[sf-lug] chroot(2): Re: Sandboxing Zoom (etc.)

Akkana Peck akkana at shallowsky.com
Sat Jun 13 09:40:05 PDT 2020


I wrote:
> > https://github.com/akkana/scripts/blob/master/dirsneeded.py

Michael Paoli writes:
> Cool.  Could even potentially build upon that with additional
> programs/programming and/or options.  E.g.:

Great list!
Some, I think, are outside the domain of this script and more
part of an extensive test plan that could incorporate other scripts.
But I'll definitely add at least some of them, like:

>   o for anything where access attempt is made in chroot and fails,
>     at least by default, only consider it something to possibly be added
>     to chroot if that something exists outside the chroot

Right! I should also note if it failed in the non-chroot.

>   o for all opens and the like, track if it's opened for read, or
>     write/append, or both, and furthermore also track if it's only
>     read, or only written / appended to
>   o track directories accessed, and if merely accessed, or if also
>     read.  Likewise, divide and conquer, do any tests fail if read
>     access is removed, likewise to then have x removed, or directory
>     removed.

I'll definitely add those, excellent points!

> Maybe out there somewhere, there's already software that handles much or
> all of this?

You'd think! But last time I googled on setting up a chroot I
didn't find much about how to figure out what needs to be in it.
Which doesn't mean it doesn't exist, of course.

The teams who develop apps like docker, firejail, snap etc. surely
must have some way of testing this sort of thing. I haven't tried
looking at those projects' testing frameworks.

> Could also have option to, rather than go for tightest security, go for
> "most like non-chroot" - bringing into chroot all it tries to access
> that exists outside chroot - and with all the same ownerships,
> permissions, etc., and not trying to minimize stuff in, e.g.

When I first started writing the script, my plan was to find the
minimal set of directories needed, e.g. if it accesses
/usr/lib/foo.so and /usr/lib/bar.so then just list /usr/lib. I did
some interesting reading about the Longest Common Substring Problem
before realizing my plan was stupid: the limit of this logic is
"always include everything under /". So now it lists all the files
and the user can decide what to include in the chroot.

        ...Akkana
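As an added illustration of the checks discussed above (not Akkana's dirsneeded.py, nor anything posted in this thread): parse constructed strace output from a run on the host and a run inside the candidate chroot, record the read/write mode used on each path, and list only the paths that opened fine on the host but failed under the chroot. The trace lines, the host/chroot pairing and all function names are assumptions.

```python
# Added example, not Akkana's dirsneeded.py: classify open()/openat() calls in
# strace output for chroot planning. Assumes the program was traced (strace -f)
# once on the host and once inside the candidate chroot, with the same workload.
import re
from dataclasses import dataclass, field
OPEN_RE = re.compile(r'(?:\[pid\s+\d+\]\s+)?open(?:at)?\((?:AT_FDCWD, )?'
                     r'"([^"]+)", ([A-Z_|0-9]+)(?:, 0[0-7]+)?\)\s*=\s*(-?\d+)')
OUTSIDE_TRACE = [  # constructed sample, run on the host
    'openat(AT_FDCWD, "/usr/lib/foo.so", O_RDONLY|O_CLOEXEC) = 3',
    'openat(AT_FDCWD, "/usr/lib/bar.so", O_RDONLY|O_CLOEXEC) = 4',
    'openat(AT_FDCWD, "/etc/optional.conf", O_RDONLY) = -1 ENOENT (No such file or directory)',
    '[pid  4242] openat(AT_FDCWD, "/tmp/app.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 5',
]
INSIDE_TRACE = [  # constructed sample, same workload under the chroot
    'openat(AT_FDCWD, "/usr/lib/foo.so", O_RDONLY|O_CLOEXEC) = 3',
    'openat(AT_FDCWD, "/usr/lib/bar.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)',
    'openat(AT_FDCWD, "/etc/optional.conf", O_RDONLY) = -1 ENOENT (No such file or directory)',
    '[pid  4242] openat(AT_FDCWD, "/tmp/app.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = -1 ENOENT (No such file or directory)',
]
@dataclass
class Access:
    modes: set = field(default_factory=set)  # subset of {"read", "write"}
    ok: int = 0                              # opens that returned an fd
    failed: int = 0                          # opens that returned -1

def mode_of(flags):
    """Access mode from the flags; O_RDONLY is 0, so strace prints it explicitly."""
    f = set(flags.split("|"))
    return {"read", "write"} if "O_RDWR" in f else {"write"} if "O_WRONLY" in f else {"read"}

def parse_trace(lines):
    """Return {path: Access}, aggregated over every open/openat in the trace."""
    seen = {}
    for line in lines:
        m = OPEN_RE.search(line)
        if m:
            rec = seen.setdefault(m.group(1), Access())
            rec.modes |= mode_of(m.group(2))
            if int(m.group(3)) < 0:
                rec.failed += 1
            else:
                rec.ok += 1
    return seen

def chroot_candidates(outside, inside):
    """Paths that always opened fine on the host but failed inside the chroot,
    with the modes used, so the user can decide what to copy in. Paths that
    failed on the host too are dropped: the program tolerates their absence."""
    out, ins = parse_trace(outside), parse_trace(inside)
    return {p: sorted(out[p].modes) for p, r in ins.items()
            if r.failed and p in out and out[p].ok and not out[p].failed}
```

Feed it real `strace -f -e trace=open,openat` output from both runs to get the list of files the chroot is missing, with a read/write mode beside each so writes can be reviewed separately.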
