[Dnsmasq-discuss] [PATCH] implemented sandbox
Loganaden Velvindron
loganaden at gmail.com
Tue Sep 5 12:09:34 BST 2017
On Tue, Sep 5, 2017 at 2:32 PM, Denis Solonkov <solonkovda at google.com> wrote:
> Hi Simon,
>
>
> As part of my Google summer internship project I have implemented a sandbox
> for dnsmasq, based on Linux seccomp-bpf and mount namespace, with tests and
> documentation.
>
> Such a sandbox provides defense in depth to dnsmasq, by restricting what files
> it can access and which syscalls it can make, in case remote code execution
> vulnerabilities are discovered in dnsmasq.
>
> Would you be interested in reviewing my patches and maybe integrating them in
> dnsmasq?
>
> Please find attached my patch against master head, but let me know if there
> is another way for us to review and discuss the change.
>
>
The project is interesting. May I suggest looking into privilege
separation such as what OpenBSD has been doing before applying the
sandbox?
http://quigon.bsws.de/papers/aalborg2009/mgp00043.html
Also, maybe look at unbound, which has a privilege separation design as well.
Have a look at OpenBSD's imsg framework which is light and easy to port:
http://man.openbsd.org/imsg_init