Eric Paris, a SELinux developer, announced today a new SELinux feature: “Dan and I (mostly Dan) have started to play with using SELinux to confine random untrusted binaries. The program is called ‘sandbox.’ The idea is to allow administrators to lock down tightly untrusted applications in a sandbox where they can not use the network and open/create any file that is not handed to the process. Can be used to protect a system while allowing it to run some untrusted binary.”
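Added here as an illustration (it is not code from the announcement or from the policycoreutils project): a small shell script that exercises the file-access rule Eric Paris describes, a file handed to the confined process through an inherited descriptor versus the same file opened by name from inside the sandbox. It assumes a host with SELinux in enforcing mode, the sandbox policy loaded, and the `sandbox` and `getenforce` commands on PATH; the temporary directory and the sample input line are constructed for the demo, and on a host without the sandbox the demo is skipped.

```shell
#!/bin/sh
# Added demonstration of the SELinux "sandbox" wrapper; not code from the
# announcement or from policycoreutils. Assumes SELinux enforcing, the sandbox
# policy module loaded, and `sandbox` and `getenforce` on PATH.

# Constructed scratch location for the demo (assumption, not from the page).
SANDBOX_DEMO_DIR="${TMPDIR:-/tmp}/sandbox_demo.$$"

# Returns 0 when this host can actually enforce the sandbox, 1 otherwise.
sandbox_available() {
    command -v sandbox >/dev/null 2>&1 || return 1
    command -v getenforce >/dev/null 2>&1 || return 1
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ]
}

# Constructed sample input for the confined process to read.
write_sample() {
    mkdir -p "$SANDBOX_DEMO_DIR" &&
    printf 'constructed sample line\n' > "$SANDBOX_DEMO_DIR/input.txt"
}

# Case 1: the file is handed to the process as an inherited descriptor (stdin)
# and its output goes to another inherited descriptor (stdout).
# Expected under the sandbox policy: allowed.
run_with_handed_fds() {
    sandbox cat < "$SANDBOX_DEMO_DIR/input.txt" \
        > "$SANDBOX_DEMO_DIR/output.txt" 2>/dev/null
}

# Case 2: the same file opened by path name from inside the sandbox.
# Expected under the sandbox policy: denied (non-zero exit, AVC denial logged).
run_with_named_path() {
    sandbox cat "$SANDBOX_DEMO_DIR/input.txt" >/dev/null 2>&1
}

# Remove the scratch directory; the pattern guard keeps rm -rf on a short leash.
cleanup_sample() {
    case "$SANDBOX_DEMO_DIR" in
        */sandbox_demo.*) rm -rf "$SANDBOX_DEMO_DIR" ;;
    esac
}

if sandbox_available; then
    write_sample
    if run_with_handed_fds &&
       grep -q 'constructed sample line' "$SANDBOX_DEMO_DIR/output.txt"; then
        echo "handed descriptors: allowed (as expected)"
    else
        echo "handed descriptors: unexpectedly denied"
    fi
    if run_with_named_path; then
        echo "named path: unexpectedly allowed"
    else
        echo "named path: denied (as expected)"
    fi
    cleanup_sample
else
    echo "skip: no enforcing SELinux sandbox on this host" >&2
fi
```

Run it as an unconfined user on the SELinux host; the named-path case fails because the sandbox domain is not allowed to open the file itself, while the inherited descriptors were opened by the unconfined shell before the sandbox transition, which is exactly the "handed to the process" distinction in the announcement.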
This reminds me of something I read about the OLPC project. Don’t they do something similar?
I wonder if this could also be used to create a sandboxed AppDir environment. (Just thinking aloud really — I’ve had something like this in mind for a while.)
Edited 2009-05-26 20:52 UTC
The current release of OLPC uses Linux-VServer to implement part of Bitfrost. Effectively, every application is contained by running it alone in its own virtual machine. It can impose resource usage restrictions far beyond what I believe SELinux to be capable of. (I might be wrong on that last part.)
Hi,
I think the implemented Bitfrost moved past using the vserver patch into using the rainbow daemon.
http://wiki.laptop.org/go/Rainbow
Here’s an old mail where Michael Stone explains why he didn’t use SELinux:
http://lists.laptop.org/pipermail/security/2008-January/000370.html
Fascinating stuff
VMs are too expensive.
I would think this concept should just go mainstream. All binaries are untrusted, and all scripts are untrusted. If you have a worm, it can modify any script or binary and do something unexpected. So if some component can do only explicitly described actions and nothing else, it would create a safe system by definition.