First of all let’s define what we want: - A way to intercept socket() family calls. - The ability to deny only non-local connections. - The ability to deny connect()’s to only addresses that were bind()‘ed by children that were running under the same sydbox instance. - Ability to whitelist certain addresses.
The first is easy. We already have a framework for intercepting many system
calls and adding support for
socket() wasn’t a problem. The only problem is on
architectures which has the
socketcall() system call and implement
all other calls on top of this single system call, we need to decode this
socketcall() into it’s subcalls. So we need two functions
trace_get_addr. Implementing those were easy
because strace already has similar functions.
Now that we can intercept socket calls the next step is to deny only non-local
connections. This means just checking the address of the connection if it
::1. Simple and efficient.
The third step is somewhat complicated. We have to check the return value of bind calls and if they succeeded, note these addresses and corresponding ports. This means a form of whitelist is required.
Having implemented the whitelist for step 3, it was easy to expand it to take its elements from user configuration file or magic commands.
It’s all done! Here’s how it looks like in the configuration file:
[main] ... # whether sydbox should do network sandboxing # defaults to false network = false ... # Network specific options are specified in the net group [net] # Network sandboxing default # One of allow, deny, local # Defaults to allow default = allow # Whether connect(2) requests should be restricted to addresses that were # bind(2)'ed by one of the parents. # Defaults to false restrict_connect = false # Additional addresses to be allowed when restrict_connect is set. # This is a list of addresses in one of the possible forms: # unix:///path/to/socket # inet://ipv4_address:port # inet6://ipv6_address:port whitelist = unix:///var/run/nscd/socket
In addition to that there are magic commands so that the package mangler can change those options at runtime. See the manual page for more information.
Update : Fixed links thanks to cuerty.