Secure and Simple Sandboxing in SELinux
Time: 15:45 - 16:30
Day: Friday 22 January 2010
Location: Renouf 2 (MFC)
This talk will introduce the SELinux Sandbox, a high-level mechanism for tightly confining arbitrary applications and isolating them from the rest of the system.
Sandboxing may be useful in several cases, including:
- Running untrusted code, as may be found in externally supplied packages or libraries;
- Processing sensitive information, such as credit card data;
- Processing data of arbitrary origin which may have been crafted to exploit software vulnerabilities, such as in image rendering code; and
- Ensuring that information entering or leaving a system is processed in a specific way, such as mail being filtered for malware and spam.
In all of these cases the requirement is conceptually simple: implement the principle of least privilege, so that the application can access only the resources it needs. This may limit the damage that an otherwise successful exploit can do.
A new sandbox security module has been implemented for SELinux. It lets users launch an application, with very little effort, inside a tightly confined sandbox that can communicate only via a file descriptor shared with the parent process (plus the few essential system resources needed to run at all). For example, the sandboxed application cannot open any file on the system or use the network.
The user does not need to know or write any SELinux policy; it just works.
This talk will provide a technical overview of the scheme, demonstrate its use, and discuss how the concept can be extended to address more complex scenarios such as web browsers and the desktop environment in general.
James Morris is a Linux kernel developer from Sydney, Australia. He is the Linux kernel security maintainer; author of the kernel Crypto API; and a contributor to the SELinux, LSM, Netfilter and IPsec projects.