SyntheticBird45
commented
1 month ago My take is that Cuprate should at the very least implements seccomp_filter (seccomp-bpf).
Open SyntheticBird45 opened 1 month ago
SyntheticBird45
commented
1 month ago My take is that Cuprate should at the very least implements seccomp_filter (seccomp-bpf).
dimalinux
commented
1 month ago Would providing good docker documentation/scripts and possibly even a container as well as telling users not to run as root fall in the scope of this issue? Docker provides seccomp syscall filtering. If filtering is done via docker, end users don't have to trust us developers. With modern compiler features and Rust, injecting syscalls into cuprated is fairly low when ordering attack vectors by viability. If we are worried about 3rd party libraries turning malicious, we'll need to make sure that any security code we run gets executed before any 3rd party code runs.
SyntheticBird45
commented
4 weeks ago Would providing good docker documentation/scripts and possibly even a container as well as telling users not to run as root fall in the scope of this issue? Docker provides seccomp syscall filtering. If filtering is done via docker, end users don't have to trust us developers. With modern compiler features and Rust, injecting syscalls into cuprated is fairly low when ordering attack vectors by viability. If we are worried about 3rd party libraries turning malicious, we'll need to make sure that any security code we run gets executed before any 3rd party code runs.
I doesn't fall into the scope of this issue since it is something external to Cuprate. As explained with Apparmor and SELinux
These are external access control that requires a policy. Cuprate process have no involvements in setting up these access controls methods. An example Apparmor/SELinux policy could be maintained if wished.
I wouldn't be against setting up a script(+ seccomp policy) and documentation file regarding containers (dockers/podman). However, I'm not particularly fan relying exclusively on this method as it forces users to rely on user namespaces for sandboxing, which as explained in its own paragraph:
it is also a trivial way to acquire significantly more kernel attack surface.
I'm part of the paranoid users that disable this kernel feature.
But yeah I'm not against documenting and providing policies for containers. (I will open another issue at some point)
What
This is issue is for discussing sandboxing capabilities built-in Cuprate. It has been a feature proposed at the beginning of the project
Why
Some sandboxing API in operating system requires the running process to setup the jail itself or through the help of a helper. Integrating the use of these API into Cuprate will help at mitigating the damage of a potential bug or exploit if it ever happens, by attempting to enforce a more precise execution of the Principle of least privilege.
How
If available on the platform, Cuprate will use the native OS API to sandbox itself. Cuprate will attempt to restrict iself to only access and interact with the resources it needs (Configuration, database and network) and nothing else.
Linux
Linux have a wide variety of options to enable a process isolation:
Apparmor&SELinux
These are external access control that requires a policy. Cuprate process have no involvements in setting up these access controls methods. An example Apparmor/SELinux policy could be maintained if wished.
SUID helper
Some software have historically made great use of SUID binary to setup new chroot and other kernel namespaces to sandbox their application. This is bad for security:
Additional options
yama_ptracecould apparently be used to mitigate compromised processes from inspecting other processes memory (of the same user).Windows
The only available option is using built-in permissions system in Windows API. See Chromium Windows sandbox architecture
MacOS
There is an available API for Swift and Objective-C program to enable a permission sandbox. However, whether this can be used by other programming languages is unknown.