From: Peter Tribble
Date: Fri, 12 Jul 2024 10:14:59 +0100
Subject: Re: [developer] Sandboxing applications
To: illumos-developer

Lonnie,

On Fri, Jul 12, 2024 at 1:00 AM Lonnie Cumberland via illumos-developer <developer@lists.illumos.org> wrote:

> Hi All,
>
> I hope that everyone is doing well today.
>
> Recently, I have mostly stepped away from Linux, FreeBSD, and Windows OS's
> to dive into Illumos and its associated OS's (SmartOS, OmniOS, and
> OpenIndiana) to gain more experience so that I can work on a new Illumos
> based OS.
>
> For my project direction and in addition to the amazing features that
> Illumos-based systems have like Zones which are extremely useful, I also
> have a need for application sandboxes and found that Solaris 11.4 discusses
> it from what I could find (
> https://blogs.oracle.com/solaris/post/application-sandboxing-in-oracle-solaris-114)
> and (https://docs.oracle.com/cd/E37838_01/html/E61023/dlp-sbox.html) and
> seem to be built into the OS.
>
> Since I am not yet familiar with the Illumos code-base and am also still
> new to this arena, I wanted to ask if Illumos has an application sandbox
> feature already.
>

Not in that form or anything like it, no.

You could use ppriv to limit application privileges, which provides some of the sandboxing
capability. One thing we don't have as far as I'm aware is the ability to restrict access to a
list of files, which would be convenient.

> Additionally, I found that there basically are "Sparse Root Zones (SRZ)"
> and "Whole Root Zones (WRZ)" as well that basically map various Global-Zone
> file directories into the non-Global Zone, and it made me wonder about
> Sandboxes and also perhaps non-global zones that are mapped with even less
> directories than SRZ.
>

In Tribblix I have this thing called mvi zones, where the zone just has an application and
whatever files necessary for it to run. In the case of applications written in go, this can be
a very small list indeed (libc, nsswitch, and basic contents of /etc). Sort of like docker
images. Ought to finish that project off one of these days, it's just a prototype at the moment.

I've also played around with running desktop apps sandboxed in regular zones, rather like
Qubes. It works after a fashion, but performance needed some improvement.

> Anyway, I am just thinking about some ideas for the project but
> application sandboxes would be extremely useful since I think that they are
> even smaller than the SRZ zones.
>
> Any thought, ideas or suggestions would be greatly appreciated.
>
> Thanks in advance and have a great day,
> Lonnie
>

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
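The two mechanisms Peter names above, a reduced privilege set via ppriv(1) and a zone that holds only the files an application needs, as an added shell example. This is not code from the mail, from Tribblix or from the mvi prototype; it is a sketch of the same idea. Assumptions of mine: an illumos host with ldd(1) and ppriv(1) in PATH, the `/etc` baseline list and the runtime-linker path are illustrative, and the privilege spec is a starting point rather than a vetted minimum for any particular program.

```shell
#!/bin/sh
# Added example, not code from the original mail or from Tribblix.
#   1. work out the minimal file list an application needs (its shared
#      libraries plus a baseline /etc), in the spirit of an mvi zone;
#   2. run the application under a reduced privilege set with ppriv(1).
# Assumptions: illumos host with ldd(1) and ppriv(1); the baseline /etc
# list, the runtime-linker path and the privilege spec are illustrative.

# Files most dynamically linked programs read for name and identity
# lookups (assumption: trim or extend this per application).
MVI_ETC_BASELINE="/etc/nsswitch.conf /etc/passwd /etc/group /etc/resolv.conf /etc/hosts"

# deps_from_ldd: read ldd(1) output on stdin, print one absolute library
# path per line, deduplicated and sorted. Handles both line shapes ldd
# produces, "name => /path" and a bare "/path", and skips "(file not found)".
deps_from_ldd() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//              { print $1 }
    ' | LC_ALL=C sort -u
}

# mvi_manifest BIN: everything a minimal zone root for BIN would need:
# the binary, its libraries, the runtime linker and the /etc baseline.
mvi_manifest() {
    bin=$1
    {
        echo "$bin"
        ldd "$bin" 2>/dev/null | deps_from_ldd
        # ldd does not list the runtime linker itself on illumos
        # (assumption: 64-bit binary; 32-bit ones use /lib/ld.so.1).
        echo /lib/64/ld.so.1
        for f in $MVI_ETC_BASELINE; do echo "$f"; done
    } | LC_ALL=C sort -u
}

# mvi_populate ROOT BIN: copy the manifest into ROOT, preserving paths.
# Pair with a zone (or at least chroot) so the tree is the whole view of
# the filesystem; this is the closest illumos gets to "a list of files".
mvi_populate() {
    root=$1; bin=$2
    mvi_manifest "$bin" | while read -r f; do
        [ -e "$f" ] || continue          # optional baseline file: skip
        mkdir -p "$root$(dirname "$f")"
        cp -p "$f" "$root$f"
    done
}

# Privilege spec for ppriv -s: start from the basic set and drop what a
# single-purpose service usually does not need. proc_exec is kept on
# purpose: ppriv still has to exec the command after applying the spec.
# Syntax per ppriv(1): set letters (E, I, P, L, or A for all), operator
# (=, +, -), comma-separated names, "!" negating a name. Check ppriv(1)
# on your build; this string is an assumption, not copied from docs.
PPRIV_SPEC="A=basic,!proc_fork,!proc_info,!proc_session,!file_link_any"

# run_reduced CMD...: run CMD under PPRIV_SPEC. -D turns on privilege
# debugging, so the kernel reports any missing privilege on the
# controlling terminal; that report is how you learn which privilege a
# failing application actually needed, rather than guessing.
run_reduced() {
    if ! command -v ppriv >/dev/null 2>&1; then
        echo "ppriv(1) not found: this step needs an illumos host" >&2
        return 127
    fi
    ppriv -e -D -s "$PPRIV_SPEC" "$@"
}

# Usage (on illumos):
#   mvi_manifest /usr/bin/curl
#   mvi_populate /zones/mvi-curl/root /usr/bin/curl
#   run_reduced /usr/bin/curl -sI https://example.org/
```

Two caveats worth keeping in mind. The manifest only covers what the dynamic linker resolves at load time; anything dlopen(3C)'d later (locale data, NSS backends, crypto providers) shows up as a runtime failure inside the zone, which is exactly what ppriv -D and a missing-file error are for. And the privilege spec narrows what the process may do, not which files it may touch; the file boundary still comes from the zone root, not from ppriv.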