App::EvalServerAdvanced - A more featured update to App::EvalServer

This is a complete redesign and rewrite of the original code behind App::EvalServer.

This code is only BETA quality at best. See the USE section below for more information.

Features over App::EvalServer

Use of Linux namespaces.

The chroot is accompanied by a private mounted tmpfs filesystem. This allows a safe writable /tmp that won't be seen by anyone else. The evaluated code is placed in it's own PID space. This helps prevent it from sending signals to anything else that might be running.

Use of Seccomp

More featureful sandboxing with Seccomp rules. This helps prevent anything running from issuing any potentially dangerous system calls.

Formal network protocol.

You can send multiple requests per connection, and wait on them asynchronously. This helps enable better scheduling and handling of batch actions, and allows you to cancel inflight requests. This also allows the cancelling, by the client, of a long running job while it's running.

You're going to want to review at least the source of App::EvalServerAdvanced::Sandbox and App::EvalServerAdvanced::Seccomp. These two modules are responsible for most of the security features of the whole system. Familiarity with them is HIGHLY recommended.

Included in this dist is a command esa-makesandbox that will create a skeleton for a sandbox for you with my opinionated recommendations.

This system exercises a series of defense in depth measures. However they are not perfect. If a kernel level exploit exists to get higher privileges (Dirty COW is a good example), it could be used to write to any bind mounted directory.

My recommendations for extra protection are to use a copy of a running system in the sandbox, and not actually use the /lib64 directories from the existing system. This wouldn't prevent someone from leaving something behind, but would prevent it from being accessed accidentally from the original system.

Take a look at something like debootstrap to create a skeleton debian based system to use in the sandbox.

There is none. You use this at your own risk. It is opinionated about what is secure, but it probably isn't secure. This software will result in the hacking of everyone around you.

Create some kind of pluggable system for specifiying additional Seccomp rules

Create another pluggable system for extending App::EvalServer::Sandbox::Internal with additional subs

Finish enabling full configuration of the sandbox without having to edit any code

App::EvalServerAdvanced::REPL, App::EvalServerAdvanced::Protocol

Ryan Voots <[email protected]>