Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve sandboxing to allow more granular permissions #1358

Open
tionis opened this issue Jan 11, 2024 · 11 comments
Open

Improve sandboxing to allow more granular permissions #1358

tionis opened this issue Jan 11, 2024 · 11 comments

Comments

@tionis
Copy link
Contributor

tionis commented Jan 11, 2024

I'd like the sandbox (or a similar command that's more powerful, perhaps called sandcastle 😜 ) to support limiting network connections per host and file operations per path (also restrict to read, write or read/write etc.)
I might work on this when I find some time, but I wanted to create this issue to track ideas around this.
To summarize, the following features could be added to sandbox:

  • allow specifying a list of allowed paths for sandboxing (directories allow implicit access to all files in them)
  • allow limiting file access by capability (read, read/write etc.)
  • allow specifying a list of allowed hosts for networking connections during sandboxing (subdomains might be allowed or not based on input)
  • these lists could also be replaced by a peg to allow users to specify more complicated patterns (this would of course carry a performance penalty)
@iacore
Copy link
Contributor

iacore commented Jan 11, 2024

sandboxing is a task that should be done by the operating system.

@sogaiu
Copy link
Contributor

sogaiu commented Jan 11, 2024

At least some of what is proposed seems like reasonable extensions to the existing sandbox function.


On a side note, as an example of a concrete use case, the sandbox feature was already put to good use by @AlecTroemel in the Janet support for TIC-80 to improve the security situation. See this PR if interested.

@tionis
Copy link
Contributor Author

tionis commented Jan 14, 2024

I'm mainly interested in laying some groundwork for a more granular permission model so that it could maybe later be also exposed in janet's cli.
I'm mainly inspired by deno's permission model and think that janet's good fit for scripting could benefit from that.

@amano-kenji
Copy link
Contributor

amano-kenji commented Jan 22, 2024

Janet's own sandboxing should not conflict with external sandboxing by things like firejail, SELinux, and apparmor.

If janet does its own sandboxing, I want to impose more restrictions through firejail and apparmor.

@amano-kenji
Copy link
Contributor

I'm worried that granular internal sandboxing will make janet bloated....

@amano-kenji
Copy link
Contributor

Whitelisting approach will force janet to carry lists of common whitelisted paths. Apparmor and firejail carry such lists.

Even apparmor can't block outgoing network connections by hostname. I don't know whether SELinux can do that.

Apparmor can allow unix domain sockets by paths. It can't allow network connections by IP addresses or hosts.

@amano-kenji
Copy link
Contributor

amano-kenji commented Jan 22, 2024

I think this is the kind of thing that's best written as an external tool. You could write such a tool in janet and C.

However, I already have firejail and apparmor for that. I don't want to reinvent wheels.

@amano-kenji
Copy link
Contributor

amano-kenji commented Jan 22, 2024

I'm mainly interested in laying some groundwork for a more granular permission model so that it could maybe later be also exposed in janet's cli.

If you want this to be configured in command line options, then you should probably just use firejail or apparmor....

If janet ever does this, only sandboxing API makes sense. Landlock is linux sandboxing API.

You really don't want to specify granular permissions on command line unless command line options are constructed programmatically. You want something like a firejail/apparmor profile for granular permissions.

@amano-kenji
Copy link
Contributor

allow specifying a list of allowed hosts for networking connections during sandboxing (subdomains might be allowed or not based on input)

That's the job of firewall. Even SELinux doesn't block outgoing network connections by hosts or IP addresses.

@amano-kenji
Copy link
Contributor

allow limiting file access by capability (read, read/write etc.)

This is what apparmor does with profiles..... I really don't want to write verbose permissions on command line.....

@amano-kenji
Copy link
Contributor

amano-kenji commented Jan 22, 2024

My assessment is that this is best done as an external janet library that sandboxes a janet function....

Or, it goes into spork... I don't know whether it's possible to sandbox janet.... from within...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants