Re: Sandbox thoughts



On tor, 2015-03-05 at 15:26 -0800, Andy Lutomirski wrote:
> On Wed, Mar 4, 2015 at 3:14 AM, Alexander Larsson <alexl redhat com> wrote:
> 
> Fair enough.
> 
> Eric, I don't understand the mount propagation code at all.  Could
> there be "propagate read-only" mode?  (Presumably along with nodev,
> nosuid, and noexec.)

Completely unrelated, but while I have some kernel people on the line:

Any chance someone could make it be possible to share the network
namespace with the host, yet still get your own abstract unix socket
address space. These two are currently tightly bound, which is a problem
if you want to use the host network namespace to allow the app "normal"
access to the network stack, because it *also* gives the app full access
to all local abstract sockets, and those don't even have any permission
checks.

For instance, would it be possible to, say, add a prefix string which is
applied to all abstract sockets? Or maybe just a separate namespace for
these?

Regular unix domain sockets are really all that is needed, and they work
with bind mounts so I can set up access to them however I want, so
another alternative is to just make it possible to disable abstract
socket use in a container. Unfortunately this is not doable with
seccomp, and while it may be doable in selinux it is hardly simple, and
depends on that being in enforcing mode.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl redhat com            alexander larsson gmail com 
He's a shy shark-wrestling card sharp on a search for his missing sister. 
She's a warm-hearted thirtysomething research scientist living on 
borrowed time. They fight crime! 
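A check that follows from the point raised in the mail above, added here as an example and not code from the thread: list the abstract, listening unix sockets visible in the current network namespace by parsing /proc/net/unix, since every one of them is reachable by a sandboxed process that shares the host network namespace, whatever its mount namespace or file permissions. The column layout and the __SO_ACCEPTCON flag value are how the kernel renders that file; the sample contents embedded below are constructed, not captured from a real host.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample in /proc/net/unix format (not captured from a real host).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20001 /run/user/1000/bus
0000000000000000: 00000002 00000000 00010000 0001 01 20002 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0005 01 20003 @/tmp/dbus-example
0000000000000000: 00000003 00000000 00000000 0001 03 20004
"""

LISTENING = 0x10000  # __SO_ACCEPTCON, set in the Flags column for listeners


@dataclass
class UnixSocket:
    inode: int
    sock_type: int      # 1 = stream, 2 = dgram, 5 = seqpacket
    listening: bool
    path: str           # empty for unnamed (connected peer) sockets

    @property
    def abstract(self) -> bool:
        # The kernel prints the leading NUL byte of an abstract name as '@'.
        return self.path.startswith("@")


def parse_proc_net_unix(text: str) -> List[UnixSocket]:
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)            # Path may contain spaces
        if len(fields) < 7:
            continue
        flags, stype, inode = int(fields[3], 16), int(fields[4], 16), int(fields[6])
        path = fields[7] if len(fields) > 7 else ""
        sockets.append(UnixSocket(inode, stype, bool(flags & LISTENING), path))
    return sockets


def exposed_abstract_listeners(text: str) -> List[str]:
    """Abstract listening sockets: no filesystem node, so no mode bits or
    bind-mount visibility apply; anyone in this netns can connect."""
    return [s.path for s in parse_proc_net_unix(text) if s.abstract and s.listening]


def audit_host(path: str = "/proc/net/unix") -> List[str]:
    with open(path) as f:
        return exposed_abstract_listeners(f.read())


if __name__ == "__main__":
    for name in exposed_abstract_listeners(SAMPLE_PROC_NET_UNIX):
        print("abstract listener reachable by any process in this netns:", name)
```

Run `audit_host()` on a real system to see what a sandbox sharing the host network namespace would be able to reach.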


