NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FreeBSD Security> 2007-08

Jailed X applications

From: mal content (artifact.onegooglemail.com)
Date: Fri Aug 17 2007 - 00:10:39 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello.

Has anyone here ever successfully set up a jail for X apps, connecting
to an external X server? I'm trying an experimental sandbox setup here.
I have a jail running on an aliased IP on my local machine and X
programs connect out of the jail to my local X server via an SSH
tunneled TCP connection. All other packets to and from the jail are
denied by the packet filter. The trouble I am having is that many
applications (all X apps so far and a few of the SSH tools) try to open
and read from /dev/tty, which clearly isn't going to happen:

96950 xterm RET sigprocmask 0
96950 xterm CALL open(0x807bdfc,0x2,0xbfbfe458)
96950 xterm NAMI "/dev/tty"
96950 xterm RET open -1 errno 16 Device busy
96950 xterm CALL setitimer(0,0xbfbfe380,0xbfbfe370)
96950 xterm RET setitimer 0
96950 xterm CALL sigaction(0xe,0xbfbfe360,0xbfbfe340)
96950 xterm RET sigaction 0
96950 xterm CALL write(0x2,0xbfbfdd70,0x1b)
96950 xterm GIO fd 2 wrote 27 bytes
       "xterm: Error 14, errno 16: "
96950 xterm RET write 27/0x1b
96950 xterm CALL write(0x2,0xbfbfdd80,0xc)
96950 xterm GIO fd 2 wrote 12 bytes
       "Device busy
       "
96950 xterm RET write 12/0xc
96950 xterm CALL write(0x2,0xbfbfdd80,0x29)
96950 xterm GIO fd 2 wrote 41 bytes
       "Reason: spawn: open() failed on /dev/tty
       "
96950 xterm RET write 41/0x29
96950 xterm CALL close(0)
96950 xterm RET close 0
96950 xterm CALL chown(0x808f000,0,0)

I am seeing successful connections from the jail to my X server,
a white window is drawn where the X client will be spawned but this
flashes out of existence as soon as the above error is encountered.

<wishful thinking>
I'd love a TrustedBSD based sandboxing tool.
</wishful thinking>

Any ideas would be appreciated.
MC
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]