minijail threat model, ld_preload and T=static


John Smith

Sep 8, 2020, 8:57:03 AM
to minijail
Greetings.

I seek some clarification.

minijail in general assumes the threat model where an executable is initially trusted but can be exploited and become untrusted. That is my understanding after seeing LD_PRELOAD being used.

However, in the event that one wishes to assume the executable itself is of minimal trustworthiness, would it be correct to be using T=static and assume that you get the same level of security as other sandboxing applications such as bubblewrap, nsjail, etc.?

Additionally, my understanding behind the rationale for using LD_PRELOAD is the ability to more accurately target system calls for seccomp (forbid syscalls used by a libc after they are used at the start) and not having to use ambient capabilities. Are there any other benefits that arise?

Thank you.

Jorge Lucangeli Obes

Sep 8, 2020, 9:01:24 AM
to John Smith, minijail
On Tue, Sep 8, 2020 at 8:57 AM John Smith <ding...@gmail.com> wrote:
> Greetings.
>
> I seek some clarification.
>
> minijail in general assumes the threat model where an executable is initially trusted but can be exploited and become untrusted. That is my understanding after seeing LD_PRELOAD being used.

Correct.

> However, in the event that one wishes to assume the executable itself is of minimal trustworthiness, would it be correct to be using T=static and assume that you get the same level of security as other sandboxing applications such as bubblewrap, nsjail, etc.?

I wouldn't use the phrase "the same level of security" in the abstract, since this will actually depend on which configuration options one applies, but from the perspective of your question the answer is yes, using -T=static will have all the selected sandboxing measures applied before execve(2) on the executable is called.

> Additionally, my understanding behind the rationale for using LD_PRELOAD is the ability to more accurately target system calls for seccomp (forbid syscalls used by a libc after they are used at the start) and not having to use ambient capabilities. Are there any other benefits that arise?

Those are the main two. And realistically I don't know why one would avoid using ambient capabilities, so from my perspective the seccomp angle is the main one.

Cheers,
Jorge

> Thank you.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/minijail/6e522f4d-3a2b-437b-8612-e466523fb187n%40chromium.org.
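An added illustration of the ordering Jorge describes for the static case, written here for this thread and not taken from minijail itself: the seccomp-bpf filter is installed in the launcher before execve(2) and is inherited across it, which is why the policy has to allow execve and everything the new program does at startup, and why the LD_PRELOAD route can be more precise. The allow-list, the syscall numbers chosen and the tiny evaluator are this example's own constructions.

```c
// Added example, not minijail's code: the "-T static" ordering done by hand
// with raw seccomp-bpf. The filter goes in before execve(2) and survives it,
// so the policy must allow execve plus whatever the new program needs early on.
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifdef __aarch64__
#define MY_ARCH AUDIT_ARCH_AARCH64
#else
#define MY_ARCH AUDIT_ARCH_X86_64
#endif
/* One JEQ/RET pair per allowed syscall; anything unmatched falls through to KILL. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Constructed allow-list: execve plus the bare minimum for a tiny static program. */
static const struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, MY_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),          /* wrong ABI: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(SYS_execve), ALLOW(SYS_write), ALLOW(SYS_exit), ALLOW(SYS_exit_group),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
#define POLICY_LEN (sizeof(policy) / sizeof(policy[0]))

/* Tiny evaluator for the three opcodes used above, so a policy can be checked
 * before installing it: returns the SECCOMP_RET_* value the kernel would pick. */
static unsigned decide(const struct sock_filter *f, size_t n, unsigned arch, unsigned nr) {
    unsigned acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS)) acc = (f[pc].k == offsetof(struct seccomp_data, arch)) ? arch : nr;
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
        else if (f[pc].code == (BPF_RET | BPF_K)) return f[pc].k;
    }
    return SECCOMP_RET_KILL;  /* ran off the end; not reachable for a well-formed filter */
}

/* Static-style launch: no_new_privs and the filter go in first, execve second.
 * Drop SYS_execve from the allow-list and the launcher itself dies on execv(). */
static int sandbox_then_exec(char *const argv[]) {
    struct sock_fprog prog = { .len = POLICY_LEN, .filter = (struct sock_filter *)policy };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) return -1;
    execv(argv[0], argv);
    return -1;  /* only reached if execve itself failed */
}
```

Call sandbox_then_exec() with the argv of a statically linked target from a main() of your own; a dynamically linked target would need ld.so's startup syscalls (openat, mmap, and so on) added to the allow-list as well, which is the precision cost the LD_PRELOAD approach avoids.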