public inbox archive for pandoc-discuss@googlegroups.com
From: Michael Weiss <dev.primeos-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
Subject: Re: Add a flag/option to disallow all network access?
Date: Thu, 17 Jun 2021 23:37:37 +0200
Message-ID: <YMvAoe5GNqghNAM6@jarvis.primeos.dev>
In-Reply-To: <m2h7hw1cf8.fsf-jF64zX8BO0+FqBokazbCQ6OPv3vYUT2dxr7GGTnW70NeoWH0uzbU5w@public.gmane.org>

On Thu, 17 Jun, 2021 at 13:08:59 -0700, John MacFarlane wrote:
> Yes, I've been wanting to do something like this.
> https://github.com/jgm/pandoc/issues/5045

That's awesome, thanks for the reply! In hindsight I should've searched
for "sandbox" as well. Restricting any IO (apart from the files
specified via CLI parameters) via the PandocPure monad seems like the
best idea and I also like the "--sandboxed" parameter name. I think that
would be a nice addition (like [0] already states) but it seems like the
implementation is unfortunately much more complicated than I thought.

I'll subscribe to the GitHub issue and from my side we can consider this
thread resolved then :)

Joseph wrote:
> This doesn't address your feature request, but it could be a useful hack: set a null http proxy (with an instantaneous timeout) with whatever tool you use, whether it's lynx, w3m, links, etc. I don't know if this can be done with pandoc's `--request-header=`.

That's an interesting idea, I somehow didn't think of that. Using a
network namespace with only the loopback interface would be another
option to guarantee there won't be any network I/O, e.g.:

  unshare --user --net pandoc --from=html+raw_html --to=plain

However, both approaches could still leak information via DNS (not sure
about proxy clients but e.g. nscd can still cause DNS requests when
using network namespaces without additional countermeasures).

If the sandboxing is really important it might be best to use an
existing security sandbox like Firejail or Bubblewrap.

But a "--sandboxed" option for Pandoc would seem interesting
nonetheless (e.g. if user namespaces or a suid security sandbox isn't
available and a Pandoc option would be much easier to use).

Anyway, thanks for that idea.

[0]: https://github.com/jgm/pandoc/issues/5045#issuecomment-504469702

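Added example, not part of the original message or of Pandoc: a preflight check for the network-namespace approach described above, meant to be sourced inside the namespace before pandoc runs. It fails closed if any interface other than lo exists or if the nscd socket is visible; the function names and the default socket path /var/run/nscd/socket (glibc's default) are assumptions.

```shell
#!/bin/sh
# Added example: preflight check to run *inside* the namespace before pandoc.
# Assumption: /var/run/nscd/socket is glibc's default nscd socket path.

# Print every interface listed in a /proc/net/dev-style file except "lo".
# The first two lines of that file are column headers and are skipped.
non_loopback_ifaces() {
    awk -F: 'NR > 2 { gsub(/[ \t]/, "", $1); if ($1 != "lo") print $1 }' "$1"
}

# Succeed only if the namespace has no interface besides loopback and the
# nscd socket is not visible. Arguments default to the live system paths.
verify_isolation() {
    dev_file=${1:-/proc/net/dev}
    nscd_sock=${2:-/var/run/nscd/socket}
    status=0

    # Fail closed: if the interface list cannot be read, assume no isolation.
    if [ ! -r "$dev_file" ]; then
        echo "not isolated: cannot read $dev_file" >&2
        return 1
    fi

    extra=$(non_loopback_ifaces "$dev_file")
    if [ -n "$extra" ]; then
        echo "not isolated: interfaces present:" $extra >&2
        status=1
    fi

    # Pathname Unix sockets are not covered by network namespaces, so a
    # visible nscd socket lets name lookups leave the sandbox via the daemon.
    if [ -S "$nscd_sock" ]; then
        echo "not isolated: nscd socket reachable at $nscd_sock" >&2
        status=1
    fi
    return "$status"
}

# Usage (the unshare command line is the one from the message above;
# preflight.sh and input.html are placeholder file names):
#   unshare --user --net sh -c '. ./preflight.sh && verify_isolation && \
#       pandoc --from=html+raw_html --to=plain' < input.html
```
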