From owner-freebsd-security@FreeBSD.ORG Sun May 29 14:02:20 2005
Date: Sun, 29 May 2005 15:02:37 +0100 (BST)
From: Robert Watson
To: Pawel Jakub Dawidek
Cc: freebsd-security@FreeBSD.org, Samy Al Bahra
In-Reply-To: <20050524011322.GI837@darkness.comp.waw.pl>
Message-ID: <20050529145922.T52379@fledge.watson.org>
Subject: Re: Jail support for mac_portacl(4).

On Tue, 24 May 2005, Pawel Jakub Dawidek wrote:

> This patch gives another option, so one doesn't need to use a firewall for
> this purpose. It adds a new idtype - 'jid'. With this patch, one can
> configure that the jail with the given JID can use only defined ports:
>
> # sysctl security.mac.portacl.rules="jid:1:tcp:80"
>
> Patch is here:
>
> http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch
>
> Any objections?

This sounds fine to me, especially since it doesn't break forwards
compatibility from older mac_portacl rule sets.

However, I've CC'd Samy Al Bahra, who has a set of outstanding mac_portacl
patches that are similar, and might have some comments on your proposed
changes. My primary concern with his changes was that they changed the
syntax in a way that broke backwards compatibility to older defined rules;
on the other hand, his version of the changes allowed further scoping of
things like "user id 80 in jail 20 can bind port 80", whereas the above
supports a single layer of scoping.

Robert N M Watson

From owner-freebsd-security@FreeBSD.ORG Sun May 29 14:21:09 2005
Date: Sun, 29 May 2005 17:21:03 +0300
From: Samy Al Bahra
Organization: Kerneled.org
To: Robert Watson
Cc: freebsd-security@FreeBSD.org, Pawel Jakub Dawidek
In-Reply-To: <20050529145922.T52379@fledge.watson.org>
References: <20050524011322.GI837@darkness.comp.waw.pl> <20050529145922.T52379@fledge.watson.org>
Message-Id: <1117376463.2131.14.camel@jee.workstation.local>
Subject: Re: Jail support for mac_portacl(4).

On Sun, 2005-05-29 at 15:02 +0100, Robert Watson wrote:
> On Tue, 24 May 2005, Pawel Jakub Dawidek wrote:
>
> > This patch gives another option, so one doesn't need to use a firewall for
> > this purpose. It adds a new idtype - 'jid'. With this patch, one can
> > configure that the jail with the given JID can use only defined ports:
> >
> > # sysctl security.mac.portacl.rules="jid:1:tcp:80"
> >
> > Patch is here:
> >
> > http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch
> >
> > Any objections?
>
> This sounds fine to me, especially since it doesn't break forwards
> compatibility from older mac_portacl rule sets.
>
> However, I've CC'd Samy Al Bahra, who has a set of outstanding mac_portacl
> patches that are similar, and might have some comments on your proposed
> changes. My primary concern with his changes was that they changed the
> syntax in a way that broke backwards compatibility to older defined rules;

That was fixed. I think pjd@'s syntax changes are not that flexible (and
well, as useful). Please take a look at
http://samy.kerneled.org/patches/portacl.patch

Support for an "add" and "none" keyword was added as well (except for the
uid/gid field). This is a copy I sent to Robert a couple of months ago.

If pjd@ wishes, he can modify this patch to his style and apply the "all"
keyword to the uid/gid identifier in order to bind all processes in a jail
to a rule (if he wishes).

Thanks.

-- 
Samy Al Bahra
|------- http://samy.kerneled.org
|------- http://www.FreeBSD.org
'------- http://www.arabeyes.org
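To make the rule syntax under discussion concrete, here is an added userland model of mac_portacl rule parsing and bind-time matching, extended with the 'jid' idtype that pjd@'s patch proposes. It is example code written for this page, not the kernel module or either patch: the evaluation model (ports at or below port_high need a matching rule; root exemption and the enforce/suser_exempt sysctls are left out) and the Subject type with jid 0 meaning "not jailed" are assumptions. It shows that an old uid/gid rule set parses unchanged and that a jid rule scopes on the jail alone, so "uid 80 in jail 20" cannot be expressed with it.

```python
from dataclasses import dataclass
from typing import List, Tuple

IDTYPES = ("uid", "gid", "jid")  # "jid" is the idtype the thread proposes adding
PROTOCOLS = ("tcp", "udp")

@dataclass(frozen=True)
class Rule:
    idtype: str
    id: int
    protocol: str
    port: int

def parse_rules(spec: str) -> List[Rule]:
    """Parse a security.mac.portacl.rules string ("idtype:id:protocol:port,...").
    Existing uid/gid rule sets parse exactly as before; malformed entries are rejected."""
    rules = []
    for entry in filter(None, spec.split(",")):
        fields = entry.split(":")
        if len(fields) != 4:
            raise ValueError(f"bad rule {entry!r}: expected idtype:id:protocol:port")
        idtype, id_s, proto, port_s = fields
        if idtype not in IDTYPES or proto not in PROTOCOLS:
            raise ValueError(f"bad rule {entry!r}: unknown idtype or protocol")
        port = int(port_s)
        if not 0 <= port <= 65535:
            raise ValueError(f"bad rule {entry!r}: port out of range")
        rules.append(Rule(idtype, int(id_s), proto, port))
    return rules

@dataclass(frozen=True)
class Subject:
    """The process attempting the bind (constructed model; jid 0 = not jailed)."""
    uid: int
    gids: Tuple[int, ...]
    jid: int

def rule_matches(rule: Rule, s: Subject, proto: str, port: int) -> bool:
    """Each rule scopes on exactly one attribute (single layer of scoping)."""
    if rule.protocol != proto or rule.port != port:
        return False
    if rule.idtype == "uid":
        return rule.id == s.uid
    if rule.idtype == "gid":
        return rule.id in s.gids
    return rule.id == s.jid

def bind_allowed(rules: List[Rule], s: Subject, proto: str, port: int, port_high: int = 1023) -> bool:
    """Assumed model: ports above port_high are unrestricted; others need a matching rule."""
    return port > port_high or any(rule_matches(r, s, proto, port) for r in rules)
```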