Date:      Sun, 9 Jun 2013 00:33:46 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        freebsd-security@FreeBSD.org
Cc:        brooks@FreeBSD.org
Subject:   Request for review: Sandboxing dhclient using Capsicum.
Message-ID:  <20130608223346.GA2468@garage.freebsd.pl>



Hi.

I have a series of patches to sandbox dhclient using Capsicum
(capability mode and capability rights for descriptors).

As usual, because chroot and setgid/setuid are not sandboxing
mechanisms, there are many problems with the current sandboxing:
- Access to various global namespaces (like process list, network, etc.).
- Access to RAW UDP socket.
- Read/write access to bpf.
- Access to RAW route socket, which means it can delete, modify or add
  static routes as it pleases.

After the changes, the RAW route socket is limited to reading only; the
write-only bpf descriptor and the RAW UDP socket are moved to the privileged
process, and even though the unprivileged process still controls the
destination addresses, it cannot change the port, for example. There is no
access to global namespaces anymore. All descriptors used by the unprivileged
process are limited using capability rights (just in case, not really
crucial):
- Descriptor to lease file allows for overwrite only, but doesn't allow
  for other stuff, like reading, fchmod, etc.
- Descriptor to pidfile has no rights, it is just being kept open.
- STDIN descriptor has no rights.
- STDOUT and STDERR descriptors are limited to write only.

The patches are here. Every change has individual description:

	http://people.freebsd.org/~pjd/patches/dhclient_capsicum.patches

I'd appreciate any review, especially security audit of the proposed
changes. The new and most critical function is probably send_packet_priv().

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (FreeBSD)

iEYEARECAAYFAlGzsUoACgkQForvXbEpPzSZtwCbBfqaVjVF5ZOziEHeAGDXltGt
KpEAoNOLgRpOFGYh7gz33Gi2lHbNZV3U
=l7P5
-----END PGP SIGNATURE-----
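The descriptor rules listed in the message (lease file overwrite-only, pidfile and stdin with no rights, stdout/stderr write-only, no path-based access once in capability mode) can be tried out directly. The program below is an added example written for this page; it is not code from the dhclient patches. It uses the current Capsicum API (cap_rights_init/cap_rights_limit, FreeBSD 10 and later; the 2013 patches used the older bitmask form of cap_rights_limit). The exact right set chosen for "overwrite only" (write, seek, ftruncate, fsync) and the lease-file path are this example's assumptions, not the patch's values. The demo part only runs on FreeBSD; on other systems dh_demo() reports ENOSYS.

```c
/*
 * Added example, not part of the dhclient patches: apply per-descriptor
 * Capsicum rights in the spirit of the e-mail, enter capability mode and
 * verify which operations the kernel then refuses.
 *
 * Build on FreeBSD: cc -Wall -o caprights caprights.c && ./caprights
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Descriptor classes named in the e-mail. */
enum dh_fd { DH_LEASE, DH_PIDFILE, DH_STDIN, DH_STDOUT, DH_STDERR };

/* Platform-neutral rights bits; mapped to CAP_* in dh_limit_fd(). */
#define R_READ      0x01u
#define R_WRITE     0x02u
#define R_SEEK      0x04u
#define R_FTRUNCATE 0x08u
#define R_FSYNC     0x10u

/*
 * "Overwrite only" for the lease file is taken here (an assumption, not the
 * patch's exact set) as write+seek+ftruncate+fsync: enough to rewind, rewrite
 * and truncate the file, nothing that reads it or changes its mode/owner.
 */
unsigned int dh_policy(enum dh_fd which)
{
    switch (which) {
    case DH_LEASE:  return R_WRITE | R_SEEK | R_FTRUNCATE | R_FSYNC;
    case DH_STDOUT:
    case DH_STDERR: return R_WRITE;
    case DH_PIDFILE:
    case DH_STDIN:
    default:        return 0;   /* kept open, but no operation is permitted */
    }
}

int dh_capsicum_available(void)
{
#ifdef __FreeBSD__
    return 1;
#else
    return 0;
#endif
}

/* Narrow fd to its policy. Returns 0, or -1 with errno (ENOSYS off FreeBSD). */
int dh_limit_fd(enum dh_fd which, int fd)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    unsigned int p = dh_policy(which);

    cap_rights_init(&rights);                        /* start with no rights */
    if (p & R_WRITE)     cap_rights_set(&rights, CAP_WRITE);
    if (p & R_SEEK)      cap_rights_set(&rights, CAP_SEEK);
    if (p & R_FTRUNCATE) cap_rights_set(&rights, CAP_FTRUNCATE);
    if (p & R_FSYNC)     cap_rights_set(&rights, CAP_FSYNC);
    return cap_rights_limit(fd, &rights);            /* rights can only shrink */
#else
    (void)which; (void)fd;
    errno = ENOSYS;
    return -1;
#endif
}

/*
 * Run the sandboxed part in a child (cap_enter() is irreversible) and report
 * whether every expected refusal happened. Returns 0 on success, -1 otherwise.
 */
int dh_demo(const char *lease_path)
{
#ifdef __FreeBSD__
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char buf[8];
        int lease = open(lease_path, O_RDWR | O_CREAT, 0644);
        int pidfd = open("/dev/null", O_RDWR);       /* stands in for the pidfile */
        if (lease < 0 || pidfd < 0 ||
            dh_limit_fd(DH_LEASE, lease) < 0 || dh_limit_fd(DH_PIDFILE, pidfd) < 0 ||
            cap_enter() < 0)
            _exit(1);
        /* Lease fd: read and fchmod refused (ENOTCAPABLE), write still allowed. */
        if (read(lease, buf, sizeof buf) != -1 || errno != ENOTCAPABLE) _exit(2);
        if (fchmod(lease, 0600) != -1 || errno != ENOTCAPABLE)          _exit(3);
        if (write(lease, "lease { }\n", 10) != 10)                      _exit(4);
        /* Pidfile fd with no rights: even write() is refused, the fd is just held. */
        if (write(pidfd, "x", 1) != -1 || errno != ENOTCAPABLE)         _exit(5);
        /* Global namespaces are gone: open(2) by path fails with ECAPMODE. */
        if (open("/etc/passwd", O_RDONLY) != -1 || errno != ECAPMODE)   _exit(6);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
#else
    (void)lease_path;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    int rc = dh_demo("/tmp/dhclient-capsicum-demo.lease");   /* constructed path */
    printf("capsicum demo: %s\n", rc == 0 ? "all refusals as expected"
                                          : "failed or unsupported");
    return rc == 0 ? 0 : 1;
}
```

Note the order: every descriptor is opened and narrowed before cap_enter(), because after it no new file can be opened by path; the only way to pass the process something new is to receive a descriptor from the privileged side, which is exactly how the patches move bpf and the RAW UDP socket out of the unprivileged process.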



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130608223346.GA2468>