From: Rémi Denis-Courmont
Organization: Remlab.net
To: Michael Stone
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen, David Lang, Oliver Hartkopp, Alan Cox, Herbert Xu, Valdis Kletnieks, Bryan Donlan, Evgeniy Polyakov, C. Scott Ananian, James Morris, Eric W. Biederman, Bernie Innocenti, Mark Seaborn
Subject: Re: Network isolation with RLIMIT_NETWORK, cont'd.
Date: Sun, 13 Dec 2009 10:32:20 +0200
In-Reply-To: <20091213034418.GA4416@heat>
Message-Id: <200912131032.24251.remi@remlab.net>

Hello,

On Sunday 13 December 2009 05:44:18, Michael Stone wrote:
> You were all meant to be included on the CC-list for the letter and patches
> which I just sent to lkml:
>
> http://lkml.org/lkml/2009/12/12/149

You explicitly mention the need to connect to the X server over local sockets. But won't that allow the sandboxed application to send synthetic events to any other X11 applications? Hence unless the whole X server has restricted network access, this seems a bit broken?
D-Bus, which also uses local sockets, will exhibit similar issues, as will any unrestricted IPC mechanism in fact. I am not sure if restricting network access but not other file descriptors makes that much sense... ?

Then again, I'm not entirely clear what you are trying to solve. If I had to sandbox something, I'd drop the process file limit to 0. That will effectively cut off network, file system, and POSIX IPCs. Unfortunately, the process can still use SysV IPC, ptrace(), and send signals to others. So those are the gaps I would first try to contain.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
http://fi.linkedin.com/in/remidenis
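A small probe of the "drop the process file limit to 0" idea from the message above, added here as an illustration and not part of the original email: a forked child lowers RLIMIT_NOFILE to 0 and then tries socket(), open(), dup() of an inherited descriptor, kill() on itself and a SysV shmget(), so the blocked channels and the remaining gaps can be seen side by side. It assumes Linux; the function and flag names are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/resource.h>
#include <sys/shm.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum {                   /* result bits of probe_nofile_zero(); names are this example's own */
    SOCKET_BLOCKED = 1,  /* socket() failed with EMFILE */
    OPEN_BLOCKED   = 2,  /* open() failed with EMFILE */
    DUP_BLOCKED    = 4,  /* dup() of an already-open fd failed with EMFILE */
    SIGNAL_WORKS   = 8,  /* kill() still succeeds: the signal gap remains */
    SYSV_WORKS     = 16  /* shmget() still succeeds: the SysV IPC gap remains */
};

/* Runs in the forked child: lower RLIMIT_NOFILE to 0, then probe each channel. */
static int probe_in_child(void)
{
    struct rlimit rl = { 0, 0 };          /* soft and hard limit both 0 */
    int flags = 0, id;
    if (setrlimit(RLIMIT_NOFILE, &rl) != 0) return 0;   /* nothing to conclude */
    /* Anything that needs a new descriptor is refused before it obtains one. */
    if (socket(AF_UNIX, SOCK_STREAM, 0) < 0 && errno == EMFILE) flags |= SOCKET_BLOCKED;
    if (open("/dev/null", O_RDONLY) < 0 && errno == EMFILE)      flags |= OPEN_BLOCKED;
    if (dup(STDERR_FILENO) < 0 && errno == EMFILE)              flags |= DUP_BLOCKED;
    /* Descriptor-free channels are untouched by the limit. */
    if (kill(getpid(), 0) == 0)                                 flags |= SIGNAL_WORKS;
    id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    if (id >= 0) { shmctl(id, IPC_RMID, NULL);                  flags |= SYSV_WORKS; }
    return flags;
}

/* Forks so the caller's own limits stay intact; returns the flag mask or -1. */
int probe_nofile_zero(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(probe_in_child());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int f = probe_nofile_zero();
    printf("blocked: socket=%d open=%d dup=%d; still work: kill=%d shmget=%d\n",
           !!(f & SOCKET_BLOCKED), !!(f & OPEN_BLOCKED), !!(f & DUP_BLOCKED),
           !!(f & SIGNAL_WORKS), !!(f & SYSV_WORKS));
    return 0;
}
```

Note that the limit only refuses new descriptors: anything the child inherited before the limit was lowered stays usable, so the descriptors must be closed first for the cut-off to be complete.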