From owner-freebsd-security@FreeBSD.ORG Mon Jun 10 15:18:01 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id BCAFC500 for ; Mon, 10 Jun 2013 15:18:01 +0000 (UTC) (envelope-from priit.jarv@gmail.com) Received: from mail-ea0-x234.google.com (mail-ea0-x234.google.com [IPv6:2a00:1450:4013:c01::234]) by mx1.freebsd.org (Postfix) with ESMTP id 566961E06 for ; Mon, 10 Jun 2013 15:18:01 +0000 (UTC) Received: by mail-ea0-f180.google.com with SMTP id k10so5609824eaj.11 for ; Mon, 10 Jun 2013 08:18:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:date:from:x-x-sender:to:subject:message-id:user-agent :mime-version:content-type; bh=/ONkFQxHt3eoXfXdVFDiXKaTnH0o3NJJaGrBzjT/i8U=; b=mkywPulud2ThutuqLgPJaGrtzKFzJIZbJwNafCGeOr0svy9Q8xukEBH0AcVo0Rd9Xy u7NpgZNHMvUdqG03WyEDAkemL9FPaFGT1XL7AcWmu6E0Prr76UtouXepcIPdpG5xYcEK LYxbKdp77RtfeyNpuh188TtMOFdvpi7MtxblSSATxW37OQgsurMh3NJGPhH1/RUWWQmi XfmP0aF1DpbeEPNxXZnLM7rS0pHYkBR/R/mM2QgnAAE6BnBHAlWzK0C7CkIwCPLM+GIF korqtHv0oyre4ekV65dNCZhOzjvbSl7nfYfOuJCQBmbjcDzJYBw+vqV4hc1ZrUGXij9E TH6g== X-Received: by 10.15.90.139 with SMTP id q11mr11761330eez.137.1370877480408; Mon, 10 Jun 2013 08:18:00 -0700 (PDT) Received: from chu (243.100.196.88.dyn.estpak.ee. [88.196.100.243]) by mx.google.com with ESMTPSA id f9sm5669338eev.9.2013.06.10.08.17.58 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 10 Jun 2013 08:17:59 -0700 (PDT) Sender: =?UTF-8?Q?Priit_J=C3=A4rv?= Date: Mon, 10 Jun 2013 18:10:10 +0300 (EEST) From: priit@cc.ttu.ee X-X-Sender: priit@chu To: freebsd-security@freebsd.org Subject: libarchive and MAC labels Message-ID: User-Agent: Alpine 2.03 (LNX 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jun 2013 15:18:01 -0000 I've created a patch for libarchive that allows storing and restoring MAC labels from/to a multilabel filesystem using bsdtar. Now before going anywhere with this I had a few questions: - how much general interest is there in such a feature? Would this be a welcome addition to libarchive, either "upstream" or as integrated in the system source tree. I would be especially interested in the opinion of people who have already been involved with the MAC development. - right now the labels are stored silently, similar to ACL-s and extended attributes. They are not extracted by default, only when the '-p' option is specified (default as root). This seems consistent, however it would also be possible to add a switch so that the labels wouldn't be archived unless explicitly requested. - the labels are stored in text representation, as converted by mac_to_text(). This could potentially cause some future breakage, if the text representation ever changes. Also, restoring a label partially (let's say a biba+MLS label with only biba enabled) does not work. Any thoughts on that? Thanks, Priit. From owner-freebsd-security@FreeBSD.ORG Mon Jun 10 23:07:26 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 8C9872F7; Mon, 10 Jun 2013 23:07:26 +0000 (UTC) (envelope-from brooks@lor.one-eyed-alien.net) Received: from lor.one-eyed-alien.net (lor.one-eyed-alien.net [69.66.77.232]) by mx1.freebsd.org (Postfix) with ESMTP id 787D01949; Mon, 10 Jun 2013 23:07:25 +0000 (UTC) Received: from lor.one-eyed-alien.net (localhost [127.0.0.1]) by lor.one-eyed-alien.net (8.14.5/8.14.5) with ESMTP id r5AN7H2u083709; Mon, 10 Jun 2013 18:07:17 -0500 (CDT) (envelope-from brooks@lor.one-eyed-alien.net) Received: (from brooks@localhost) by lor.one-eyed-alien.net (8.14.5/8.14.5/Submit) id r5AN7HCP083708; Mon, 10 Jun 2013 18:07:17 -0500 (CDT) (envelope-from brooks) Date: Mon, 10 Jun 2013 18:07:17 -0500 From: Brooks Davis To: Pawel Jakub Dawidek Subject: Re: Request for review: Sandboxing dhclient using Capsicum. Message-ID: <20130610230717.GF73639@lor.one-eyed-alien.net> References: <20130608223346.GA2468@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20130608223346.GA2468@garage.freebsd.pl> User-Agent: Mutt/1.5.21 (2010-09-15) X-Mailman-Approved-At: Tue, 11 Jun 2013 02:05:27 +0000 Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jun 2013 23:07:26 -0000 On Sun, Jun 09, 2013 at 12:33:46AM +0200, Pawel Jakub Dawidek wrote: > I'd appreciate any review, especially security audit of the proposed > changes. The new and most critical function is probably send_packet_priv(). I've looked over the diff and not found any significant issues, but have a few comments in order of most to least important. In change 229477 using a cached hostname may change behavior if the host is renamed as a result of dhclient operation. The new behavior might be more correct, at least it would be if we reliably restored the host name on termination. I think the change is fine, but we should be keep an eye out for problem reports. In change 229476 I noticed there is a constant 0x1fff that you've moved around. It was already there, but it seems like an unnecessary magic number. In the send_packet_* function declarations in dhcpd.h, you have included variable names which is inconsistent with the surrounding definitions. I saw a few style/whitespace fixed mixed in that should be batched, probably before the substantive commits. -- Brooks From owner-freebsd-security@FreeBSD.ORG Tue Jun 11 19:31:55 2013 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id C067EF26; Tue, 11 Jun 2013 19:31:55 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id 8CA6A1832; Tue, 11 Jun 2013 19:31:55 +0000 (UTC) Received: from localhost (89-73-195-149.dynamic.chello.pl [89.73.195.149]) by mail.dawidek.net (Postfix) with ESMTPSA id BE9DA4B3; Tue, 11 Jun 2013 21:27:25 +0200 (CEST) Date: Tue, 11 Jun 2013 21:31:59 +0200 From: Pawel Jakub Dawidek To: Brooks Davis Subject: Re: Request for review: Sandboxing dhclient using Capsicum. Message-ID: <20130611193158.GA1387@garage.freebsd.pl> References: <20130608223346.GA2468@garage.freebsd.pl> <20130610230717.GF73639@lor.one-eyed-alien.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="PNTmBPCT7hxwcZjr" Content-Disposition: inline In-Reply-To: <20130610230717.GF73639@lor.one-eyed-alien.net> X-OS: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-security@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jun 2013 19:31:55 -0000 --PNTmBPCT7hxwcZjr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 10, 2013 at 06:07:17PM -0500, Brooks Davis wrote: > On Sun, Jun 09, 2013 at 12:33:46AM +0200, Pawel Jakub Dawidek wrote: > > I'd appreciate any review, especially security audit of the proposed > > changes. The new and most critical function is probably send_packet_pri= v(). >=20 > I've looked over the diff and not found any significant issues, but have > a few comments in order of most to least important. >=20 > In change 229477 using a cached hostname may change behavior if the host > is renamed as a result of dhclient operation. The new behavior might be > more correct, at least it would be if we reliably restored the host name > on termination. I think the change is fine, but we should be keep an > eye out for problem reports. Yes, I'm aware of that possibility, I just don't think this is a big deal. The hostname could be changed right after sending discover/request and it will take a long while before the new one is send. > In change 229476 I noticed there is a constant 0x1fff that you've moved > around. It was already there, but it seems like an unnecessary magic > number. I agree, but I was trying to avoid changes not strictly related to sandboxing. It was very hard to resist, belive me. For example I started removing 'ifi' global variable, which I really don't like, but decided to leave it for now (later I only changed variable name in disassoc() that shadowed this global variable). > In the send_packet_* function declarations in dhcpd.h, you have included > variable names which is inconsistent with the surrounding definitions. Fixed. Thanks for the review! --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://mobter.com --PNTmBPCT7hxwcZjr Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (FreeBSD) iEYEARECAAYFAlG3ey4ACgkQForvXbEpPzTfEwCg3rlUA3Z3vFYYQR4QV/zO4N4x rPsAnj4IhgEpEcACkBCGuJ+P8LCt5CVU =RGeE -----END PGP SIGNATURE----- --PNTmBPCT7hxwcZjr-- From owner-freebsd-security@FreeBSD.ORG Wed Jun 12 07:40:48 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id E8B69DBD for ; Wed, 12 Jun 2013 07:40:48 +0000 (UTC) (envelope-from dewayne.geraghty@heuristicsystems.com.au) Received: from nskntmtas02p.mx.bigpond.com (nskntmtas02p.mx.bigpond.com [61.9.168.140]) by mx1.freebsd.org (Postfix) with ESMTP id 89A901767 for ; Wed, 12 Jun 2013 07:40:47 +0000 (UTC) Received: from nskntcmgw05p ([61.9.169.165]) by nskntmtas02p.mx.bigpond.com with ESMTP id <20130612074041.KVNR1968.nskntmtas02p.mx.bigpond.com@nskntcmgw05p>; Wed, 12 Jun 2013 07:40:41 +0000 Received: from hermes.heuristicsystems.com.au ([58.172.113.247]) by nskntcmgw05p with BigPond Outbound id nKgg1l00Y5LKYmq01KghzJ; Wed, 12 Jun 2013 07:40:41 +0000 X-Authority-Analysis: v=2.0 cv=G7ae4qY5 c=1 sm=1 a=YibVxx38Z+cwdCKSMcELyg==:17 a=twTT4oUKOlYA:10 a=kj9zAlcOel0A:10 a=GHIR_BbyAAAA:8 a=0_2LO_3MbHgA:10 a=6I5d2MoRAAAA:8 a=JjkoZ4b7lnnWL_unQGIA:9 a=CjuIK1q_8ugA:10 a=SV7veod9ZcQA:10 a=YibVxx38Z+cwdCKSMcELyg==:117 Received: from white (white.hs [10.0.5.2]) (authenticated bits=0) by hermes.heuristicsystems.com.au (8.14.5/8.13.6) with ESMTP id r5C7eMmd020053; Wed, 12 Jun 2013 17:40:24 +1000 (EST) (envelope-from dewayne.geraghty@heuristicsystems.com.au) From: "Dewayne Geraghty" To: References: Subject: RE: libarchive and MAC labels Date: Wed, 12 Jun 2013 17:40:22 +1000 Message-ID: <62DD3F47DDCD4105AC023171CCF8BDA2@white> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: Thread-Index: Ac5l7cGYN6acMYLtTT6W7BkBdTNkAQBTPVtQ X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157 X-Mailman-Approved-At: Wed, 12 Jun 2013 11:33:32 +0000 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Jun 2013 07:40:49 -0000 > -----Original Message----- > From: owner-freebsd-security@freebsd.org > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of > priit@cc.ttu.ee > Sent: Tuesday, 11 June 2013 1:10 AM > To: freebsd-security@freebsd.org > Subject: libarchive and MAC labels > > I've created a patch for libarchive that allows storing and > restoring MAC labels from/to a multilabel filesystem using > bsdtar. Now before going anywhere with this I had a few questions: > > - how much general interest is there in such a feature? Would > this be a welcome addition to libarchive, either "upstream" > or as integrated in the system source tree. I would be > especially interested in the opinion of people who have > already been involved with the MAC development. > > - right now the labels are stored silently, similar to ACL-s > and extended attributes. They are not extracted by default, > only when the '-p' option is specified (default as root). > This seems consistent, however it would also be possible to > add a switch so that the labels wouldn't be archived unless > explicitly requested. > > - the labels are stored in text representation, as converted > by mac_to_text(). This could potentially cause some future > breakage, if the text representation ever changes. Also, > restoring a label partially (let's say a biba+MLS label with > only biba enabled) does not work. Any thoughts on that? > > Thanks, > Priit. > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" Priit, Thank-you for addressing a significant backup/recovery shortcoming. I've used biba extensively, however if files/directories are backed-up with MLS+biba and recovered in a biba only environment, that is the sysadmin choice. Warning messages are fine, but the restoration should continue (if possible). Regards, Dewayne.