10.01.2014, 21:39, "Joshua Brindle" <brin...@quarksecurity.com>:
> Victor Porton wrote:
>
>> I propose to create a new NetFilter table dedicated to rules created
>> programmatically (not by an explicit admin's iptables command).
>>
>> Otherwise an admin could be tempted to say `iptables -F security` which
>> would probably break rules created for example by sandboxing software (which
>> may follow same-origin policy to restrict one particular program to certain
>> domain and port only). Note that in this case `iptables -F security` is a
>> security risk (sandbox breaking)?
>>
>> New table could possibly be called:
>>
>> - temp
>> - temporary
>> - auto
>> - automatic
>> - volatile
>> - daemon
>> - system
>> - sys
>>
>> In iptables docs it should be said that this table should not be
>> manipulated manually.
>
> Is it possible that the solution to your sandboxing problem is seccomp
> filter?
>
> http://outflux.net/teach-seccomp/
>
> You'd filter out any syscall that can make outbound connections and then
> only pass already opened sockets to the sandboxed threads?
>
> seccomp filter was actually created for sandboxing, so that user
> applications could voluntarily shed the ability to call certain syscalls
> before handling untrusted data.
seccomp would not work for me, because I need network-enabled sandboxes.
Moreover we should be able to filter out certain subnets such as
127.0.0.0/255.0.0.0 (and others). This can't be done cleanly with seccomp.

-- 
Victor Porton - http://portonvictor.org
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
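The exchange above turns on what a seccomp-bpf filter can and cannot see. The following is an added example, written for this page and not code from either poster or from the teach-seccomp tutorial: it installs the kind of filter Joshua suggests (connect(2) fails with EPERM, every other syscall passes, so already-opened sockets keep working), and its comments mark where Victor's objection bites. A seccomp filter reads only the syscall number, the architecture, and the raw argument registers; the sockaddr argument to connect is a pointer, and the filter cannot dereference it, so it has no way to tell 127.0.0.1 from any other address. Subnet policy such as denying 127.0.0.0/8 therefore has to live in the network stack (netfilter), which is the gap the proposed table is about. The code assumes Linux on x86_64 or aarch64 and uses a constructed target of 127.0.0.1 port 9 for the probe.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>

/* Assumption: built natively on x86_64 or aarch64 Linux. */
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Older headers only know SECCOMP_RET_KILL. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install a seccomp-bpf filter that makes connect(2) fail with EPERM and
 * lets every other syscall through. Returns 0 on success, -1 on failure.
 * A real sandbox would also cover sendto/sendmsg with an explicit address
 * (datagram sockets connect implicitly); kept to connect here for clarity. */
int install_no_connect_filter(void)
{
    struct sock_filter filter[] = {
        /* Refuse to run under a foreign (compat) syscall table, where
         * __NR_connect would mean something else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number. This, the arch and the six raw argument
         * registers are all the filter can ever inspect: the sockaddr behind
         * connect's second argument is userspace memory it cannot read, so no
         * per-address or per-subnet decision is possible at this layer. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 0, 1),
        /* connect -> hand EPERM back to the caller instead of performing it. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* Everything else, including I/O on sockets opened earlier, is allowed. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Try a TCP connect to an IPv4 address/port and return the errno the attempt
 * produced (0 if it succeeded). With the filter installed this is EPERM for
 * every destination, loopback or not. */
int try_connect_errno(const char *ipv4, unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ipv4, &sa.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    int saved = (rc == 0) ? 0 : errno;
    close(fd);
    return saved;
}

int main(void)
{
    if (install_no_connect_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    /* Constructed target: loopback, port 9 (discard). */
    int e = try_connect_errno("127.0.0.1", 9);
    printf("connect(127.0.0.1:9) -> %s\n", strerror(e));
    return 0;
}
```

Note that the filter is inherited by every thread and child created afterwards and cannot be removed, which is exactly the property that makes seccomp useful for voluntary privilege shedding and useless for the per-subnet policy the thread asks for.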