sozu-proxy / sozu

Sōzu HTTP reverse proxy, configurable at runtime, fast and safe, built in Rust. It is awesome!
https://www.sozu.io/
GNU Affero General Public License v3.0

investigate sandboxing #57

Open Geal opened 7 years ago

Geal commented 7 years ago

In gitlab by @Geal on Jul 25, 2016, 12:55

The Servo project uses https://github.com/servo/gaol and https://github.com/servo/ipc-channel to communicate between the broker and the worker processes.

We could have the main process handle configuration by file system access, and restrict capabilities of the proxy processes (by moving to a multiprocess architecture) as such:

investigate systemd cgroups to limit CPU and RAM usage as well?

Geal commented 7 years ago

In gitlab by @Geal on Jul 25, 2016, 12:55

Changed title from "invaestigate sandboxing" to "investigate sandboxing"

pantsman0 commented 7 years ago

no filesystem access

This is a bit hard, you can use jails on BSD, but the solution for this on linux would probably be SELinux.

Geal commented 7 years ago

@pantsman0 if you know how to achieve this, would you like to contribute a good SELinux policy for sozu?

pantsman0 commented 7 years ago

I'll give it a go over the next week, and if it works I'll add it to PR 181.

SELinux isn't an easy thing to learn, and I've not really delved into it. For systemd, I've written a simple service file, but it doesn't have resource limits defined.

pantsman0 commented 7 years ago

I've built a preliminary SELinux policy, and attached it to PR 181. It still needs testing, as I've only built it through rpmbuild, and I haven't tested it in proper networking environments.
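The thread mentions a systemd service file without resource limits and asks about cgroups for CPU/RAM and about removing filesystem access. The unit below is an added illustration of how those two concerns are expressed with systemd directives; it is not the service file from PR 181 nor anything shipped by the sozu project. The binary path `/usr/local/bin/sozu`, the config path `/etc/sozu/config.toml`, the `sozu start -c` invocation, the `sozu` user/group and the `/run/sozu` socket directory are assumptions for the example.

```ini
# Assumed example unit (not from the sozu project): sandboxed sozu service.
[Unit]
Description=Sozu HTTP reverse proxy (sandboxed example)
After=network-online.target
Wants=network-online.target

[Service]
# Assumed paths and CLI; adjust to the real installation.
ExecStart=/usr/local/bin/sozu start -c /etc/sozu/config.toml
User=sozu
Group=sozu
# Command socket lives here; systemd creates it with the right owner.
RuntimeDirectory=sozu
RuntimeDirectoryMode=0750

# --- cgroup resource limits (the "CPU and RAM" question in the thread) ---
CPUQuota=200%
MemoryMax=1G
TasksMax=256

# --- filesystem confinement (the "no filesystem access" point) ---
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ReadOnlyPaths=/etc/sozu
ReadWritePaths=/run/sozu

# --- privilege reduction ---
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
```

After installing, `systemd-analyze security sozu.service` reports the exposure score and lists which of these hardening directives are in effect, which is a quick way to verify the unit before testing it under real traffic.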