By Kenton Varda - 03 Jul 2014
We have a bunch of updates for you today.
We’ve ported a number of interesting apps to Sandstorm and will begin releasing them within the next few days. First up will be Mailpile – yes, e-mail in Sandstorm! Expect a full announcement on Monday, and other app announcements over the following days and weeks.
The Sandstorm team is no longer just me. I’d like to introduce all the new faces that you now see on our front page:
We also have a couple of key advisors. These guys are contributing advice, resouces, and the occasional patch in their spare time; Sandstorm is not affiliated with their respective employers.
Jason has implemented the ability to back up and restore grains (app instances) from you Sandstorm server. Just click the new download icon on the top bar when viewing a grain. You will get a zip file containing the grain’s storage, which you can re-upload to the server (or to a different server) later on.
Sandstorm can now be installed and run without root privileges or setuid binaries. To accomplish this, we use Linux’s “UID namespaces” feature, which essentially allows other sandboxing features to be accessed by an unprivileged user.
Unfortunately, if you are developing Sandstorm apps, it is still necessary to install Sandstorm with root privileges because the dev tools rely on FUSE and FUSE filesystems cannot currently be mounted inside UID namespaces. We hope the Linux kernel will eventually add this feature.
Due to the use of UID namespaces, Sandstorm now requires Linux kernel version 3.13 or better. The installer will verify that you are ready to run Sandstorm.
Thanks to Andy for contributing much of the work on this.
We’ve now enabled a basic seccomp filter to disable some dangerous system calls. Seccomp is a Linux feature that makes sandboxing more secure by disabling system calls (OS features) that apps don’t need. A typical web server uses only a tiny fraction of Linux’s system calls. By disabling the rest, we make sure that if a kernel exploit is found in one of them, it won’t allow an app to escape its sandbox.
For now, we’ve disabled a few calls that provide complicated functionality that has been the subjects of vulnerabilities in the past, and that no web server rightly needs. We plan to expand on this in the future, eventually implementing a small whitelist and probably moving many system calls to userspace. All of this will be totally transparent to apps.
Again, thanks to Andy for getting this started.
Linux Weekly News wrote about Sandstorm last week!