On Tue, Sep 5, 2017 at 2:32 PM, Denis Solonkov <solonko...@google.com> wrote:
> Hi Simon,
>
>
> As part of my Google summer internship project I have implemented a sandbox
> for dnsmasq, based on Linux seccomp-bpf and mount namespace, with tests and
> documentation.
>
> Such a sandbox provides defense in depth to dnsmasq, by restricting what files
> it can access and which syscalls it can make, in case remote code execution
> vulnerabilities are discovered in dnsmasq.
>
> Would you be interested in reviewing my patches and maybe integrating them in
> dnsmasq?
>
> Please find attached my patch against master head, but let me know if there
> is another way for us to review and discuss the change.
>
>

The project is interesting. May I suggest looking into privilege
separation such as what OpenBSD has been doing before applying the
sandbox?

http://quigon.bsws.de/papers/aalborg2009/mgp00043.html

Also, maybe look at unbound, which has a privilege separation design as well.

Have a look at OpenBSD's imsg framework which is light and easy to port:

http://man.openbsd.org/imsg_init

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
