User sandbox with DSSP5 for Fedora - DefenSec/dssp5 Wiki

Original URL: https://github.com/DefenSec/dssp5/wiki/User-sandbox-with-DSSP5-for-Fedora
mkdir -p ~/.bashrc.d && echo "alias sandbox='systemd-run --user --quiet --collect --pipe -p SELinuxContext=$(secon -u):$(secon -r):user.sandbox.subj:s0'" > ~/.bashrc.d/sandbox.conf
source ~/.bashrc.d/sandbox.conf

The user.sandbox.subj domain is a subset of the user.subj domain. A type bounds rule helps to ensure that the permissions associated with user.sandbox.subj never exceed those associated with user.subj.

Unlike the user.subj shell domain, the user.sandbox.subj domain is not allowed to transition elsewhere and is currently allowed only to execute generic commands, scripts and shells, though that may change in the future. The domain has no access to user content files, except for files of type exec.home.file or lib.home.file (usually located in ~/.local/bin or ~/.local/lib) and files whose descriptor is inherited, the latter only if the file is a generic file; that too may change in the future.

The domain is very strict, but you should be able to use it to execute relatively simple scripts or to open a limited shell to operate in.

Can only see processes in sandboxes:

[kcinimod@<host> ~]$ sandbox ps axZ
LABEL                                    PID TTY      STAT   TIME COMMAND
-                                       1245 ?        Ss     0:04 /usr/lib/systemd/systemd --user
wheel.id:wheel.role:user.sandbox.subj:s0 1568156 ?    Rs     0:00 /usr/bin/ps axZ

No access to read user home directory:

[kcinimod@<host> ~]$ sandbox ls
/usr/bin/ls: cannot open directory '.': Permission denied

Except for user scripts and libraries:

[kcinimod@<host> ~]$ echo -e '#!/bin/bash\necho "hello world from `id -Z`"' > ~/.local/bin/mytest && chmod +x ~/.local/bin/mytest && sandbox ~/.local/bin/mytest
hello world from wheel.id:wheel.role:user.sandbox.subj:s0

Can only read user.home.file if file descriptor is inherited:

[kcinimod@<host> ~]$ echo -e 'one\ntwo\nthree\n' > ~/mytest
[kcinimod@<host> ~]$ sandbox grep three ~/mytest
/usr/bin/grep: /home/kcinimod/mytest: Permission denied
[kcinimod@<host> ~]$ sandbox grep three <~/mytest
three

Can write user.tmp.file if file descriptor is inherited:

[kcinimod@<host> ~]$ echo -e 'one\ntwo\nthree\n' > /tmp/mytest
[kcinimod@<host> ~]$ sandbox cat /tmp/mytest
/usr/bin/cat: /tmp/mytest: Permission denied
[kcinimod@<host> ~]$ sandbox sh -c 'echo four' >>/tmp/mytest
[kcinimod@<host> ~]$ cat /tmp/mytest
one
two
three
four

Open a shell in sandbox:

[kcinimod@<host> ~]$ sandbox -S
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
bash: /home/kcinimod/.bashrc: Permission denied
bash-5.1$

DSSP5 would not be DSSP5 if it did not provide an easy way to create custom sandboxes. Create a new sandbox type called othersandbox.subj, based on user.sandbox.subj, that additionally has permission to read ~/.bashrc:

[kcinimod@<host> ~]$ echo '(in wheel (call .othersandbox.role (role)))(in user (call .othersandbox.tmp.manage_file_files (subj))(call .othersandbox.tmp.relabel_file_files (subj))(call .othersandbox.role (role)))(block othersandbox (blockinherit .user.sandbox.agent.template)(call .shellrc.home.read_file_files (subj))) ;; can read shellrc.home.file files' > othersandbox.cil && sudo semodule -i othersandbox.cil
libsemanage.get_home_dirs: Error while fetching users.  Returning list so far.
[kcinimod@<host> ~]$ systemd-run --user --quiet --collect --pipe -p SELinuxContext=$(secon -u):$(secon -r):othersandbox.subj:s0 -S
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
[kcinimod@<host> ~]$ id
uid=1000(kcinimod) gid=1000(kcinimod) groups=1000(kcinimod),10(wheel) context=wheel.id:wheel.role:othersandbox.subj:s0
[kcinimod@<host> ~]$ ls
ls: cannot open directory '.': Permission denied
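The custom-sandbox recipe above can be generalised into a small generator, shown here as an added example that is not part of the DSSP5 wiki or the project's own tooling. It assumes that the three macros the othersandbox module calls (.NAME.role, .NAME.tmp.manage_file_files, .NAME.tmp.relabel_file_files) are provided by the user.sandbox.agent.template for any block name, as they are for othersandbox; installing the result with `sudo semodule -i` is left to the caller so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the DSSP5 wiki): build a CIL module for a sandbox
# domain derived from user.sandbox.subj, following the othersandbox layout.

# gen_sandbox_cil NAME [MACRO...]
# Prints the CIL for block NAME (domain NAME.subj). Each MACRO is an extra
# template macro called with (subj), e.g. .shellrc.home.read_file_files.
gen_sandbox_cil() {
    name=$1; shift
    extra=""
    for macro in "$@"; do
        extra="$extra(call $macro (subj))"
    done
    printf '%s' \
        "(in wheel (call .$name.role (role)))" \
        "(in user (call .$name.tmp.manage_file_files (subj))" \
        "(call .$name.tmp.relabel_file_files (subj))" \
        "(call .$name.role (role)))" \
        "(block $name (blockinherit .user.sandbox.agent.template)$extra)"
}

# cil_balanced TEXT -> succeeds if '(' and ')' counts match; a cheap sanity
# check so a typo in a macro name does not reach semodule.
cil_balanced() {
    open=$(printf '%s' "$1" | tr -cd '(' | wc -c)
    close=$(printf '%s' "$1" | tr -cd ')' | wc -c)
    [ "$open" -eq "$close" ]
}

# write_sandbox_module NAME OUTFILE [MACRO...]
# Writes NAME's CIL to OUTFILE, refusing if the text is unbalanced.
# Install afterwards with: sudo semodule -i OUTFILE
write_sandbox_module() {
    name=$1; out=$2; shift 2
    cil=$(gen_sandbox_cil "$name" "$@")
    cil_balanced "$cil" || { echo "unbalanced CIL for $name" >&2; return 1; }
    printf '%s\n' "$cil" > "$out"
}

# Reproduce the wiki's othersandbox module (hypothetical output path).
write_sandbox_module othersandbox ./othersandbox.cil .shellrc.home.read_file_files
```

The resulting domain is used exactly as on the page, with `-p SELinuxContext=$(secon -u):$(secon -r):othersandbox.subj:s0` passed to systemd-run.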