One of the coolest new toys that I was recently told about that’s available in Linux (at least Fedora/RHEL 6, not sure about Debian-based stuff or Suse) is the sandbox application. A massive hat tip to Dan Walsh, the author of this app, for showing it off in a recent SELinux talk.
From its man page:
Run the cmd application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The -M option will mount an alternate homedir and tmpdir to be used by the sandbox. If you have the policycoreutils-sandbox package installed, you can use the -X option and the -M option. sandbox -X allows you to run X applications within a sandbox. These applications will start up their own X Server and create a temporary home directory and /tmp. The default SELinux policy does not allow any capabilities or network access. It also prevents all access to the user's other processes and files. Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories. If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels.
That all sounds well and good. But how does this help me? WELL… the first one that popped into my head is opening up documents from the web that I’m not really sure about. A PDF from someone or some site that you think might contain a script that does bad things, but I REALLY want to look at it. Take a peek in a sandbox!
$ sandbox -X firefox ~/test.pdf
and *poof*, Firefox opens up the PDF for me. BUT this instance of Firefox can’t see my home directory contents or my normal temp folder. It’s also running inside its own X server instance. And most importantly, the instance is running in an extremely limited SELinux context.
So if this PDF contains a nasty of some sort that is trying to read my plaintext file that contains my web passwords and credit card data, it can’t see it, let alone get to it.
It’s all nice and easy and locked down and safe(r) and way easier than creating a chroot jail.