In an attempt to implement proper network sandboxing for sydbox, I've added to sydbox the ability to deny only non-local connections. This is very basic right now: we check the sockaddr argument of connect(2) and bind(2) calls and use the net_localhost()¹ function to find out if it's local. This function needs some work; currently it only allows 127.0.0.1 and ::1 through. As always, patches are welcome.
Here's how it works:

3813 a...@harikalardiyari> grep -B1 network ../data/sydbox.conf
# whether sydbox should allow network connections
# One of allow, deny, local
network = local
3814 a...@harikalardiyari> sydbox -c ../data/sydbox.conf -- wget www.google.com
--2009-08-25 21:51:26--  http://www.google.com/
Resolving www.google.com... syd...@1251226286: Access Violation!
syd...@1251226286: Child Process ID: 28986
syd...@1251226286: Reason: connect{family=AF_INET, addr=192.168.0.1}
syd...@1251226286: Access Violation!
syd...@1251226286: Child Process ID: 28986
syd...@1251226286: Reason: connect{family=AF_INET, addr=192.168.0.1}
syd...@1251226286: Access Violation!
syd...@1251226286: Child Process ID: 28986
syd...@1251226286: Reason: connect{family=AF_INET, addr=192.168.0.1}
syd...@1251226286: Access Violation!
syd...@1251226286: Child Process ID: 28986
syd...@1251226286: Reason: connect{family=AF_INET, addr=192.168.0.1}
failed: Temporary failure in name resolution.
wget: unable to resolve host address `www.google.com'
** (sydbox:28...@1251226286) Message: eldest child 28986 exited with return code 1
3815 1 a...@harikalardiyari> sydbox -c ../data/sydbox.conf -- wget http://127.0.0.1
--2009-08-25 21:51:43--  http://127.0.0.1/
Connecting to 127.0.0.1:80... failed: Connection refused.
** (sydbox:29...@1251226303) Message: eldest child 29185 exited with return code 1
3816 1 a...@harikalardiyari>

As always, I've also added magic commands to control the behaviour. Here's how the paludis interface will look:

diff --git a/paludis/repositories/e/ebuild/ebuild.bash b/paludis/repositories/e/ebuild/ebuild.bash
index b552a79..d12ca1b 100755
--- a/paludis/repositories/e/ebuild/ebuild.bash
+++ b/paludis/repositories/e/ebuild/ebuild.bash
@@ -577,10 +577,26 @@ ebuild_main()
     for action in $@ ; do
         export ${PALUDIS_EBUILD_PHASE_VAR}="${action}"
         perform_hook ebuild_${action}_pre
+        # Restrict network access to local if running under sydbox
+        if [[ $action != unpack ]]; then
+            if sydboxcheck 2>/dev/null; then
+                sydboxcmd net/local || ebuild_notice "warning" "sydboxcmd net/local returned failure"
+            fi
+        fi
         if ! ${PALUDIS_F_FUNCTION_PREFIX:-ebuild_f}_${action} ; then
+            if [[ $action != unpack ]]; then
+                if sydboxcheck 2>/dev/null; then
+                    sydboxcmd net/allow || ebuild_notice "warning" "sydboxcmd net/allow returned failure"
+                fi
+            fi
             perform_hook ebuild_${action}_fail
             die "${action} failed"
         fi
+        if [[ $action != unpack ]]; then
+            if sydboxcheck 2>/dev/null; then
+                sydboxcmd net/allow || ebuild_notice "warning" "sydboxcmd net/allow returned failure"
+            fi
+        fi
         perform_hook ebuild_${action}_post
     done
 fi

Questions:

1. Do we want to check for system calls other than connect(2) and bind(2)?
2. Do we need some kind of network whitelisting, like whitelisting certain IP addresses? I'm not really sure if this is useful.
3. Currently we only support ipv4 and ipv6 sockets. Do we need support for other types of sockets, and if so, why?

So far so good, thanks for reading.

¹: http://github.com/alip/sydbox/blob/master/src/net.c

-- 
Regards,
Ali Polatel
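Review bot: in the ebuild_main() hunk the sydbox toggle is pasted three times (`if [[ $action != unpack ]]; then` / `if sydboxcheck 2>/dev/null; then` / `sydboxcmd net/... || ebuild_notice "warning" ...`); fold it into one helper that takes `net/local` or `net/allow` as its argument so the three call sites cannot drift apart and `sydboxcheck` is not re-run for every branch. Second, `sydboxcmd net/local || ebuild_notice "warning" "sydboxcmd net/local returned failure"` only warns when entering local mode fails, so that phase then runs under whatever network policy was in effect before it; if the restriction is meant as a sandbox guarantee rather than best effort, `die` there instead of warning, or at least word the two warnings so a log reader can tell a failed restrict from a failed restore. Minor, outside this change: the context line `for action in $@ ; do` is unquoted; `"$@"` is the safe form.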
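The post says the sockaddr check currently lets only 127.0.0.1 and ::1 through and "needs some work". The following is an added example, not sydbox's code and not the net_localhost() from src/net.c: it puts a strict rule modelled on that description next to a broader one that accepts the whole 127.0.0.0/8 block, ::1, and IPv4-mapped ::ffff:127.0.0.0/8 (the way an AF_INET6 socket reaches the IPv4 loopback), and denies a truncated sockaddr or a non-IP family rather than guessing. The function names (is_local_strict, is_local_loopback, make_sockaddr, check_strict, check_loopback) and the sample addresses are assumptions made for this example; the addresses from the log above are among the samples.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Strict rule, modelled on the post's description of net_localhost():
 * only exactly 127.0.0.1 and ::1 pass. Hypothetical name, not sydbox's code. */
int is_local_strict(const struct sockaddr *sa, socklen_t len)
{
    if (sa == NULL)
        return 0;
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        if (len < sizeof(*in4))           /* truncated sockaddr: deny */
            return 0;
        return ntohl(in4->sin_addr.s_addr) == INADDR_LOOPBACK;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        if (len < sizeof(*in6))
            return 0;
        return IN6_IS_ADDR_LOOPBACK(&in6->sin6_addr) ? 1 : 0;
    }
    return 0;                             /* other families: not IP-local */
}

/* Broader rule: all of 127.0.0.0/8, ::1, and IPv4-mapped ::ffff:127.0.0.0/8. */
int is_local_loopback(const struct sockaddr *sa, socklen_t len)
{
    if (sa == NULL)
        return 0;
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        if (len < sizeof(*in4))
            return 0;
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        if (len < sizeof(*in6))
            return 0;
        if (IN6_IS_ADDR_LOOPBACK(&in6->sin6_addr))
            return 1;
        if (IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr))
            return in6->sin6_addr.s6_addr[12] == 127; /* first IPv4 octet */
        return 0;
    }
    return 0;
}

/* Build a sockaddr from text (constructed test input); returns the
 * address length, or 0 if the text does not parse. */
socklen_t make_sockaddr(const char *text, struct sockaddr_storage *ss)
{
    memset(ss, 0, sizeof(*ss));
    if (strchr(text, ':') != NULL) {
        struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
        if (inet_pton(AF_INET6, text, &in6->sin6_addr) != 1)
            return 0;
        in6->sin6_family = AF_INET6;
        return sizeof(*in6);
    } else {
        struct sockaddr_in *in4 = (struct sockaddr_in *)ss;
        if (inet_pton(AF_INET, text, &in4->sin_addr) != 1)
            return 0;
        in4->sin_family = AF_INET;
        return sizeof(*in4);
    }
}

/* Evaluate one rule on a textual address: 1 local, 0 not local, -1 unparsable. */
int check_strict(const char *text)
{
    struct sockaddr_storage ss;
    socklen_t len = make_sockaddr(text, &ss);
    return len ? is_local_strict((struct sockaddr *)&ss, len) : -1;
}

int check_loopback(const char *text)
{
    struct sockaddr_storage ss;
    socklen_t len = make_sockaddr(text, &ss);
    return len ? is_local_loopback((struct sockaddr *)&ss, len) : -1;
}

int main(void)
{
    /* Constructed samples; 127.0.0.1 and 192.168.0.1 appear in the post's log. */
    static const char *samples[] = {
        "127.0.0.1", "127.0.0.2", "::1", "::ffff:127.0.0.1",
        "192.168.0.1", "::ffff:192.168.0.1"
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s strict=%d loopback=%d\n", samples[i],
               check_strict(samples[i]), check_loopback(samples[i]));
    return 0;
}
```

Running it shows where the two rules disagree: 127.0.0.2 and ::ffff:127.0.0.1 are denied by the strict rule and accepted by the loopback rule, while 192.168.0.1 (the address the log shows being refused) is denied by both. Either rule only looks at the address handed to connect(2) or bind(2), which is exactly the scope the post describes.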
_______________________________________________
Exherbo-dev mailing list
[email protected]
http://lists.exherbo.org/mailman/listinfo/exherbo-dev
