investigate sandboxing

Open Geal opened this issue 9 years ago • 5 comments

In gitlab by @Geal on Jul 25, 2016, 12:55

The Servo project uses https://github.com/servo/gaol and https://github.com/servo/ipc-channel to communicate between the broker and the worker processes.

We could have the main process handle configuration by file system access, and restrict capabilities of the proxy processes (by moving to a multiprocess architecture) as such:

  • no filesystem access
  • the proxy can bind on specified input socket (generally, 80 and 443 ports)
  • the proxy can open outbound connections to a specified IP range
  • the proxy cannot open named pipes, create other processes, etc

investigate systemd cgroups to limit CPU and RAM usage as well?

Geal avatar Jan 18 '17 13:01 Geal

In gitlab by @Geal on Jul 25, 2016, 12:55

Changed title from "invaestigate sandboxing" to "investigate sandboxing"

Geal avatar Jan 18 '17 13:01 Geal

no filesystem access

This is a bit hard, you can use jails on BSD, but the solution for this on linux would probably be SELinux.

pantsman0 avatar May 24 '17 11:05 pantsman0

@pantsman0 if you know how to achieve this, would you like to contribute a good SELinux policy for sozu?

Geal avatar May 25 '17 18:05 Geal

I'll give it a go over the next week, and if it works I'll add it to PR 181.

SELinux isn't an easy thing to learn, and I've not really delved into it. For SystemD, I've written a simple service file, but it doesn't have resource limits defined.

pantsman0 avatar May 26 '17 03:05 pantsman0
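A hardened systemd unit, added here as an example and not a file from the sozu project, mapping the four restrictions from the opening post and the CPU/RAM cgroup question onto concrete directives, and filling in the resource limits pantsman0's service file lacks. The binary path, config path, service user and the 10.0.0.0/8 backend range are assumptions.

```ini
# Added example, not a file from the sozu project. Paths, the service user
# and the backend range are assumptions. The sandbox applies to the whole
# process tree started by ExecStart (main process and workers alike).
[Unit]
Description=sozu reverse proxy (sandboxed, hypothetical unit)
After=network-online.target

[Service]
ExecStart=/usr/bin/sozu start --config /etc/sozu/config.toml
User=sozu
Group=sozu
UMask=0077

# "no filesystem access": read-only root, private /tmp and /dev, nothing
# writable except the state directory, so FIFOs cannot be created elsewhere.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadOnlyPaths=/etc/sozu
StateDirectory=sozu
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# "bind on specified input socket (80 and 443)": keep only the capability
# needed for privileged ports and forbid any later privilege gain.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# "outbound connections to a specified IP range": IPAddressAllow/Deny filter
# both directions, so this fits an internal proxy only; a public-facing one
# must enforce egress limits in the host firewall. AF_UNIX stays allowed for
# the broker/worker channel.
IPAddressDeny=any
IPAddressAllow=10.0.0.0/8 localhost
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# "cannot create other processes": denying @process would also block threads,
# so cap the task count and restrict the remaining kernel surface instead.
TasksMax=64
RestrictNamespaces=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service

# cgroup limits for CPU and RAM (values are illustrative)
CPUQuota=200%
MemoryMax=512M

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security sozu.service` reports which of these protections are active and which remain missing.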

I've built a preliminary selinux policy, and attached it to PR 181. It still needs testing, as I've only built it through rpmbuild, and I haven't tested it in proper networking environments.

pantsman0 avatar May 28 '17 14:05 pantsman0