public inbox for developer@lists.illumos.org (since 2011-08)
* Sandboxing applications
@ 2024-07-11 23:59 Lonnie Cumberland
  2024-07-12  9:14 ` [developer] " Peter Tribble
From: Lonnie Cumberland @ 2024-07-11 23:59 UTC (permalink / raw)
  To: developer


Hi All,

I hope that everyone is doing well today.

Recently, I have mostly stepped away from Linux, FreeBSD, and Windows 
OS's to dive into Illumos and its associated OS's (SmartOS, OmniOS, and 
OpenIndiana) to gain more experience so that I can work on a new Illumos 
based OS.

For my project direction and in addition to the amazing features that 
Illumos-based systems have like Zones, which are extremely useful, I also 
have a need for application sandboxes and found that Solaris 11.4 
discusses it from what I could find 
(https://blogs.oracle.com/solaris/post/application-sandboxing-in-oracle-solaris-114) 
and (https://docs.oracle.com/cd/E37838_01/html/E61023/dlp-sbox.html), and 
it seems to be built into the OS.

Since I am not yet familiar with the Illumos code-base and am also still 
new to this arena, I wanted to ask if Illumos has an application sandbox 
feature already.

Additionally, I found that there basically are "Sparse Root Zones (SRZ)" 
and "Whole Root Zones (WRZ)" as well that basically map various 
Global-Zone file directories into the non-Global Zone, and it made me 
wonder about Sandboxes and also perhaps non-global zones that are mapped 
with even less directories than SRZ.

Anyway, I am just thinking about some ideas for the project but 
application sandboxes would be extremely useful since I think that they 
are even smaller than the SRZ zones.

Any thoughts, ideas or suggestions would be greatly appreciated.

Thanks in advance and have a great day,
Lonnie


* Re: [developer] Sandboxing applications
  2024-07-11 23:59 Sandboxing applications Lonnie Cumberland
@ 2024-07-12  9:14 ` Peter Tribble
  2024-07-12 19:00   ` Joshua M. Clulow
From: Peter Tribble @ 2024-07-12  9:14 UTC (permalink / raw)
  To: illumos-developer


Lonnie,

On Fri, Jul 12, 2024 at 1:00 AM Lonnie Cumberland via illumos-developer <developer@lists.illumos.org> wrote:

> Hi All,
>
> I hope that everyone is doing well today.
>
> Recently, I have mostly stepped away from Linux, FreeBSD, and Windows OS's
> to dive into Illumos and its associated OS's (SmartOS, OmniOS, and
> OpenIndiana) to gain more experience so that I can work on a new Illumos
> based OS.
>
> For my project direction and in addition to the amazing features that
> Illumos-based systems have like Zones which are extremely useful, I also
> have a need for application sandboxes and found that Solaris 11.4 discusses
> it from what I could find (
> https://blogs.oracle.com/solaris/post/application-sandboxing-in-oracle-solaris-114)
> and (https://docs.oracle.com/cd/E37838_01/html/E61023/dlp-sbox.html) and
> seem to be built into the OS.
>
> Since I am not yet familiar with the Illumos code-base and am also still
> new to this arena, I wanted to ask if Illumos has an application sandbox
> feature already.
>

Not in that form or anything like it, no.

You could use ppriv to limit application privileges, which provides some of
the sandboxing capability. One thing we don't have as far as I'm aware is the
ability to restrict access to a list of files, which would be convenient.


> Additionally, I found that there basically are "Sparse Root Zones (SRZ)"
> and "Whole Root Zones (WRZ)" as well that basically map various Global-Zone
> file directories into the non-Global Zone, and it made me wonder about
> Sandboxes and also perhaps non-global zones that are mapped with even less
> directories than SRZ.
>

In Tribblix I have this thing called mvi zones, where the zone just has an
application and whatever files necessary for it to run. In the case of
applications written in go, this can be a very small list indeed (libc,
nsswitch, and basic contents of /etc). Sort of like docker images. Ought to
finish that project off one of these days, it's just a prototype at the
moment.

I've also played around with running desktop apps sandboxed in regular
zones, rather like Qubes. It works after a fashion, but performance needed
some improvement.


> Anyway, I am just thinking about some ideas for the project but
> application sandboxes would be extremely useful since I think that they are
> even smaller than the SRZ zones.
>
> Any thoughts, ideas or suggestions would be greatly appreciated.
>
> Thanks in advance and have a great day,
> Lonnie


-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
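To make Peter's ppriv suggestion concrete, here is an added example (not code from the thread or from any illumos project) that launches an application under a reduced privilege set with ppriv(1) and then checks, from the output of `ppriv -v <pid>`, which of the E/I/P/L sets still hold a given privilege. It assumes the app path /opt/app/bin/server and constructs the two ppriv output samples inline; the point of the bad sample is that a spec which only touches E leaves the privilege in P and L, so the process could re-enable it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed app path: /opt/app/bin/server.

# Build a ppriv -s spec: start every set (A = E, I, P and L) from the basic
# set and subtract each named privilege. Removing from L as well means the
# process and its children can never get the privilege back.
# ppriv_spec proc_info proc_fork  ->  A=basic,-proc_info,-proc_fork
ppriv_spec() {
  spec="A=basic"
  for p in "$@"; do spec="$spec,-$p"; done
  printf '%s\n' "$spec"
}

# Launch a command with the reduced sets. $1 is a space-separated list of
# privileges to drop; the rest is the command line. Needs an illumos host.
run_sandboxed() {
  drop=$1; shift
  exec ppriv -e -s "$(ppriv_spec $drop)" "$@"
}

# Read verbose ppriv output (ppriv -v <pid>, literal privilege names) on
# stdin and print, one per line, the sets that still contain privilege $1.
sets_holding() {
  priv=$1
  grep -E '^[[:space:]]*[EIPL]: ' | while IFS=': ' read -r set list; do
    case ",$list," in *",$priv,"*) printf '%s\n' "$set" ;; esac
  done
}

# Constructed sample: the app was started with "-s E-proc_info" only, so the
# privilege is gone from E but still in I, P and L (L shortened for brevity).
SAMPLE_BAD='4242:   /opt/app/bin/server
flags = <none>
        E: file_link_any,proc_exec,proc_fork,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        L: file_dac_read,file_dac_write,file_link_any,net_privaddr,proc_exec,proc_fork,proc_info,proc_session,sys_mount'

# Constructed sample: started with "-s A=basic,-proc_info"; no set holds it.
SAMPLE_OK='4243:   /opt/app/bin/server
flags = <none>
        E: file_link_any,proc_exec,proc_fork,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_session
        P: file_link_any,proc_exec,proc_fork,proc_session
        L: file_link_any,proc_exec,proc_fork,proc_session'
```

On a live system, feed `ppriv -v <pid>` into `sets_holding` instead of the samples; an empty result for every privilege you dropped is the condition to look for.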


* Re: [developer] Sandboxing applications
  2024-07-12  9:14 ` [developer] " Peter Tribble
@ 2024-07-12 19:00   ` Joshua M. Clulow
From: Joshua M. Clulow @ 2024-07-12 19:00 UTC (permalink / raw)
  To: illumos-developer

On Fri, 12 Jul 2024 at 02:15, Peter Tribble <peter.tribble@gmail.com> wrote:
> You could use ppriv to limit application privileges, which provides some of the sandboxing
> capability. One thing we don't have as far as I'm aware is the ability to restrict access to a
> list of files, which would be convenient.

I've talked with some folks recently about this, in particular.  We
could probably add a compatible implementation of the "Extended
Policy" facility that was added after the gate closed.  It integrates
with the existing privileges(5) stuff, but with constrained targets;
e.g.,

    - file_dac_read supports globs on file paths
    - net_privaddr supports nominating specific TCP or UDP port numbers
    - proc_setid allows a process to change to a specific range of UIDs

-- 
Joshua M. Clulow
http://blog.sysmgr.org
