Plash's chroot+setuid jail

Plash uses a chroot+setuid jail to take away authority from a sandboxed process. A program is launched inside the jail using the run-as-anonymous helper program, which is a setuid root executable (located under /usr/lib/plash). run-as-anonymous can be run by any user.

There are two aspects to the jail:

chroot jailing

The chroot() system call is used to set the process's root directory.

This denies the process access to the rest of the filesystem.

Contents of the jail directory:

The jail is located at "/var/lib/plash-chroot-jail". It is located under /var rather than /usr to satisfy the FHS and Debian policy, because the plash-uid-locks directory must be writable (a consequence of having nested sandboxes). However, it is unusual for /var to contain executables, and on some systems /var might be mounted with the "noexec" flag, which would prevent executables placed inside the jail from running.

Note that chroot() can only be used by root. This restriction exists because of setuid executables: if an unprivileged user could chroot(), they could run a setuid program inside a directory tree containing substituted configuration files or libraries.

setuid jailing

run-as-anonymous allocates an unused user ID and switches the process to it using setuid(), setgid(), etc.

This denies the process the ability to send signals to processes outside the sandbox and to attach to them using ptrace() (which would otherwise allow it to take control of those processes).

run-as-anonymous uses the "plash-uid-locks" directory to keep track of what UIDs have been allocated. This directory is located inside the jail so that run-as-anonymous can be run inside the jail, allowing nested sandboxes.

Reclaiming unused UIDs

This is done by gc-uid-locks (in /usr/lib/plash).
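The following is an added illustration of the mechanism described above (the setuid helper, the lock-directory bookkeeping, and the garbage collection that gc-uid-locks performs); it is not Plash's own source code. The jail path is taken from this page, but the UID range, the function names and the lock-file naming scheme are assumptions made for the example.

```c
/* Added example (not Plash's source): a minimal run-as-anonymous style helper,
 * lock-file UID allocation, and a gc-uid-locks style reclaimer.  Linux-only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define JAIL_DIR     "/var/lib/plash-chroot-jail"  /* from the page */
#define LOCK_SUBDIR  "plash-uid-locks"             /* lives inside the jail */
#define UID_RANGE_LO 1048576u   /* assumed: a UID range no real account uses */
#define UID_RANGE_HI 1052671u

/* Reserve an unused UID by atomically creating "<lockdir>/<uid>".
 * O_CREAT|O_EXCL makes the reservation race-free across concurrent launches.
 * Returns the UID, or (uid_t)-1 if the range is exhausted or on error. */
uid_t allocate_uid_lock(const char *lockdir, uid_t lo, uid_t hi) {
    char path[PATH_MAX];
    for (uid_t uid = lo; uid <= hi; uid++) {
        snprintf(path, sizeof path, "%s/%u", lockdir, (unsigned)uid);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) { close(fd); return uid; }
        if (errno != EEXIST) return (uid_t)-1;   /* a real error, not "taken" */
    }
    return (uid_t)-1;
}

/* Does any live process run with this real UID?  Scans the "Uid:" line of
 * every /proc/<pid>/status.  If /proc is unreadable, answer "yes" so that a
 * lock is never reclaimed on incomplete information. */
int uid_in_use(uid_t uid) {
    DIR *d = opendir("/proc");
    if (!d) return 1;
    struct dirent *e;
    int found = 0;
    while (!found && (e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;
        char path[64];
        snprintf(path, sizeof path, "/proc/%s/status", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        char line[256];
        unsigned ruid;
        while (fgets(line, sizeof line, f))
            if (sscanf(line, "Uid: %u", &ruid) == 1) { found = (ruid == uid); break; }
        fclose(f);
    }
    closedir(d);
    return found;
}

/* gc-uid-locks analogue: delete lock files whose UID has no live process.
 * Returns the number of locks reclaimed, or -1 if the directory is unreadable. */
int gc_uid_locks(const char *lockdir) {
    DIR *d = opendir(lockdir);
    if (!d) return -1;
    int reclaimed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        unsigned long uid = strtoul(e->d_name, &end, 10);
        if (e->d_name[0] == '\0' || *end != '\0') continue;  /* not a lock file */
        if (uid_in_use((uid_t)uid)) continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", lockdir, e->d_name);
        if (unlink(path) == 0) reclaimed++;
    }
    closedir(d);
    return reclaimed;
}

/* Drop privilege in the one safe order: supplementary groups, then GID, then
 * UID (after setuid() succeeds the process can no longer change its groups).
 * Finally confirm that root cannot be regained.  Returns 0 on success. */
int drop_to_anonymous(uid_t uid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid((gid_t)uid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* the drop did not stick */
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args...]\n", argv[0]); return 2; }
    /* chroot() requires root, which the setuid bit on this helper supplies;
     * chdir("/") afterwards so the cwd does not point outside the new root. */
    if (chroot(JAIL_DIR) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    /* The lock directory is inside the jail, so it stays reachable after chroot(). */
    uid_t uid = allocate_uid_lock("/" LOCK_SUBDIR, UID_RANGE_LO, UID_RANGE_HI);
    if (uid == (uid_t)-1) { fprintf(stderr, "no free UID\n"); return 1; }
    if (drop_to_anonymous(uid) != 0) { perror("drop privileges"); return 1; }
    execv(argv[1], argv + 1);
    perror("execv");
    return 1;
}
```

The allocation and reclaim functions can be exercised unprivileged against any scratch directory; only main() needs the setuid-root bit, because chroot() is root-only. Note that a lock file records only that a UID was handed out, so gc_uid_locks must consult the live process table before removing one; a UID that is still running a sandboxed process must never be reissued to a different sandbox, since that would restore exactly the signal and ptrace() access the jail is meant to deny.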

Limitations

The current system based on chroot+setuid has a number of limitations:

PtraceJail is planned as a replacement/alternative mechanism.

ChrootSetuidJail (last edited 2007-02-04 17:39:28 by MarkSeaborn)