Subject Introducing SELinux sandbox, confining untrusted binaries From Eric Paris <> Date Tue, 26 May 2009 12:54:03 -0400 Dan and I (mostly Dan) have started to play with using SELinux to

confine random untrusted binaries. The program is called 'sandbox.'



http://danwalsh.livejournal.com/28545.html



The idea is to allow administrators to lock down tightly untrusted

applications in a sandbox where they can not use the network and

open/create any file that is not handed to the process. Can be used to

protect a system while allowing it to run some untrusted binary.



A quick dirty example of this sandbox would be to confine the 'cut'

binary. If I wanted to create a file of users on my system from

the /etc/passwd file, I could try



> sandbox cut -d: -f1 /etc/passwd > /tmp/users

/bin/cut: /etc/passwd: Permission denied



Which shows the sandbox domain is not allowed to open /etc/passwd



But I can execute

> cat /etc/passwd | sandbox cut -d: -f1 > /tmp/users



And it works just fine.



Inside the sandbox cut wasn't allowed to get to /etc/passwd. But in the

second example since /etc/passwd was opened by the shell and handed to

cut inside the sandbox it works.



I'd love to hear feedback, suggestions, problems, enhancements,

thoughts, complaints, things of that nature!



Check it out, SELinux confinement made easy.



-Eric







