Jared W. Robinson wrote:

On Tue, Mar 09, 2004 at 07:12:35PM -0500, Bill Cheswick wrote:
One of the things I'd like to see in Linux and Windows is better sandboxing
of user-level programs, like Outlook and the browsers. There have
been a number of approaches proposed over the years, and numerous papers, but
I haven't seen anything useful deployed widely on any of these platforms.
I agree with the sandboxing idea. We're seeing it used more on the server side, but the desktop arena isn't as far along.

Seems to me that the average user application doesn't need to open
TCP/UDP ports for listening. Attack bots tend to do this kind of thing.
Perhaps SELinux could be used to define a rule set that would restrict
desktop applications' access to resources such as the filesystem,
network, etc.
Note that I don't know what the scope of SELinux is, or how it works.

This is exactly what Immunix SubDomain does: define the files and network activities that each program may access. We use regular expressions to specify policy, so for instance, fingerd could be permitted to read /home/*/.plan and not read anything else.

Below my sig (apparently an attachment with a name infix of ".lib" causes a lot of AV filters to freak out) is a sample SubDomain profile for Mozilla 1.4. It gives read and execute access to a long list of library and configuration files that Mozilla needs, and then home directory access to things like "/home/*/tmp/**" so that you can store whatever you want into your personal temp directory, but Mozilla gone mad does not have total write access to your entire home directory. The "*" notation means "a single path element" while "**" means an arbitrary number of path elements, i.e. a tree.

Most OSS software also doesn't "phone home" (unlike software in the
Windows world). Only pre-installed apps should be allowed network
communication under normal circumstances. So if your desktop noticed
that an unknown app (one run from the user's home directory or from
/tmp) tries to communicate with a remote site, it would deny the action
by default -- or at least slow the application's communication down so
that worms would spread more slowly, and could be contained.

SubDomain also has the ability to control network access, so you can specify rules about what network connections an application should be making. However, that is a bit challenging in a web browser: you want the web browser to be able to make TCP connections to port 80 on just about any server, so how can you prevent it from "phoning home" by just quietly making some web connections? Even DNS requests are sufficient for an effective "phone home": for example, a DNS lookup for "users-personal-information.evilbigcorp.com" would report "users-personal-information" to Evil Big Corp's DNS server.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/

-----
# Copyright(c) Immunix Inc., 2004
# $Id: usr.lib.mozilla-1.4.mozilla-bin,v 1.10 2003/12/11 21:03:33 sarnold Exp $
#
/usr/lib/mozilla-1.4/mozilla-bin {
/bin/netstat rx ,
/bin/bash rx ,
/dev/log w ,
/dev/null rw ,
/dev/mixer* rw ,
/dev/dsp rw ,
/dev/urandom rw ,
/dev/random rw ,
/dev/pts/* rw ,
/dev/tty rw ,
/etc/esd.conf r ,
/etc/fstab r ,
/etc/gtk/* r,
/etc/hosts r ,
/etc/host.conf r ,
/etc/ld.so.cache r ,
/etc/ld.so.conf r ,
/etc/localtime r ,
/etc/mailcap r ,
/etc/mime.types r ,
/etc/mtab r ,
/etc/resolv.conf r ,
/etc/passwd r ,
/etc/pluggerrc r,
/etc/nsswitch.conf r ,
/etc/X11/fs/config r ,
/home/*/.mozilla/** rwl,
/home/*/.Xauthority r,
/home/*/.Xdefaults r,
/home/*/.gtkrc r,
/home/*/.mailcap r,
/home/*/.mime.types r,
/home/*/tmp r,
/home/*/tmp/** rwl,
/lib/ld-*.so rx,
/lib/lib*.so* r,
/proc/net r ,
/proc/net/appletalk r ,
/proc/net/dev r ,
/proc/net/ipx r ,
/proc/net/unix r ,
/proc/meminfo r ,
/proc/sys/kernel/version r ,
/usr/X11R6/bin/gv rx ,
/usr/bin/plugger rx ,
/usr/bin/xpdf rx ,
/usr/lib/gconv/gconv-modules* r,
/usr/lib/gconv/*.so r,
/usr/lib/gtk/themes/** r,
/usr/lib/flash-plugin/* r,
/usr/lib/lib*.so* r,
/usr/lib/locale/** r,
/usr/lib/mozilla-1.[1-9]/** r,
/usr/lib/mozilla/** r,
/usr/lib/netscape/** r,
# let mozilla read package documentation
/usr/share/doc/** r,
/usr/share/locale/** r,
/usr/share/themes/** r,
/usr/share/zoneinfo/** r,
/usr/share/fonts/** r,
/usr/X11R6/bin/xmessage rx,
/usr/X11R6/lib/lib*.so* r,
/usr/X11R6/lib/X11/locale/** r,
/usr/X11R6/lib/X11/fonts/** r,
/var/run/.nscd_socket rw ,
/var/tmp r ,
/var/tmp/* rwl ,
/tmp r ,
/tmp/.esd/socket rw ,
/tmp/.X11-unix/* rw,
/tmp/* rwl ,
}