App-EvalServerAdvanced
4 results

 view release on metacpan or  search on metacpan

README.pod  view on Meta::CPAN 

=head1 USE

You're going to want to review at least the source of L<App::EvalServerAdvanced::Sandbox> and L<App::EvalServerAdvanced::Seccomp>.
These two modules are responsible for most of the security features of the whole system.  Familiarity with them is HIGHLY recommended.

Included in this dist is a command L<esa-makesandbox> that will create a skeleton for a sandbox for you with my opinionated recommendations.

=head1 SECURITY

This system exercises a series of defense in depth measures.  However they are not perfect.
If a kernel level exploit exists to get higher privileges (Dirty COW is a good example), it could be used to write to any bind mounted directory.

My recommendations for extra protection are to use a copy of a running system in the sandbox, and not actually use the /lib64 directories from the existing system.
This wouldn't prevent someone from leaving something behind, but would prevent it from being accessed accidentally from the original system.

Take a look at something like C<debootstrap> to create a skeleton debian based system to use in the sandbox.

=head1 WARRANTY

There is none.  You use this at your own risk.  It is opinionated
about what is secure, but it probably isn't secure.  This software

lib/App/EvalServerAdvanced.pm  view on Meta::CPAN 

=head1 USE

You're going to want to review at least the source of L<App::EvalServerAdvanced::Sandbox> and L<App::EvalServerAdvanced::Seccomp>.
These two modules are responsible for most of the security features of the whole system.  Familiarity with them is HIGHLY recommended.

Included in this dist is a command L<esa-makesandbox> that will create a skeleton for a sandbox for you with my opinionated recommendations.

=head1 SECURITY

This system exercises a series of defense in depth measures.  However they are not perfect.
If a kernel level exploit exists to get higher privileges (Dirty COW is a good example), it could be used to write to any bind mounted directory.

My recommendations for extra protection are to use a copy of a running system in the sandbox, and not actually use the /lib64 directories from the existing system.
This wouldn't prevent someone from leaving something behind, but would prevent it from being accessed accidentally from the original system.

Take a look at something like C<debootstrap> to create a skeleton debian based system to use in the sandbox.

=head1 WARRANTY

There is none.  You use this at your own risk.  It is opinionated
about what is secure, but it probably isn't secure.  This software

lib/App/EvalServerAdvanced/Sandbox.pm  view on Meta::CPAN 


  chmod(0555, $work_path); # have to fix permissions on the new / or nobody can do anything!

  unless ($seccomp) {
    App::EvalServerAdvanced::Sandbox::Internal->load_plugins();
    $seccomp = App::EvalServerAdvanced::Seccomp->new();
    $seccomp->load_yaml(config->sandbox->seccomp->yaml); # TODO allow multiple yamls
    $seccomp->build_seccomp;
  }

  my @binds = config->sandbox->bind_mounts->@*;

  # Setup SECCOMP for us
  my $lang_config = config->language->$language;
  die "Language $language not configured." unless $lang_config;

  my $profile = $lang_config->seccomp_profile // "default";

	# Get the nobody uid before we chroot, namespace and do other funky stuff.
	my $nobody_uid = getpwnam("nobody");
	die "Error, can't find a uid for 'nobody'. Replace with someone who exists" unless $nobody_uid;

lib/App/EvalServerAdvanced/Sandbox.pm  view on Meta::CPAN 

    mount("tmpfs", $work_path, "tmpfs", 0, {size => $tmpfs_size});
    mount("tmpfs", $work_path, "tmpfs", MS_PRIVATE, {size => $tmpfs_size});

    path($jail_path)->mkpath();
    # put this all in a tmpfs, so that we don't pollute anywhere if possible.  TODO this should be overlayfs!
    path("$work_path/tmp/.overlayfs")->mkpath();
    # setup /tmp
    path($jail_tmp)->mkpath;

    umask(0);
    for my $bind (@binds) {
      my $src = _rel2abs($bind->{src});
      my $target = $bind->{target};

      if ($target eq config->sandbox->home_dir) {
        # We need to use overlayfs to bring the homedir in, so it's writable inside
        # without being writable to the outside

        $target = $work_path . "/home";
      } else {
        $target = $jail_path . $target;
      }

skel-sandbox/etc/config.toml  view on Meta::CPAN 

[sandbox]
# Relative paths are turned to absolute ONLY by using the mount_base path
# target path's are absolute and only exist in the sandbox
home_dir = "/eval"
mount_base = "/path/to/system"
plugin_base = "/path/to/plugins" # TODO is this good?
plugins = ["Perlbot", "PerlbotEggs"]

# Be careful with these, if you mount stuff under an existing directory on your
# system a directory will be created there in order to facilitate the private
# bind mount.  This is part of why I recommend using debootstrap or similar
# To create a shadow system for the evalserver

bind_mounts = [
	{src = "lib64",           target = "/lib64"},
	{src = "lib",             target = "/lib"},
	{src = "usr/lib",         target = "/usr/lib"},
	{src = "usr/bin",         target = "/usr/bin"},
	{src = "opt/perlbrew/",   target = "/opt/perlbrew/"},
]

[sandbox.seccomp]
yaml = "etc/seccomp.yml"



( run in 1.176 second using v1.01-cache-2.11-cpan-2398b32b56e )