jobs in sandbox wrapper. ➔ grid job can run on machines ➔ Can not attack machine ➔ Can not launch attacks on other machines. import os, sys SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']] SANDBOX_ARGS.extend(sys.argv[1::]) os.execv('/usr/bin/sandbox',SANDBOX_ARGS)

9 What about the desktop? ➔ How do I confine acroread? ➔ Large communications paths ➔ X Server ➔ File System ➔ Home Directory ➔ /tmp ➔ gconf ➔ Dbus

10 /usr/bin/sandbox ➔ Setup File System ➔ Creates new directories in $HOME and /tmp ➔ Select random MCS label (MCS1) ➔ Label directories sandbox_file_t:MCS1 ➔ Copy executable/input files to homedir & /tmp. ➔ Create.sandboxrc in homedir with command ➔ Execute new utility seunshare ➔ seunshare [ -t tmpdir ] [ -h homedir ] -- CONTEXT sandboxX.sh [args] ➔ Delete temporary $HOME & /tmp

11 /usr/sbin/seunshare ➔ C Setuid Program ➔ unshare ➔ Disassociate the mount namespace ➔ mount ➔ bind mount new $HOME and /tmp ➔ setexeccon ➔ Set the Selinux context to run the command ➔ Drop all capabilities ➔ exec /usr/share/sandbox/sandboxX.sh

12 Sandbox X Components ➔ Xephyr ➔ Xace does not work ➔ Xace good for MLS but not for Type Enforcement ➔ X Applications expect full access to X server and die when denied any access ➔ Every sandbox app gets its own X Server ➔ Window Manager ➔ Need window manager to run app with full screen ➔ Matchbox-window-manager ➔ Optional flag -W metacity ➔ sandbox -X -t sandbox_web_t -W metacity firefox

13 Application ➔ Gnome/GTK apps create content on the fly ➔ Firefox creates a new.mozilla dir etc.

14 SELinux Policy ➔ sandbox_xserver_t ➔ Default type sandbox_x ➔ sandbox_x_t ➔ Only Print Networking, No Setuid, very little privileges ➔ sandbox_x_file_t ➔ sandbox_web - Connect to apache ports ➔ sandbox_net - Connect to all ports ➔ sandbox_x_domain_template(sandbox_apache)

15 sandbox -X ➔ Problems ➔ Window can not resize ➔ Xephyr on Fedora does not support resize, Patched fix in RHEL6 ➔ Rootless X Server ➔ No Cut and Paste ➔ User confusion ➔ You don't want to write a document while in a sandbox

16 sandbox -X ➔ Future ➔ MLS? ➔ Save sandbox dir?

Download ppt "SELinux Sandbox Daniel Walsh Red Hat. What is a sandbox ➔ Run general applications in a locked down environment. ➔ Less privileged then other processes."

Similar presentations

Introduction to Computers Section 6A. home The Operating System (OS) The operating system (OS) is software that controls the interaction between hardware.

Introduction to Computers Section 6A. home The Operating System (OS) The operating system (OS) is software that controls the interaction between hardware.
File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
Linux, it's not Windows A short introduction to the sub-department's computer systems Gareth Thomas.

Linux, it's not Windows A short introduction to the sub-department's computer systems Gareth Thomas.
CWE-732 Incorrect Permission Assignment for Critical Resource

CWE-732 Incorrect Permission Assignment for Critical Resource
GNU/Linux Filesystem 1 st AUT GNU/Linux Festival Computer Engineering & IT Department Bahador Bakhshi.

GNU/Linux Filesystem 1 st AUT GNU/Linux Festival Computer Engineering & IT Department Bahador Bakhshi.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 8 Introduction to Printers in a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 8 Introduction to Printers in a Windows Server 2008 Network.
2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.

2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Controlling Files Richard Newman based on Smith “Elementary Information Security”

Controlling Files Richard Newman based on Smith “Elementary Information Security”
Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.

Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.
Unix Basics Chapter 4.

Unix Basics Chapter 4.
CHAPTER FOUR COMPUTER SOFTWARE.

CHAPTER FOUR COMPUTER SOFTWARE.
1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.

1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.
Chapter 13 Users, Groups Profiles and Policies. Learning Objectives Understand Windows XP Professional user accounts Understand the different types of.

Chapter 13 Users, Groups Profiles and Policies. Learning Objectives Understand Windows XP Professional user accounts Understand the different types of.
Client – Server Application Can you create a client server application: The server will be running as a service: does not have a GUI The server will run.

Client – Server Application Can you create a client server application: The server will be running as a service: does not have a GUI The server will run.
Module 6 – Redirections, Pipes and Power Tools.. STDin 0 STDout 1 STDerr 2 Redirections.

Module 6 – Redirections, Pipes and Power Tools.. STDin 0 STDout 1 STDerr 2 Redirections.
CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.

CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.
CHAPTER Creating and Managing Users and Groups. Chapter Objectives Explain the use of Local Users and Groups Tool in the Systems Tools Option to create.

CHAPTER Creating and Managing Users and Groups. Chapter Objectives Explain the use of Local Users and Groups Tool in the Systems Tools Option to create.

Similar presentations

Ads by Google