Running an untrusted application on Linux in a sandbox

Question

We have a device running Linux and we need to run untrusted applications on this. We are trying to alleviate the following security concerns -

1. The untrusted application should not be able to adversely affect the core OS data and binaries
2. The untrusted application should not be able to adversely affect another application's data and binaries
3. The untrusted application should not be able consume excessive CPU, memory or disk and cause a DoS/resource starvation like situation to the core OS or the other applications

From the untrusted application standpoint, it only needs to be able to read and write to its own directory and maybe the mounted USB drive

We are thinking of using one of the following approaches -

Approach 1 - Use SELinux as a sandbox

• Is this possible? I have read a bit of SELinux and it looks a bit complicated in terms of setting up a policy file and enforcing it at runtime etc. Can SELinux do this and restrict the untrusted application to just read/write its own directory and also be able to set quota limits?

Approach 2 - Create a new sandbox on our own

• During install time

  • Create a new app user for each untrusted application
  • Stamp the entire application directory and files with permissions so that only the application user can read and write
  • Set quotas for the application user using ulimit/quota

• During run time, launch the untrusted application using

  • Close all open file descriptors/handles
  • Use chroot to set the root to the application directory
  • Launch the application under the context of the application user

Thoughts on the above? Which approach is more secure than the other? Is there another approach that might work out better? We do not have a choice to move Android due to some reasons so we cannot use the sandboxing features that Android provides natively...

Let me know

Thanks,

Answer 1

The SELinux is a set of rules that are applies a bit similar as user rights even more complex. You can use it for each process to set a domain of that process and allow or deny nearly any access. It means access to files, network or processes/threads. That way it can be used as a kind of sandbox. However you have to prepare a rule set for each process or you can make a script that has to be run before sandboxed application to prepare rules itself.

If you want to take control on CPUs consumption, the SELinux has not a CPU planner because any rules have just one of two logical results 'allow' or 'deny' access. I recommend you 'cgroups' to control CPUs consumption.