[Exherbo-dev] Proper network sandboxing

Ali Polatel polatel at gmail.com
Tue Aug 25 19:57:03 BST 2009


In an attempt to implement proper network sandboxing for sydbox, I've
added to sydbox the ability to deny only non-local connections. This is
very basic right now: we check the sockaddr argument of connect(2) and
bind(2) calls and use the net_localhost()¹ function to find out if it's
local. This function needs some work; currently it only allows 127.0.0.1
and ::1 through. As always, patches are welcome.

Here's how it works:
3813 alip at harikalardiyari> grep -B1 network ../data/sydbox.conf

# whether sydbox should allow network connections
# One of allow, deny, local
network = local
3814 alip at harikalardiyari> sydbox -c ../data/sydbox.conf -- wget www.google.com
--2009-08-25 21:51:26--  http://www.google.com/
Resolving www.google.com... sydbox at 1251226286: Access Violation!
sydbox at 1251226286: Child Process ID: 28986
sydbox at 1251226286: Reason: connect{family=AF_INET, addr=192.168.0.1}
sydbox at 1251226286: Access Violation!
sydbox at 1251226286: Child Process ID: 28986
sydbox at 1251226286: Reason: connect{family=AF_INET, addr=192.168.0.1}
sydbox at 1251226286: Access Violation!
sydbox at 1251226286: Child Process ID: 28986
sydbox at 1251226286: Reason: connect{family=AF_INET, addr=192.168.0.1}
sydbox at 1251226286: Access Violation!
sydbox at 1251226286: Child Process ID: 28986
sydbox at 1251226286: Reason: connect{family=AF_INET, addr=192.168.0.1}
failed: Temporary failure in name resolution.
wget: unable to resolve host address `www.google.com'
** (sydbox:28962 at 1251226286) Message: eldest child 28986 exited with return code 1
3815 1 alip at harikalardiyari> sydbox -c ../data/sydbox.conf -- wget http://127.0.0.1
--2009-08-25 21:51:43--  http://127.0.0.1/
Connecting to 127.0.0.1:80... failed: Connection refused.
** (sydbox:29161 at 1251226303) Message: eldest child 29185 exited with return code 1
3816 1 alip at harikalardiyari>

As always, I've also added magic commands to control the behaviour.
Here's what the paludis interface will look like:

diff --git a/paludis/repositories/e/ebuild/ebuild.bash b/paludis/repositories/e/ebuild/ebuild.bash
index b552a79..d12ca1b 100755
--- a/paludis/repositories/e/ebuild/ebuild.bash
+++ b/paludis/repositories/e/ebuild/ebuild.bash
@@ -577,10 +577,26 @@ ebuild_main()
         for action in $@ ; do
             export ${PALUDIS_EBUILD_PHASE_VAR}="${action}"
             perform_hook ebuild_${action}_pre
+            # Restrict network access to local if running under sydbox
+            if [[ $action != unpack ]]; then
+                if sydboxcheck 2>/dev/null; then
+                    sydboxcmd net/local || ebuild_notice "warning" "sydboxcmd net/local returned failure"
+                fi
+            fi
             if ! ${PALUDIS_F_FUNCTION_PREFIX:-ebuild_f}_${action} ; then
+                if [[ $action != unpack ]]; then
+                    if sydboxcheck 2>/dev/null; then
+                        sydboxcmd net/allow || ebuild_notice "warning" "sydboxcmd net/allow returned failure"
+                    fi
+                fi
                 perform_hook ebuild_${action}_fail
                 die "${action} failed"
             fi
+            if [[ $action != unpack ]]; then
+                if sydboxcheck 2>/dev/null; then
+                    sydboxcmd net/allow || ebuild_notice "warning" "sydboxcmd net/allow returned failure"
+                fi
+            fi
             perform_hook ebuild_${action}_post
         done
     fi
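Review bot: the post-phase and on-failure branches issue `sydboxcmd net/allow` unconditionally, which widens network access after every non-unpack phase rather than restoring whatever setting sydbox was started with; with `network = deny` in sydbox.conf this leaves the sandbox more permissive after the first phase than before it, so consider saving the prior mode and restoring that instead of forcing `net/allow`. The same `if [[ $action != unpack ]]; then if sydboxcheck 2>/dev/null; then sydboxcmd ... || ebuild_notice ...` block is also repeated three times with only the mode differing; a small helper taking the mode as its argument would keep the three call sites in sync, and it is worth deciding whether a failed `sydboxcmd net/local` should only warn, since the phase then runs with the network unrestricted.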

Questions:
1. Do we want to check for system calls other than connect(2) and
   bind(2)?
2. Do we need some kind of network whitelisting, like whitelisting
   certain IP addresses? I'm not really sure if this is useful.
3. Currently we only support IPv4 and IPv6 sockets. Do we need support
   for other types of sockets, and if so, why?

So far so good, thanks for reading.

¹: http://github.com/alip/sydbox/blob/master/src/net.c

-- 
Regards,
Ali Polatel
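As an added example, not part of this mail or of sydbox's own net.c: a net_localhost()-style check in C that goes beyond the exact 127.0.0.1 / ::1 test described above, accepting the whole 127.0.0.0/8 loopback block and IPv4-mapped IPv6 loopback (::ffff:127.x.y.z), which a dual-stack AF_INET6 socket can hand to connect(2) and which an exact-match test would wrongly deny. net_localhost_str() is a hypothetical helper for parsing textual addresses, not a sydbox function.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* ::1 and the ::ffff:0:0/96 prefix of IPv4-mapped addresses, as raw bytes */
static const unsigned char ip6_loopback[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
static const unsigned char v4mapped_prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};

/* Return 1 if sa is a loopback address, 0 otherwise. Unknown address
 * families are reported as non-local so that "deny" stays the default. */
int net_localhost(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
        /* 127.0.0.0/8: first octet in host byte order is 127 */
        return (ntohl(in->sin_addr.s_addr) >> 24) == 127;
    }
    if (sa->sa_family == AF_INET6) {
        const unsigned char *b = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
        if (memcmp(b, ip6_loopback, 16) == 0)
            return 1;                           /* ::1 */
        if (memcmp(b, v4mapped_prefix, 12) == 0)
            return b[12] == 127;                /* ::ffff:127.x.y.z */
    }
    return 0;
}

/* Hypothetical text-address front end for callers and tests: parses with
 * inet_pton() and runs the check; returns -1 if text is not an address
 * of the given family. */
int net_localhost_str(int family, const char *text)
{
    struct sockaddr_storage ss;
    memset(&ss, 0, sizeof ss);
    ss.ss_family = family;
    if (family == AF_INET) {
        if (inet_pton(AF_INET, text, &((struct sockaddr_in *)&ss)->sin_addr) != 1)
            return -1;
    } else if (family == AF_INET6) {
        if (inet_pton(AF_INET6, text, &((struct sockaddr_in6 *)&ss)->sin6_addr) != 1)
            return -1;
    } else {
        return -1;
    }
    return net_localhost((const struct sockaddr *)&ss);
}
```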