Feature #6178

Evaluate current state of Linux namespaces

Added by intrigeri 2013-07-20 01:42:22 . Updated 2018-09-14 11:15:44 .

Status:
Rejected
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2013-07-20
Due date:
% Done:

0%

Feature Branch:
Type of work:
Research
Starter:
1
Affected tool:
Deliverable for:

Description

We should evaluate if a container-based solution (e.g. LXC or unshare(1)) is now a viable, secure-enough solution for creating isolated jails.

See the blueprint for the current state of our research.


Subtasks


Related issues

Related to Tails - Feature #5525: Sandbox the web browser Resolved 2015-01-24 2015-02-04
Related to Tails - Bug #9534: Tighten AppArmor policy Resolved 2015-06-04
Related to Tails - Feature #15874: Start looking at technologies used by snap/Flatpak for user-friendlier sandboxing Confirmed 2018-08-30

History

#1 Updated by intrigeri 2014-02-20 10:17:50

  • Description updated

#2 Updated by intrigeri 2014-02-20 10:19:20

  • Description updated

#3 Updated by Dr_Whax 2014-03-02 12:36:46

I asked Spender who works on Grsecurity what his view on this ticket is. Basically what he said is:

Spender: if you were using grsec[1], that existing chroot would be effectively equivalent to the namespaces, minus the extra work. What I don’t see there is any discussion of what you want that you don’t have now and what the attack vectors are. For instance, if you’re worried about exploiting suid/sgid bins, then NNP[2] is an option too.

So what we should discuss is, what do we care about when we want to harden the browsers and Tor? I’m afraid that with existing namespaces and without a patched kernel with Grsec, we basically provide security with the equivalent of a chroot (hint, that isn’t a lot of security). I would even add Pidgin to the list of things to harden here, since it’s a castle made of sand.

My 0,02.

[1] https://grsecurity.net/
[2] “No New Privileges” [PR_SET_NO_NEW_PRIVS prctl]

#4 Updated by intrigeri 2014-03-04 00:22:44

Thank you for working on this!

Dr_Whax wrote:
> I’m afraid that with existing namespaces and without a patched kernel with Grsec, we basically provide security with the equivalent of a chroot (hint, that isn’t a lot of security).

The way I understand Spender’s comment, “namespaces = chroot as improved by grsec +
more work”, not “namespaces = chroot”. Did I miss anything?

BTW, this is Tails 2.0 material, not a WIP, that’s why the actual threat model etc. has not been thought through yet. Of course, you are more than welcome to work on this before 1.1 is out, but I just wanted to make clear you are walking in unknown territory, and the rest of the team will be swamped with the work towards Tails 1.0 and 1.1 until mid-June, so perhaps not very reactive on this topic.

#5 Updated by Dr_Whax 2014-07-10 15:54:56

SubgraphOS will be based on Grsecurity and LXC. Effectively, the namespaces get the same security properties as the host machine with a GRSecurity kernel.

Using just LXC will be raising the bar a little bit for an attacker to try and break-out of this. But as Spender said, it’s just a chroot and if we are not careful, we might introduce more vulnerabilities than fixing them.

I will ping the SubgraphOS people on how they plan to implement LXC.

#6 Updated by intrigeri 2014-08-03 15:08:59

  • Assignee set to Dr_Whax
  • QA Check set to Info Needed

Dr_Whax wrote:
> I will ping the SubgraphOS people on how they plan to implement LXC.

Any news on that one?

I’ve read somewhere that they use LXC + xpra. In this vein, we should have a look at:

#7 Updated by intrigeri 2014-08-03 15:33:47

  • Description updated
  • Blueprint set to https://tails.boum.org/blueprint/Linux_containers/

#8 Updated by intrigeri 2014-10-05 06:14:33

#9 Updated by intrigeri 2015-01-13 18:36:04

#10 Updated by intrigeri 2015-01-13 18:36:11

#11 Updated by Dr_Whax 2015-07-01 13:55:29

intrigeri wrote:
> Dr_Whax wrote:
> > I will ping the SubgraphOS people on how they plan to implement LXC.
>
> Any news on that one?
>
> I’ve read somewhere that they use LXC + xpra. In this vein, we should have a look at:
>
> * http://pleonasm.info/blog/2012/10/privilege-separation-with-xpra/
> * https://github.com/rogaha/docker-desktop
> * https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/ and especially https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
> * https://unix.stackexchange.com/questions/134939/x-and-xdotool-in-lxc-instead-of-kvm
> * https://stackoverflow.com/questions/16296753/can-you-run-gui-apps-in-a-docker

They have open sourced their sandboxing method: https://github.com/subgraph/oz i’ll update the blueprint accordingly.

#12 Updated by intrigeri 2017-06-05 14:14:29

  • related to Bug #9534: Tighten AppArmor policy added

#13 Updated by intrigeri 2017-06-05 14:15:24

There’s been a huge amount of progress on this front in the last 2-3 years, both in the Linux kernel and on sandboxing wrappers. I’m confident we can start making good use of it as soon as we have time to invest there :)

#14 Updated by Anonymous 2017-06-27 14:53:26

  • QA Check deleted (Info Needed)

Info has been provided it seems.

#15 Updated by Dr_Whax 2018-08-25 13:00:38

ChromeOS recently introduced Linux containers, so you’re able to run you’re own Debian container/vm within ChromeOS.

The design is outlined here: https://chromium.googlesource.com/chromiumos/docs/+/master/containers_and_vms.md

There’s some open issues like no sound or accelerated graphics from within the container but these are open issues for now. Hopefully, Google either improves it upstream or similar so we all benefit from it.

Will update the blueprint with this link. My own chromebook won’t be supported so I unfortunately can’t test it out. But i’m curious how they’ll introduce this UX/UI wise into chromeos..

#16 Updated by intrigeri 2018-09-14 11:14:00

  • related to Feature #15874: Start looking at technologies used by snap/Flatpak for user-friendlier sandboxing added

#17 Updated by intrigeri 2018-09-14 11:14:03

#18 Updated by intrigeri 2018-09-14 11:15:44

  • Status changed from Confirmed to Rejected
  • Assignee deleted (Dr_Whax)

Next step is Feature #15874.