Date: Sun, 9 Jun 2013 00:33:46 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: freebsd-security@FreeBSD.org
Cc: brooks@FreeBSD.org
Subject: Request for review: Sandboxing dhclient using Capsicum.
Message-ID: <20130608223346.GA2468@garage.freebsd.pl>
Hi.

I have a series of patches to sandbox dhclient using Capsicum (capability mode and capability rights for descriptors).

As usual, because chroot and setgid/setuid are not sandboxing mechanisms, there are many problems with the current sandboxing:

- Access to various global namespaces (like process list, network, etc.).
- Access to RAW UDP socket.
- Read/write access to bpf.
- Access to RAW route socket, which means it can delete, modify or add static routes as it pleases.

After the changes RAW route socket is limited to reading only, write-only bpf descriptor and RAW UDP sockets are moved to privileged process and even though unprivileged process controls destination addresses still, it cannot change port for example. There is no access to global namespaces anymore.

All descriptors used by unprivileged process are limited using capability rights (just in case, not really crucial):

- Descriptor to lease file allows for overwrite only, but doesn't allow for other stuff, like reading, fchmod, etc.
- Descriptor to pidfile has no rights, it is just being kept open.
- STDIN descriptor has no rights.
- STDOUT and STDERR descriptors are limited to write only.

The patches are here. Every change has individual description:

http://people.freebsd.org/~pjd/patches/dhclient_capsicum.patches

I'd appreciate any review, especially security audit of the proposed changes. The new and most critical function is probably send_packet_priv().

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
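The per-descriptor policy listed in the message (lease file overwrite-only, pidfile and stdin with no rights, stdout/stderr write-only), as an added example that is not part of pjd's dhclient patches. It uses the Capsicum API as it exists on FreeBSD 10 and later (cap_rights_init(), cap_rights_set(), cap_rights_limit(), cap_enter()); that API is an assumption here, since the 2013 patches predate it. On other platforms the Capsicum calls are compiled out so the file still builds, and limit_fd() reports ENOSYS. The RIGHT_*/OP_* names, role_rights(), op_allowed() and probe_lease_fd() are constructed for this example; they model the same subset check the kernel performs on a limited descriptor.

```c
/* Added example, not from the dhclient patches: the e-mail's descriptor policy
 * expressed as Capsicum rights. Capsicum calls are FreeBSD-only (assumed 10+ API). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Descriptor roles named in the e-mail. */
enum fd_role { ROLE_LEASE, ROLE_PIDFILE, ROLE_STDIN, ROLE_STDOUT_STDERR };

/* Constructed model of the rights that matter for these descriptors. */
#define RIGHT_READ      0x1u
#define RIGHT_WRITE     0x2u
#define RIGHT_FTRUNCATE 0x4u
#define RIGHT_FCHMOD    0x8u

/* The policy from the e-mail: lease file may only be overwritten, pidfile and
 * stdin keep no rights at all, stdout/stderr are write-only. */
static unsigned role_rights(enum fd_role role)
{
    switch (role) {
    case ROLE_LEASE:         return RIGHT_WRITE | RIGHT_FTRUNCATE;
    case ROLE_STDOUT_STDERR: return RIGHT_WRITE;
    default:                 return 0;      /* ROLE_PIDFILE, ROLE_STDIN */
    }
}

/* Operations and the rights each needs; the kernel check has the same shape:
 * every bit the operation needs must be present on the descriptor. */
enum fd_op { OP_READ, OP_APPEND, OP_OVERWRITE, OP_FCHMOD };

static unsigned op_needs(enum fd_op op)
{
    switch (op) {
    case OP_READ:      return RIGHT_READ;
    case OP_APPEND:    return RIGHT_WRITE;
    case OP_OVERWRITE: return RIGHT_WRITE | RIGHT_FTRUNCATE;
    default:           return RIGHT_FCHMOD; /* OP_FCHMOD */
    }
}

int op_allowed(enum fd_role role, enum fd_op op)
{
    unsigned need = op_needs(op);
    return (role_rights(role) & need) == need;
}

/* Apply a role's rights to a live descriptor. Returns 0, or an errno value. */
int limit_fd(int fd, enum fd_role role)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    unsigned m = role_rights(role);

    cap_rights_init(&rights);               /* start from the empty set */
    if (m & RIGHT_READ)      cap_rights_set(&rights, CAP_READ);
    if (m & RIGHT_WRITE)     cap_rights_set(&rights, CAP_WRITE);
    if (m & RIGHT_FTRUNCATE) cap_rights_set(&rights, CAP_FTRUNCATE);
    if (m & RIGHT_FCHMOD)    cap_rights_set(&rights, CAP_FCHMOD);
    return cap_rights_limit(fd, &rights) == 0 ? 0 : errno;
#else
    (void)fd; (void)role;
    return ENOSYS;                          /* no Capsicum on this platform */
#endif
}

/* FreeBSD only: treat a scratch file as the lease file, limit it, and confirm the
 * kernel now refuses read()/fchmod() with ENOTCAPABLE while write()/ftruncate()
 * still work. Returns 1 when enforced as expected, 0 on mismatch, -1 without Capsicum. */
int probe_lease_fd(void)
{
#ifdef __FreeBSD__
    char path[] = "/tmp/lease.XXXXXX";      /* constructed scratch path */
    char buf[4];
    int fd = mkstemp(path), ok;

    if (fd < 0)
        return 0;
    unlink(path);
    ok = limit_fd(fd, ROLE_LEASE) == 0
      && write(fd, "ok\n", 3) == 3                               /* CAP_WRITE */
      && ftruncate(fd, 0) == 0                                   /* CAP_FTRUNCATE */
      && read(fd, buf, sizeof(buf)) == -1 && errno == ENOTCAPABLE /* denied */
      && fchmod(fd, 0600) == -1 && errno == ENOTCAPABLE;         /* denied */
    close(fd);
    return ok;
#else
    return -1;
#endif
}

int main(void)
{
    int r = probe_lease_fd();
    printf("lease descriptor policy enforced: %s\n",
           r == 1 ? "yes" : r == 0 ? "NO" : "n/a (no Capsicum)");
#ifdef __FreeBSD__
    /* The other half of the e-mail's design: capability mode removes the global
     * namespaces (process list, network, route socket creation) from the child. */
    if (cap_enter() != 0)
        perror("cap_enter");
#endif
    return r == 0 ? 1 : 0;
}
```

Rights are enforced on the descriptor from the moment cap_rights_limit() returns, whether or not the process has entered capability mode, so the probe works without cap_enter(); in a real daemon the rights are applied first and cap_enter() follows, matching the order the message describes for the unprivileged process.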