Update on desktop application sandboxing

So on Saturday I blogged about a piece of code I wrote to easily create containers on a recent Linux desktop. I have now spent a few more hours improving the code a bit with two main new features:

  • Support for turning on/off network access
  • Support for mounting /home as aufs too

sandbox help

The on/off switch for network access is done by putting (or not) the spawned shell in another network namespace. This means that if network is disabled for the container, the software running in the container will only see a loopback device. This loopback device itself is separate from the one available outside the container, so contained software won’t be able to access anything that listens on the loopback interface outside of the container.

I also switched to creating a “mount” directory that’s a tmpfs and which in turn contains the various mount points for the container. This works around the fact that you can’t mount an aufs filesystem in a sub-directory of its base filesystem (or it’d create a loop).

I updated the README in the branch accordingly and added basic getopt support for the two options.

Code can be found in a bzr branch: bzr get lp:~stgraber/+junk/sandbox
Or from: https://code.launchpad.net/~stgraber/+junk/sandbox

Posted in Planet Revolution-Linux, Planet Ubuntu, Sandbox

Desktop application sandboxing with containers

Last weekend, I spent a bit of time improving a set of scripts I developed while at the Ubuntu Developer Summit in Orlando.

This script, now a small C program, is a proof of concept of a desktop application container/sandbox using the same kernel features that LXC (a set of tools to manage containers on Linux) uses.
It basically does the following:

  • Mount your / in a copy-on-write directory using aufs.
  • Mount-bind your /home inside the copy-on-write environment.
  • Switch to another UTS, PID, IPC and NS context (keeping current network namespace)
  • Mount a new /proc in the copy-on-write environment
  • Chroot to the copy-on-write environment and switch user to your current user

At this point, the user will be in what looks like their home directory, though “ps” will only show a single process, making it impossible to list or trace any process running outside this environment. Any change happening on the file system (outside of /home) will be recorded in a “cow” directory and be lost whenever the user exits the chroot.
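The setup sequence listed above, together with the network on/off switch and the tmpfs “mount” directory from the follow-up post, expressed with the raw Linux syscalls. This is an added example, not the sandbox program from the bzr branch: the directory layout (/tmp/sandbox-mount with root/ and cow/ underneath), the SUDO_UID/SUDO_GID handling and the function names are assumptions. It has to run as root on a kernel with aufs; the three helpers at the top are plain functions so the namespace flags, the aufs branch string and the “not on the base filesystem” check can be exercised without privileges.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Namespaces the sandbox leaves: UTS, PID, IPC and mount (the "NS" of the
 * post) always; the network namespace only when network access is switched
 * off, which is what makes the contained shell see only its own loopback. */
unsigned long sandbox_unshare_flags(int disable_network)
{
    unsigned long flags = CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNS;
    if (disable_network)
        flags |= CLONE_NEWNET;
    return flags;
}

/* aufs branch list: a writable "cow" layer stacked on the read-only base.
 * Returns 0, or -1 if the option string does not fit in buf. */
int aufs_options(char *buf, size_t n, const char *cow, const char *base)
{
    int len = snprintf(buf, n, "br=%s=rw:%s=ro", cow, base);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* 1 if both paths are on the same filesystem, 0 if not, -1 on error. aufs
 * refuses a mount point that lives on its own base filesystem, which is why
 * the mount points go on a tmpfs; this check enforces that before mounting. */
int same_filesystem(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev;
}

static void die(const char *what) { perror(what); exit(1); }

/* Full sequence (root only): unshare, build the layered root on a tmpfs,
 * bind /home, mount a fresh /proc, chroot, then drop to the invoking user. */
static int run_sandbox(const char *mount_dir, int disable_network, uid_t uid, gid_t gid)
{
    char root[PATH_MAX], cow[PATH_MAX], home[PATH_MAX], proc[PATH_MAX], opts[2 * PATH_MAX];
    if (unshare((int)sandbox_unshare_flags(disable_network)) != 0)
        die("unshare");
    /* The caller stays in its old PID namespace; only children enter the new one. */
    pid_t child = fork();
    if (child < 0)
        die("fork");
    if (child > 0) {
        int status;
        waitpid(child, &status, 0);
        return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
    }
    /* Keep our mounts from propagating back to the host (shared-root systems). */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        die("make-rprivate");
    mkdir(mount_dir, 0755);
    if (mount("tmpfs", mount_dir, "tmpfs", 0, "mode=0755") != 0)
        die("mount tmpfs");
    snprintf(root, sizeof root, "%s/root", mount_dir);
    snprintf(cow, sizeof cow, "%s/cow", mount_dir);
    mkdir(root, 0755);
    mkdir(cow, 0755);
    if (same_filesystem(root, "/") != 0)
        die("mount dir must not be on the base filesystem");
    if (aufs_options(opts, sizeof opts, cow, "/") != 0 || mount("none", root, "aufs", 0, opts) != 0)
        die("mount aufs");
    snprintf(home, sizeof home, "%s/home", root);
    if (mount("/home", home, NULL, MS_BIND, NULL) != 0)   /* /home is shared, not cow */
        die("bind /home");
    snprintf(proc, sizeof proc, "%s/proc", root);
    if (mount("proc", proc, "proc", 0, NULL) != 0)         /* shows only the new PID ns */
        die("mount proc");
    if (chroot(root) != 0 || chdir("/") != 0)
        die("chroot");
    /* Drop privileges in the safe order: supplementary groups, gid, then uid. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        die("drop privileges");
    execl("/bin/sh", "sh", (char *)NULL);
    die("exec");
    return 1;
}

int main(int argc, char **argv)
{
    int no_net = argc > 1 && strcmp(argv[1], "--no-network") == 0;
    /* Assumed convention: SUDO_UID/SUDO_GID identify the user who ran sudo. */
    const char *u = getenv("SUDO_UID"), *g = getenv("SUDO_GID");
    uid_t uid = u ? (uid_t)atoi(u) : getuid();
    gid_t gid = g ? (gid_t)atoi(g) : getgid();
    return run_sandbox("/tmp/sandbox-mount", no_net, uid, gid);
}
```

Two details worth noting when reading it against the post: unshare(CLONE_NEWPID) does not move the calling process, so the fork is what actually lands the shell in the new PID namespace (and makes the new /proc show a single process); and a freshly created network namespace has its loopback interface present but down, so software inside the container that expects to talk to 127.0.0.1 will need it brought up first.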

Sandbox screenshot

This can be used to install an untrusted application in the chroot, test it, see exactly what it’s modifying on the filesystem without much risk for your actual system.

Current (known) limitations are:

  • A GUI application will still be able to listen to events from any other X client (including key strokes)
  • Changes within /home aren’t stored in the copy-on-write as it’s bind-mounted.
  • aufs doesn’t let you mount / in copy-on-write mode inside a directory that’s itself on / (to avoid loops), that’s why the current code requires a separate /home which will be bind-mounted (looking forward to btrfs for this).
  • Running something as root in the container isn’t perfectly secure as access to /proc and /sys isn’t filtered. Though, it’s still a big improvement vs running the software directly on your system.
  • The code is a proof of concept so it’s not meant for any serious usage, feel free to look at it, improve and propose patches 🙂

You can grab the code with bzr: bzr get lp:~stgraber/+junk/sandbox
or directly on Launchpad: https://code.launchpad.net/~stgraber/+junk/sandbox

Posted in Planet Revolution-Linux, Planet Ubuntu, Sandbox

Switched to wordpress (again)

So, after almost 3 years running Drupal 6 for my blog, I switched back to WordPress.

It just feels a lot easier to blog with it. I still really enjoy Drupal and use it for a lot of projects. It just wasn’t the best fit for my blog at this time.

My biggest issue with WordPress was its lack of official PostgreSQL support which was a bit of an issue as I’m avoiding MySQL as much as possible. After some poking at it, I actually managed to get PG4WP to work on a recent WordPress installation.

To make the transition as seamless as possible I also wrote a Python script which takes all Drupal “stories” and converts them into WordPress “posts”. It also handles categories and comments (including threading). It’s a bit hackish and could certainly be made a lot faster by reducing the number of queries.
Code can be found on Launchpad here: drupal2wordpress

So now, everything is imported in an all new WordPress instance, URLs should be mostly compatible. Now, back to blogging!

Posted in Planet Revolution-Linux, Planet Ubuntu

A week in Orlando (Ubuntu Developer Summit – Natty Narwhal)

Currently flying from Orlando, FL, where I had an awesome Ubuntu Developer Summit, I wanted to quickly share what happened this week.

Ubuntu and Linaro banners

I had the chance of being able to participate in plenty of very different and interesting sessions over the week.

Here’s a quick overview of my interests for the Natty development cycle.

Edubuntu
I received a LOT of feedback regarding Edubuntu. There was a lot of interest for Edubuntu WebLive.
I gave a plenary on Tuesday about what Edubuntu is, why we are doing it and what our plans are for Natty, as well as to announce the availability of daily Edubuntu builds on WebLive.
For Natty we mostly plan on growing our user community and getting more feedback from them. Our installation process should be a lot faster and let the user choose what kind of education software they want.
We also reviewed around 20 new applications, most of them are already available in Edubuntu in Natty, two will need to be packaged.

Containers
For this UDS, we were lucky to have Daniel Lezcano from LXC attending.
So we had a few very interesting sessions on what needs to be done to get LXC to the point where it can be used as a replacement of OpenVZ.
We also discussed how we could use containers and similar technologies on ARM and on a regular desktop as a way to sandbox applications.

Desktop in the cloud
Following my demo of Edubuntu WebLive during Tuesday’s plenary, we had two cloud track sessions related to it.
One on how to let users test Ubuntu (awstrial) and another on the Desktop in the Cloud image. We discussed the various technologies available for remote desktop and will try to get an official desktop in the cloud image for Natty.

Community
Being an Application Review Board member, I attended the 3 sessions on the topic. We discussed the application review process as well as the technical implementation and the current limitations the ARB noticed. We should soon have a clear process for reviewing new applications and will be able to start getting new applications in Ubuntu 10.10’s extra repository.

It was really great seeing everyone, discussing and working together this week. I’m now flying to Bangor, ME for the yearly LTSP by the sea meeting, then driving back to Sherbrooke, QC to start implementing everything we discussed!

See you all in Budapest next year!

Posted in Conferences, Edubuntu, LXC, Planet Revolution-Linux, Planet Ubuntu

Edubuntu WebLive now features Edubuntu 11.04 daily builds

A bit over a week ago I announced Edubuntu WebLive, probably the easiest way to test Edubuntu from any computer (Linux, MacOS, Solaris and Windows) running Java.

Yesterday during the Edubuntu plenary at the Ubuntu Developer Summit I announced that you can now try the latest development release from WebLive.

weblive logo

Just go on our website and select “Edubuntu 11.04 (development release)”. Then try all the latest features, check if your bugs have been fixed or look for regressions. As with the production server, you have two hours to test it.

So far, close to 4000 users tried Edubuntu using WebLive!

Posted in Edubuntu, Planet Revolution-Linux, Planet Ubuntu