May 26th, 2009

Introducing the SELinux Sandbox

The other day some of my colleagues and I were discussing a recent request for the Linux Kernel to add "security sandbox" functionality.  We talked about how we could do this with SELinux.  The discussions brought up an old Bug report of my about writing policy for the "little things".  SELinux does a great job of confining System Services, but what about applications executed by users.  The bug report talked about confining grep, awk, ls ...  The idea was couldn't we stop the grep or the mv command from suddenly opening up a network connection and copying off my /etc/shadow file to parts unknown.  
Collapse )