Skype, for example, can be run inside a container [1], allowing you to use it while hiding the rest of your system from the obfuscated and traffic-encrypted binary which no one knows what it does to your system.
It uses X11 forwarding for the GUI, and PulseAudio for the sound.
I'll note that X11 has practically no security and that windows can read contents from other windows, if you happen to be worried about that attack. Essentially, anything that is displayed can be read by anything.
You'd need some form of "X11 firewall" to be secure.
The thing that made me finally uninstall it (from everything) is when my phone OS (MIUI) informed me that Skype wanted to suddenly take a photo of me even though I hadn't touched the app for days.
This Skype use case really interests me a lot, as I have to use it professionally and do not trust this application at all and would like to limit it to a bare minimum: microphone, webcam, screen and one single folder for file exchange.
I never tried Docker, but I wonder, if this requirements can be achieved with SeLinux or AppArmor as they are supported by many distributions and are around longer than Docker?
Would be great to be able to tighten the corset around any non open-source application, to make sure it is not siphoning data.
Docker is based on Linux namespaces.
The first thing which comes to mind is that Docker does not use user namespaces. Hence, the root within Docker is the same root as on the host side. Of course Docker papers over the issue by using apparmor and other tricks but this does not cure the issue itself.
Linux containers (LXC, libvirt-lxc, Docker) are shared kernel visualization. Every single kernel vulnerability will hit you hard.
In contrast to LXC and libvirt-lxc Docker lets you configure a lot of insane setups which are not secure. (But easy to setup)
Also keep in mind resource issues. If you setup your container in a wrong way
it my eat all your available file descriptors, all memory, etc...
(Because it is shared kernel)
Let's face it, the whole technology was not designed for sandboxing, more for
easy deployment of applications.
That said, I really love container and use them a lot in production with libvirt-lxc.
But I don't use them for sandboxing.
I use ssh -X [1] since it runs the application as an untrusted client, not able to interact with or manipulate or sniff from other windows. ssh -Y is the trusted equivalent.
Might I assume that the approach in the article gives processes in the container full access to one's X11 session and contents?
While I think this is cool, could someone explain to me why I'd bother using a docker setup over let's say a... traditional VM? And I don't need justification for using containers on a server, that makes sense... on a desktop though something just seems off.
Seems like there's little to gain and a lot to configure/worry about with the Docker setup. Happy to be learned somethin' ... just would like to know what that somethin' is.
* You can run different versions of program side-by-side: FF 32 in one window, and FF 31 in another to test compatibility and regression.
* You can install programs without polluting your base system. I don't want to have Java installed, but sometimes I just need to run an applet.
All of that can be achieved with traditional VM, but with the performance penalty. As Docker runs on top of the native kernel, speed should be comparable to the application running directly on host.
My guesses are speed - not that relevant if you are interacting with an app that is waiting for user input - and memory usage.
In a traditional VM, you have to reserve memory that is used by the guest OS and the apps you want to run, and is unavailable as soon as the VM comes up.
Docker is incredibly lightweight in comparison. Also, you can move your development environment around, same way you would move a VM disk around. That requires less resources, again, as there is no OS install.
Share your X11 socket/cookie, and now everything you input (keyboard/mouse,etc.) is readable by a so called "contained" application; this is not a secure solution, but more of a comfort solution, and it should be used as such.
On a side note, I've been doing this with chroot/debootstrap for years, but lxc/docker provide a nice "engineered" solution.
35 comments
[ 4.2 ms ] story [ 68.4 ms ] threadhttp://zwischenzugs.wordpress.com/2014/05/09/docker-shutit-a...
It uses X11 forwarding for the GUI, and PulseAudio for the sound.
[1] - https://registry.hub.docker.com/u/tomparys/skype/
You'd need some form of "X11 firewall" to be secure.
http://linux.slashdot.org/story/07/08/26/1312256/skype-linux...
The thing that made me finally uninstall it (from everything) is when my phone OS (MIUI) informed me that Skype wanted to suddenly take a photo of me even though I hadn't touched the app for days.
I never tried Docker, but I wonder, if this requirements can be achieved with SeLinux or AppArmor as they are supported by many distributions and are around longer than Docker?
Would be great to be able to tighten the corset around any non open-source application, to make sure it is not siphoning data.
http://blog.bofh.it/debian/id_413
That said the example is not a good one because of the changes applied these days, e.g. the use of the UID on the host-side.
/sys is already mounted and it is read-only, and it cannot be mounted manually:
The /sys is mounted already and reading/writing to it succeeds:
From there the attack works. Obviously the change here is that I need to know the full UID, which is a cheat, but ..Linux containers (LXC, libvirt-lxc, Docker) are shared kernel visualization. Every single kernel vulnerability will hit you hard.
In contrast to LXC and libvirt-lxc Docker lets you configure a lot of insane setups which are not secure. (But easy to setup) Also keep in mind resource issues. If you setup your container in a wrong way it my eat all your available file descriptors, all memory, etc... (Because it is shared kernel)
Let's face it, the whole technology was not designed for sandboxing, more for easy deployment of applications.
That said, I really love container and use them a lot in production with libvirt-lxc. But I don't use them for sandboxing.
Might I assume that the approach in the article gives processes in the container full access to one's X11 session and contents?
[1]: SSH X11 forwarding
PS: I you like Fábio's work, consider tipping him[2] (I already did, with bitcoins! :)
[1]: https://github.com/fgrehm/vagrant-lxc
[2]: https://gratipay.com/fgrehm/
Seems like there's little to gain and a lot to configure/worry about with the Docker setup. Happy to be learned somethin' ... just would like to know what that somethin' is.
* You can run different versions of program side-by-side: FF 32 in one window, and FF 31 in another to test compatibility and regression.
* You can install programs without polluting your base system. I don't want to have Java installed, but sometimes I just need to run an applet.
All of that can be achieved with traditional VM, but with the performance penalty. As Docker runs on top of the native kernel, speed should be comparable to the application running directly on host.
In a traditional VM, you have to reserve memory that is used by the guest OS and the apps you want to run, and is unavailable as soon as the VM comes up.
Docker is incredibly lightweight in comparison. Also, you can move your development environment around, same way you would move a VM disk around. That requires less resources, again, as there is no OS install.
http://l3net.wordpress.com/projects/firejail/
On a side note, I've been doing this with chroot/debootstrap for years, but lxc/docker provide a nice "engineered" solution.