Sandbox without networking

For quite a while now, access to the network has been a privilege in Solaris (net_access), not something every process is automatically entitled to, much like the privilege to export things from the United States. In Oracle Solaris 11.4 it became really easy to run an application in such an environment: when you know your application should never ever use the network, you can jail it in a sandbox. Without further options the sandbox still holds the privilege to use the network.

root@batou:~# sandbox "ssh jmoekamp@192.168.31.225"
Password: 


However, if you start the sandbox with the -n option, a command run inside the sandbox doesn't have the permission to do so:

root@batou:~# sandbox -n "ssh jmoekamp@192.168.31.225"
socket: Permission denied
ssh: connect to host 192.168.31.225 port 22: failure
root@batou:~#


The difference between the two commands is the set of privileges granted to the processes inside the sandbox.

root@batou:~# sandbox -n "bash"
root@batou:~# ppriv $$
1335:   bash
flags = PRIV_AWARE|PRIV_XPOLICY
        Extended policies:
                {proc_exec}:/root/*
                {proc_exec}:/usr/*
        E: basic,!net_access,!proc_exec,!proc_info,!proc_session
        I: basic,!net_access,!proc_exec,!proc_info,!proc_session
        P: basic,!net_access,!proc_exec,!proc_info,!proc_session
        L: basic


The privilege to access the network has been explicitly removed: on Solaris 11 net_access is part of the basic set, and the !net_access entry takes it out again in the effective (E), inheritable (I) and permitted (P) sets. A sandbox started without -n doesn't have this limitation, so processes inside it can use the network.

root@batou:~# sandbox "bash"
root@batou:~# ppriv $$
1337:   bash
flags = PRIV_AWARE|PRIV_XPOLICY
        Extended policies:
                {proc_exec}:/root/*
                {proc_exec}:/usr/*
        E: basic,!proc_exec,!proc_info,!proc_session
        I: basic,!proc_exec,!proc_info,!proc_session
        P: basic,!proc_exec,!proc_info,!proc_session
        L: basic
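To turn the comparison of the two listings into a check that can run in a script rather than be eyeballed, here is an added shell example; it is not code from the original post or from Oracle's sandbox tooling. It reads a ppriv listing on stdin and decides whether the effective set still grants net_access. The assumed workflow (not shown in the post) is to run `ppriv $$ > /tmp/privs` inside a shell started with `sandbox -n "bash"` and then feed that file to `report_net_access`. The two listings embedded below are the ones shown above, copied in so the script also runs on a machine without sandbox(1), and the check goes slightly beyond the post by also handling sets written without basic (for example `E: file_read,net_access`).

```shell
#!/bin/sh
# Added example, not code from the original post: inspect a ppriv(1) listing
# (as printed by `ppriv $$` inside the sandbox) and tell whether the process
# that produced it may still open sockets.
#
# Assumed usage on Solaris 11.4 (not shown in the post):
#   sandbox -n "bash"            # then, inside that shell:
#   ppriv $$ > /tmp/privs
#   report_net_access < /tmp/privs

# Read a ppriv listing on stdin. Exit 0 if the effective (E:) set grants
# net_access, 1 if it does not, 2 if the input has no E: line at all.
# On Solaris 11 net_access is part of the "basic" set, so "E: basic" grants it
# and "E: basic,!net_access" (what sandbox -n produces) takes it away again.
effective_allows_net() {
    awk '
        /^[ \t]*E:/ {
            sub(/^[ \t]*E:[ \t]*/, "")
            n = split($0, privs, ",")
            granted = 0; denied = 0
            for (i = 1; i <= n; i++) {
                if (privs[i] == "!net_access")
                    denied = 1
                else if (privs[i] == "net_access" || privs[i] == "basic" || privs[i] == "all")
                    granted = 1
            }
            found = 1
            exit ((granted && !denied) ? 0 : 1)
        }
        END { if (!found) exit 2 }
    '
}

# Human-readable wrapper around the same check; always exits 0 so it can be
# used in a report loop, the machine-readable answer is effective_allows_net.
report_net_access() {
    if effective_allows_net; then
        echo "network: allowed"
    else
        case $? in
            1) echo "network: denied (effective set lacks net_access)" ;;
            *) echo "network: unknown (no E: line in input)" ;;
        esac
    fi
}

# Constructed input: the two ppriv listings from the post (sandbox -n first,
# plain sandbox second), reproduced here so the check runs offline.
SANDBOX_N_LISTING=$(cat <<'EOF'
1335:   bash
flags = PRIV_AWARE|PRIV_XPOLICY
        Extended policies:
                {proc_exec}:/root/*
                {proc_exec}:/usr/*
        E: basic,!net_access,!proc_exec,!proc_info,!proc_session
        I: basic,!net_access,!proc_exec,!proc_info,!proc_session
        P: basic,!net_access,!proc_exec,!proc_info,!proc_session
        L: basic
EOF
)

SANDBOX_LISTING=$(cat <<'EOF'
1337:   bash
flags = PRIV_AWARE|PRIV_XPOLICY
        Extended policies:
                {proc_exec}:/root/*
                {proc_exec}:/usr/*
        E: basic,!proc_exec,!proc_info,!proc_session
        I: basic,!proc_exec,!proc_info,!proc_session
        P: basic,!proc_exec,!proc_info,!proc_session
        L: basic
EOF
)

# Demo run over both listings.
for listing in "$SANDBOX_N_LISTING" "$SANDBOX_LISTING"; do
    printf '%s\n' "$listing" | report_net_access
done
```

Only the E: line matters for what the process can do right now; the I: and P: lines tell you what a child or a privilege-aware program could regain, which is why sandbox -n removes net_access from all three rather than from E alone.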


By the way: I used the root user to show that this limitation is in place even for processes running with root or root-equivalent privileges.