More sandboxing
When working with untrusted code or data it's impossible to predict what
happens when one runs a:
bundle install --path=vendor
or
npm install
Does this phone out your private SSH and GPG keys? Does a
evince Downloads/justdownloaded.pdf
try to exploit the PDF viewer? While you can run stuff in separate
virtual machines this can get cumbersome.
libvirt-sandbox to the
rescue! It allows sandboxing applications using
libvirt's
virtualization drivers. It took us a couple of years (the ITP is from
2012) but we finally have it in Debian's
NEW queue. When libvirt-sandbox creates
a sandbox it uses your root filesystem, mounted read-only by default, so
you have access to all installed programs (this can be changed with
the
--root option though). It can use either libvirt's
QEMU or
LXC drivers. We're using the latter in the examples below:
So in order to make sure the above bundler call has no access to your
$HOME you can use:
sudo virt-sandbox \
-m ram:/tmp=10M \
-m ram:$HOME=10M \
-m ram:/var/run/screen=1M \
-m host-bind:/path/to/your/ruby-stuff=/path/to/your/ruby-stuff \
-c lxc:/// \
-S $USER \
-n rubydev-sandbox \
-N dhcp,source=default \
/bin/bash
This will make your $HOME inaccessible by mounting a tmpfs over it and
use separate network, IPC, mount, PID and UTS namespaces, allowing
you to invoke bundler with fewer worries. /path/to/your/ruby-stuff is
bind mounted read-write into the sandbox so you can change files
there; anything written under $HOME inside the sandbox (caches, dotfiles)
lands in the 10M tmpfs and is gone when the sandbox exits. Bundler can
fetch new gems using libvirt's default network
connection.
And for the PDF case:
sudo virt-sandbox \
-m ram:$HOME=10M \
-m ram:/dev/shm=10M \
-m host-bind:$HOME/Downloads=$HOME/Downloads \
-c lxc:/// \
-S $USER \
-n evince-sandbox \
--env="DISPLAY=:0" \
--env="XAUTHORITY=$XAUTHORITY" \
/usr/bin/evince Downloads/justdownloaded.pdf
Note that the above example does not overlay /tmp, so the sandbox sees
the host's /tmp (read-only, as part of the root filesystem) in order to
give it access to the X11 socket in /tmp/.X11-unix. That socket is the
weak spot: any client that can talk to the X server can read keystrokes
and window contents of other clients. Also check where $XAUTHORITY
points: if it is the default ~/.Xauthority it is hidden by the tmpfs
over $HOME and evince won't be able to authenticate to the display. A
better isolation can probably be achieved using xpra or xvnc but I
haven't looked into this yet.
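Both invocations above follow the same pattern (tmpfs over $HOME, a few explicit host-bind mounts, LXC driver, optionally network or X11 access), so it is worth wrapping them in a small script. The following is an added example written for this post, not code from libvirt-sandbox or its author: it builds the virt-sandbox argument list from a sandbox name, a profile and a list of directories to expose, refuses bind mounts that would re-expose the hidden $HOME, and warns when $XAUTHORITY lives under $HOME. It relies only on the virt-sandbox options used in the two examples (-m, -c, -S, -n, -N, --env); the profile keywords "net" and "x11" and the function names are our own.

```shell
#!/bin/bash
# Wrapper that builds (and optionally runs) a virt-sandbox invocation which
# hides $HOME behind a tmpfs and bind-mounts only the directories a job needs.
# Added example for this post, not code from libvirt-sandbox. It uses only the
# virt-sandbox options shown in the post; "net"/"x11" profiles are our own.
set -u

# sandbox_args NAME PROFILE BIND_DIR... -- COMMAND...
#   PROFILE is a comma-separated list of: net (attach to libvirt's default
#   network), x11 (keep the host's /tmp for the X11 socket and pass
#   DISPLAY/XAUTHORITY through).
# Prints one argument per line; run_sandboxed hands them to virt-sandbox.
sandbox_args() {
    local name=$1 profile=",$2,"
    shift 2
    local -a args=()
    # x11 needs the host's /tmp (the X socket is /tmp/.X11-unix);
    # every other profile gets an empty tmpfs there instead.
    case $profile in *,x11,*) ;; *) args+=(-m "ram:/tmp=10M") ;; esac
    args+=(-m "ram:$HOME=10M" -m "ram:/dev/shm=10M")
    # Bind-mount the explicitly requested directories read-write.
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        local dir=$1
        shift
        case $dir in
            /*) ;;
            *) echo "sandbox_args: bind path must be absolute: $dir" >&2; return 1 ;;
        esac
        # Refuse anything that would re-expose the $HOME we just hid
        # (/ , $HOME itself, or any parent of $HOME).
        if [ "$dir" = / ]; then
            echo "sandbox_args: refusing to bind-mount /" >&2; return 1
        fi
        case "$HOME/" in
            "$dir"/*) echo "sandbox_args: refusing to expose $dir (contains \$HOME)" >&2; return 1 ;;
        esac
        args+=(-m "host-bind:$dir=$dir")
    done
    if [ "${1:-}" = "--" ]; then shift; fi
    args+=(-c lxc:/// -S "$USER" -n "$name")
    case $profile in *,net,*) args+=(-N dhcp,source=default) ;; esac
    case $profile in *,x11,*)
        # ~/.Xauthority would be hidden by the tmpfs over $HOME.
        case $XAUTHORITY in "$HOME"/*)
            echo "sandbox_args: warning: $XAUTHORITY is under \$HOME and will be hidden" >&2 ;;
        esac
        args+=("--env=DISPLAY=$DISPLAY" "--env=XAUTHORITY=$XAUTHORITY") ;;
    esac
    args+=("$@")
    printf '%s\n' "${args[@]}"
}

# run_sandboxed: same arguments as sandbox_args, but actually start it.
run_sandboxed() {
    local out
    out=$(sandbox_args "$@") || return 1
    local -a args
    mapfile -t args <<<"$out"
    sudo virt-sandbox "${args[@]}"
}

# The two cases from the post:
#   run_sandboxed rubydev-sandbox net /path/to/your/ruby-stuff -- /bin/bash
#   run_sandboxed evince-sandbox x11 "$HOME/Downloads" -- \
#       /usr/bin/evince "$HOME/Downloads/justdownloaded.pdf"
```

The argument list is printed one item per line so a dry run can be inspected (or diffed against what you expect) before anything is started as root; the refusal to bind-mount / or a parent of $HOME exists because a single careless `-m host-bind:/home=/home` silently undoes the whole point of the tmpfs overlay.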
Besides the command line program
virt-sandbox there's also the
library
libvirt-sandbox which makes it simpler to build new
sandboxing applications. We're not yet shipping
virt-sandbox-service
(a tool to provision sandboxed system services) in the Debian packages
since it's RPM distro specific. Help on porting this to Debian is
greatly appreciated.