From owner-freebsd-security@FreeBSD.ORG Thu Jul 24 16:51:46 2008
Date: Thu, 24 Jul 2008 09:39:36 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Robert Watson
Cc: Kostik Belousov, Liste FreeBSD-security, Lyndon Nerenberg
Subject: Re: A new kind of security needed
Message-Id: <200807241639.m6OGda4b004216@apollo.backplane.com>
References: <884CB541-7977-4EF1-9B72-7226BDF30188@patpro.net> <20080717085136.B87887@fledge.watson.org> <05661513-E0DA-4B33-BD4E-FCF73943F332@orthanc.ca> <20080724090549.G63347@fledge.watson.org> <20080724085910.GG97161@deviant.kiev.zoral.com.ua> <20080724100439.D63347@fledge.watson.org>
List-Id: "Security issues [members-only posting]"

    Doesn't OpenBSD have a syscall filtering mechanic where one can
restrict the file paths the program is allowed to access?
    What I would like to see is the ability to just wrap an application
with a few process-tracked control directives which restrict what portion
of the filesystem and kernel namespace the program (and all its children)
can then access.  So, e.g. something like:

        #!/bin/csh
        #
        pmac $$ << EOF
        restrict all
        allow-read ~/.firefox /usr/pkg/bin
        allow-read /etc
        allow-write ~/.firefox ~/download
        allow-connect           <<<<<< ok that probably would be
        allow-connect named            a gaping hole, but...
        exec firefox ...
        EOF

    It seems to me it would be a fairly simple filter to make.  The problem
with using different usernames, jails, chroots... the problem with all of
that is that they are not fine-grained mechanisms and it is seriously
inconvenient to set up on an application-by-application basis.

                                                -Matt
                                        Matthew Dillon
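Added example, not part of Dillon's mail and not FreeBSD or OpenBSD code: a user-space model of the "pmac" directive language sketched above, to make concrete what the "fairly simple filter" would have to decide. The directive names (restrict all, allow-read, allow-write), the ~ expansion and the firefox policy come from the mail; the function names, the home directory /home/matt and the sample paths are assumptions made here. allow-connect is deliberately outside this filesystem-only model, and the parser rejects it rather than silently ignoring it, so a policy that names it fails closed. The one caveat the mail glosses over is also shown: prefix matching is only meaningful on a resolved absolute path, so a real kernel filter has to apply after namei() has followed symlinks and "..", and this model refuses relative paths and ".." components outright instead of pretending to canonicalise them.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example: user-space model of the "pmac" directive language from the
 * mail. Directive names come from the mail; the functions, the home directory
 * "/home/matt" and the sample paths are assumptions. Not FreeBSD/OpenBSD code. */

#define MAX_RULES 32
#define MAX_PATH  256

enum { PERM_READ = 1, PERM_WRITE = 2 };

struct rule   { char path[MAX_PATH]; int perms; };
struct policy { struct rule rules[MAX_RULES]; int nrules; int default_allow; };

/* Expand a leading "~" against the caller-supplied home directory. */
static void expand_path(const char *in, const char *home, char *out, size_t n)
{
    if (in[0] == '~' && (in[1] == '/' || in[1] == '\0'))
        snprintf(out, n, "%s%s", home, in + 1);
    else
        snprintf(out, n, "%s", in);
}

/* One directive per line: "restrict all", "allow-read P...", "allow-write P...".
 * Anything else (e.g. "allow-connect") is rejected so the policy fails closed.
 * Returns 0 on success, -1 on error. */
int policy_parse(struct policy *p, const char *text, const char *home)
{
    char buf[1024], *line, *save_line;

    memset(p, 0, sizeof *p);
    p->default_allow = 1;                        /* until "restrict all" */
    snprintf(buf, sizeof buf, "%s", text);
    for (line = strtok_r(buf, "\n", &save_line); line != NULL;
         line = strtok_r(NULL, "\n", &save_line)) {
        char *save_tok, *tok = strtok_r(line, " \t", &save_tok);
        int perms;

        if (tok == NULL)
            continue;                            /* blank line */
        if (strcmp(tok, "restrict") == 0) {
            tok = strtok_r(NULL, " \t", &save_tok);
            if (tok == NULL || strcmp(tok, "all") != 0)
                return -1;
            p->default_allow = 0;
            continue;
        }
        if (strcmp(tok, "allow-read") == 0)       perms = PERM_READ;
        else if (strcmp(tok, "allow-write") == 0) perms = PERM_WRITE;
        else                                      return -1;
        while ((tok = strtok_r(NULL, " \t", &save_tok)) != NULL) {
            if (p->nrules == MAX_RULES)
                return -1;
            expand_path(tok, home, p->rules[p->nrules].path, MAX_PATH);
            p->rules[p->nrules].perms = perms;
            p->nrules++;
        }
    }
    return 0;
}

/* True if path is prefix itself or lies below it on a directory boundary:
 * "/etc" covers "/etc/passwd" but not "/etcetera". */
static int path_under(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);

    if (strncmp(prefix, path, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/' || (n > 0 && prefix[n - 1] == '/');
}

/* 1 if every bit in `want` is granted for `path`, else 0. Rules only add
 * permissions, so the union of all matching rules is what counts. Relative
 * paths and ".." components are refused: the check is only sound on a path
 * the kernel has already resolved. */
int policy_check(const struct policy *p, const char *path, int want)
{
    size_t len = strlen(path);
    int granted = 0, i;

    if (path[0] != '/' || strstr(path, "/../") != NULL ||
        (len >= 3 && strcmp(path + len - 3, "/..") == 0))
        return 0;
    if (p->default_allow)
        return 1;
    for (i = 0; i < p->nrules; i++)
        if (path_under(p->rules[i].path, path))
            granted |= p->rules[i].perms;
    return (granted & want) == want;
}

/* Parse status for an arbitrary policy text (assumed home directory). */
int parse_status(const char *text)
{
    struct policy p;
    return policy_parse(&p, text, "/home/matt");
}

/* The mail's firefox sketch minus allow-connect; -1 if the policy fails to parse. */
int check_firefox(const char *path, int want)
{
    struct policy p;
    if (policy_parse(&p, "restrict all\n"
                         "allow-read ~/.firefox /usr/pkg/bin\n"
                         "allow-read /etc\n"
                         "allow-write ~/.firefox ~/download\n", "/home/matt") != 0)
        return -1;
    return policy_check(&p, path, want);
}

int main(void)
{
    printf("read  /etc/resolv.conf:      %d\n", check_firefox("/etc/resolv.conf", PERM_READ));
    printf("write /etc/resolv.conf:      %d\n", check_firefox("/etc/resolv.conf", PERM_WRITE));
    printf("read  ~/.ssh/id_rsa:         %d\n", check_firefox("/home/matt/.ssh/id_rsa", PERM_READ));
    printf("read  ~/download/../.ssh/..: %d\n", check_firefox("/home/matt/download/../.ssh/id_rsa", PERM_READ));
    return 0;
}
```

Two things the model makes visible that the sketch does not: the mail's policy grants ~/download write-only, so firefox could save a file there but not re-open it, and a naive prefix match on the unresolved string "~/download/../.ssh/id_rsa" would have passed as a write under ~/download, which is exactly why enforcement belongs in the kernel after path resolution and not in a wrapper comparing strings.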