tech-kern archive


Re: firefox sandboxing




> On May 14, 2018, at 6:38 AM, Thomas Klausner <tk%giga.or.at@localhost> wrote:
> 
> We already support chroot(2). Are user namespaces
> (http://man7.org/linux/man-pages/man7/user_namespaces.7.html - looks
> like capabilities) something that would be good to have for NetBSD?


IMO, chroot(2) is a pretty poor way to do sandboxing.  For everything that you want to sandbox with chroot(2), you essentially have to duplicate-and-strip the standard run-time environment for that application / daemon / whatever.

I may be biased, but I think a nicer way to do this stuff is along the lines of what macOS does … wrapping an expressive language around Mandatory Access Controls (called a sandbox profile), which provides restrictions on file system access, network access, other-pid access, etc.  There is an inheritance model for these profiles (for any spawned / forked children), and a way for an unrestricted process to adopt a profile at run-time to restrict itself.

For other things that aren’t typically granted by default, there is another thing called an “entitlement” that’s part of the program’s code signature that grants special privileges that wouldn’t be granted to even root under usual circumstances.

The two things are distinct, but using them together can be extremely powerful to provide tightly controlled specific-privilege escalation when necessary.

-- thorpej
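As an added illustration of the kind of profile thorpej is describing (this is not from the original post, and NetBSD has no such facility today), here is a sandbox profile in the Scheme-like language macOS uses (SBPL), for a hypothetical program called "fetcher" that only needs to read one config file, write to a scratch directory, talk HTTPS to the outside and exec one helper. The library paths, the helper path, the Mach service name and the parameter names are assumptions for the example; the operations used (file-read*, file-write*, network-outbound, process-exec, signal, mach-lookup) are the real SBPL ones.

```scheme
;; Added example profile (fetcher.sb), not code from the original post.
;; Default-deny profile for a hypothetical "fetcher" program.
(version 1)

;; Anything not explicitly allowed below is refused (and logged).
(deny default)

;; Run-time environment every dynamically linked program needs: shared
;; libraries, frameworks, ICU data, /dev/null and a randomness source.
;; The exact paths are an assumption for this example.
(allow file-read*
       (subpath "/usr/lib")
       (subpath "/System/Library/Frameworks")
       (subpath "/System/Library/PrivateFrameworks")
       (subpath "/usr/share/icu")
       (literal "/dev/null")
       (literal "/dev/urandom"))
;; stat(2)-style metadata lookups anywhere, but no content reads.
(allow file-read-metadata)

;; Program-specific reads: the config file is passed in by the launcher
;; as a parameter (sandbox-exec -D CONFIG=/path/to/fetcher.conf ...).
(allow file-read* (literal (param "CONFIG")))

;; The only writable location is the scratch directory, also a parameter.
(allow file-read*  (subpath (param "SCRATCH")))
(allow file-write* (subpath (param "SCRATCH")))

;; Network: outbound TCP to port 443 only.  The explicit denies are
;; redundant under (deny default) but state the intent for the reader.
(allow network-outbound (remote tcp "*:443"))
(deny  network-inbound)
(deny  network-bind)

;; Other-pid access: the process may signal only itself.
(allow signal (target self))

;; It may fork and exec exactly one helper (path is an assumption).  The
;; child inherits this same profile, so the allowances above bound it too;
;; a helper cannot escape by being a different binary.
(allow process-fork)
(allow file-read*   (literal "/usr/local/libexec/fetcher-helper"))
(allow process-exec (literal "/usr/local/libexec/fetcher-helper"))

;; Minimal kernel and Mach access needed to start up and log.
(allow sysctl-read)
(allow mach-lookup (global-name "com.apple.system.logger"))
```

Launching it as `sandbox-exec -D CONFIG=/etc/fetcher.conf -D SCRATCH=/tmp/fetcher -f fetcher.sb /usr/local/bin/fetcher` applies the profile from the outside; a process that wants to restrict itself after it has opened its privileged resources can instead adopt a profile at run time through sandbox_init(3), which is the call behind sandbox-exec (Apple marks both as deprecated in favour of the App Sandbox entitlements, but they still work). Note what the profile does not have to do: unlike a chroot, it never copies libraries or device nodes into a private tree; it simply names, in place, the parts of the normal run-time environment the program is allowed to touch.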


