Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758126AbaAJTwq (ORCPT ); Fri, 10 Jan 2014 14:52:46 -0500 Received: from forward1m.mail.yandex.net ([37.140.138.1]:55394 "EHLO forward1m.mail.yandex.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752235AbaAJTwo (ORCPT ); Fri, 10 Jan 2014 14:52:44 -0500 From: Victor Porton Envelope-From: porton@yandex.ru To: Joshua Brindle Cc: "selinux@tycho.nsa.gov" , "linux-kernel@vger.kernel.org" In-Reply-To: <52D04C59.20406@quarksecurity.com> References: <1171389381947@web15m.yandex.ru> <52D04C59.20406@quarksecurity.com> Subject: Re: Create new NetFilter table MIME-Version: 1.0 Message-Id: <25561389383560@web15m.yandex.ru> X-Mailer: Yamail [ http://yandex.ru ] 5.0 Date: Fri, 10 Jan 2014 21:52:40 +0200 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=koi8-r Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 10.01.2014, 21:39, "Joshua Brindle" : > Victor Porton wrote: > >> ?I propose to create a new NetFilter table dedicated to rules created programmatically (not by explicit admin's iptables command). >> >> ?Otherwise an admin could be tempted to say `iptables -F security` which would probably break rules created for example by sandboxing software (which may follow same-origin policy to restrict one particular program to certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)? >> >> ?New table could be possibly be called: >> >> ?- temp >> ?- temporary >> ?- auto >> ?- automatic >> ?- volatile >> ?- daemon >> ?- system >> ?- sys >> >> ?In iptables docs it should be said that this table should not be manipulated manually. > > Is it possible that the solution to your sandboxing problem is seccomp > filter? > > http://outflux.net/teach-seccomp/ > > You'd filter out any syscall that can make outbound connections and then > only pass already opened sockets to the sandboxed threads? > > seccomp filter was actually created for sandboxing, so that user > applications could voluntarily shed the ability to call certain syscalls > before handling untrusted data. seccomp would not work for me, because I need network enabled sandboxes. Moreover we should be able to filter out certain subnets such as 127.0.0.0/255.0.0.0 (and others), This cleanly can't be done with seccomp. -- Victor Porton - http://portonvictor.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/