App-EvalServerAdvanced
These two modules are responsible for most of the security features of the whole system. Familiarity with them is HIGHLY recommended.
Included in this dist is a command L<esa-makesandbox> that will create a skeleton for a sandbox for you with my opinionated recommendations.
=head1 SECURITY
This system exercises a series of defense-in-depth measures. However, they are not perfect.
If a kernel-level privilege escalation exploit exists (Dirty COW is a good example), it could be used to write to any bind-mounted directory.
My recommendation for extra protection is to use a copy of a running system inside the sandbox, rather than bind-mounting the /lib64 directories of the existing system.
This wouldn't prevent someone from leaving something behind, but it would prevent whatever they leave from being accessed accidentally from the original system.
Take a look at something like C<debootstrap> to create a skeleton Debian-based system to use in the sandbox.
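The check a practitioner would want for the bind-mount risk described above, as an added example in Python (not code from App::EvalServerAdvanced): it parses the /proc/<pid>/mountinfo format and reports mounts inside a sandbox root whose source is a host system directory, rating writable ones as high severity. The HOST_SYSTEM_DIRS list, the sample mountinfo lines and the /srv/sandbox path are constructed assumptions.

```python
"""Added example, not code from App::EvalServerAdvanced: audit a sandbox root
for bind mounts taken from host system directories, using the format of
/proc/<pid>/mountinfo. Directory names and sample lines are constructed."""
import re

# Host directories that should not be bind-mounted into the sandbox, and never
# writable: a kernel bug such as Dirty COW lets a sandboxed process write
# through a bind mount, and the host would then run whatever was left behind.
HOST_SYSTEM_DIRS = ("/lib", "/lib32", "/lib64", "/usr", "/bin", "/sbin", "/etc")


def _unescape(field):
    """mountinfo encodes space, tab, newline and backslash as octal (\\040 etc.)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts.
    Before ' - ': id parent major:minor root mountpoint options [optional...]
    After  ' - ': fstype source superoptions"""
    entries = []
    for line in text.splitlines():
        head, sep, tail = line.partition(" - ")
        hf, tf = head.split(), tail.split()
        if not sep or len(hf) < 6 or len(tf) < 3:
            continue  # blank or malformed line
        entries.append({
            # for a bind mount of the host root fs this is the host path it came from
            "root": _unescape(hf[3]),
            "mountpoint": _unescape(hf[4]),
            "options": hf[5].split(","),
            "fstype": tf[0],
            "source": _unescape(tf[1]),
        })
    return entries


def _under(path, root):
    """True if path equals root or lies below it."""
    root = root.rstrip("/")
    if not root:
        return True
    return path == root or path.startswith(root + "/")


def audit_sandbox_mounts(text, sandbox_root):
    """Report mounts inside sandbox_root whose source is a host system directory.
    Heuristic: it only sees binds taken from the same filesystem as the host
    root; a host /usr on its own filesystem shows root '/' and is not flagged."""
    findings = []
    for e in parse_mountinfo(text):
        if not _under(e["mountpoint"], sandbox_root):
            continue
        if not any(_under(e["root"], d) for d in HOST_SYSTEM_DIRS):
            continue
        writable = "rw" in e["options"]
        findings.append({
            "mountpoint": e["mountpoint"],
            "host_path": e["root"],
            "writable": writable,
            "severity": "high" if writable else "info",
        })
    return findings


# Constructed sample: host root, a writable bind of host /lib64, a read-only
# bind of host /usr/lib, a private tmpfs and a bind of a non-system directory.
SAMPLE_MOUNTINFO = """\
25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
40 25 8:1 /lib64 /srv/sandbox/lib64 rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
41 25 8:1 /usr/lib /srv/sandbox/usr/lib ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
42 25 0:45 / /srv/sandbox/tmp rw,nosuid,nodev - tmpfs tmpfs rw
43 25 8:1 /home/user/data /srv/sandbox/data rw,relatime - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    for f in audit_sandbox_mounts(SAMPLE_MOUNTINFO, "/srv/sandbox"):
        print(f"{f['severity']:4} {f['mountpoint']} <- host {f['host_path']}"
              f" ({'rw' if f['writable'] else 'ro'})")
```

To run it against a live system, pass the contents of /proc/self/mountinfo (read from the sandbox's mount namespace) instead of the constructed sample. A root built with debootstrap shows up as ordinary directories or a separate filesystem and produces no findings, which is the state the recommendation above aims for.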
=head1 WARRANTY
There is none. You use this at your own risk. It is opinionated
about what is secure, but it probably isn't secure. This software
will result in the hacking of everyone around you.
=head1 TODO
lib/App/EvalServerAdvanced.pm
lib/App/EvalServerAdvanced/Seccomp.pm
Also supported are automatically permuted values, written as a string like '{{ open_modes }}'. In this case all possible values are pre-generated and substituted into the rule, so that any valid combination of flags for that syscall argument is allowed.
=back
=back
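What the '{{ open_modes }}' pre-generation amounts to, as an added Python example (not code from App::EvalServerAdvanced; its actual rule format is not shown on this page, so the rule dict layout here is an assumption): every valid open(2) flag combination is enumerated, and a rule holding the placeholder is expanded into one rule per concrete value.

```python
"""Added example, not code from App::EvalServerAdvanced: expand a
'{{ open_modes }}'-style placeholder in a seccomp rule into every valid
combination of open(2) flags. The rule dict layout is an assumption."""
import copy
import os
import re
from itertools import combinations

# open(2) takes exactly one access mode...
ACCESS_MODES = {"O_RDONLY": os.O_RDONLY, "O_WRONLY": os.O_WRONLY, "O_RDWR": os.O_RDWR}
# ...OR'ed with any subset of these flags (a deliberately small, constructed set).
EXTRA_FLAGS = {"O_CREAT": os.O_CREAT, "O_TRUNC": os.O_TRUNC, "O_APPEND": os.O_APPEND,
               "O_EXCL": os.O_EXCL, "O_NONBLOCK": os.O_NONBLOCK}


def open_modes():
    """Every 'one access mode | any subset of EXTRA_FLAGS' value, deduplicated and sorted.
    Values with two access modes set (e.g. O_WRONLY|O_RDWR) are never produced."""
    extras = list(EXTRA_FLAGS.values())
    values = set()
    for mode in ACCESS_MODES.values():
        for n in range(len(extras) + 1):
            for subset in combinations(extras, n):
                v = mode
                for flag in subset:
                    v |= flag
                values.add(v)
    return sorted(values)


# placeholder name -> generator; '{{ open_modes }}' in a rule refers to 'open_modes'
PLACEHOLDERS = {"open_modes": open_modes}
_PLACEHOLDER_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def placeholder_name(value):
    """Return the name inside a '{{ name }}' string, or None for anything else."""
    if not isinstance(value, str):
        return None
    m = _PLACEHOLDER_RE.fullmatch(value.strip())
    return m.group(1) if m else None


def expand_rule(rule):
    """Return one rule per concrete value for every placeholder argument.
    rule (assumed layout): {'syscall': str,
                            'args': [{'index': int, 'op': str, 'value': int | str}, ...]}
    Two placeholder arguments give the Cartesian product; an unknown name raises."""
    expanded = [rule]
    for pos, arg in enumerate(rule["args"]):
        name = placeholder_name(arg["value"])
        if name is None:
            continue
        if name not in PLACEHOLDERS:
            raise ValueError(f"unknown placeholder {arg['value']!r}")
        concrete = PLACEHOLDERS[name]()
        next_rules = []
        for r in expanded:
            for v in concrete:
                nr = copy.deepcopy(r)
                nr["args"][pos]["value"] = v
                next_rules.append(nr)
        expanded = next_rules
    return expanded


if __name__ == "__main__":
    # constructed rule: allow open(2) only when its flags argument is a valid mode
    rule = {"syscall": "open", "args": [{"index": 1, "op": "==", "value": "{{ open_modes }}"}]}
    rules = expand_rule(rule)
    print(f"{len(rules)} concrete rules, first: {rules[0]}")
```

Because a seccomp argument comparison is a plain equality here, the filter ends up with one rule per combination; that is why the values are enumerated up front rather than compared one flag at a time.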
=head1 SECURITY
This is an exercise in defense in depth. The default rulesets
provide some protection against accidentally running known-dangerous syscalls.
This does not provide absolute security. It relies on the allowed syscalls
being likely to be safe, or commonly required for normal programs to function properly.
In particular, two allowed syscalls are involved in the Dirty COW
kernel exploit: C<madvise> and C<mmap>. With these two you can actually trigger the Dirty COW
exploit, but because the default rules stop you from creating threads, you can't set up the race
condition needed to actually accomplish it. So you should still take
other measures to protect yourself.
lib/App/EvalServerAdvanced/Seccomp/Plugin/Constants/POSIX.pm
  package App::EvalServerAdvanced::Seccomp::Plugin::Constants::POSIX;
  use strict;
  use warnings;
  use v5.24; # postfix dereference (->@*) below needs 5.24 or later
  use POSIX ();
  use Function::Parameters;

  method init_plugin($class: $seccomp) {
      POSIX::load_imports(); # make the POSIX module calculate its imports (fills %POSIX::EXPORT_TAGS)
      # every ALL_CAPS name in any export tag is a candidate constant
      my @consts = grep { /^[A-Z0-9_]+$/ } map {; $POSIX::EXPORT_TAGS{$_}->@* } keys %POSIX::EXPORT_TAGS;
      for my $name (@consts) {
          eval { # hide anything that isn't an actual constant that we got accidentally
              no warnings;
              my $value = POSIX->can($name)->();
              if (defined($value)) {
                  # print "$name => $value\n";
                  $seccomp->constants->add_constant($name, $value);
              }
          };
      }
  }

  1;