From: Matthew Dillon <dillon@apollo.backplane.com>
Date: Thu, 24 Jul 2008 16:20:25 -0700 (PDT)
To: Kostik Belousov, Liste FreeBSD-security, Robert Watson, Lyndon Nerenberg
Subject: Re: A new kind of security needed
Message-Id: <200807242320.m6ONKPgW007279@apollo.backplane.com>
References: <60254.1216921273@critter.freebsd.dk> <4888C882.30707@elischer.org>
List: freebsd-security@freebsd.org

    Well, what we are talking about here is not just copying OpenBSD, but
    perhaps providing a similar feature that doesn't have the same security
    failings.

    I think the best way to approach the problem is to work out the desired
    userland API first... find the easiest and most convenient way to wrap
    an application, what kind of features are desired, etc., and then
    implement it.
    It seems to me that while there are many system calls which can
    indirectly provide filesystem accessibility (1), the biggest guns are
    the ones which have to run through namei(). That bodes very well for
    being able to code up namespace controls that would also properly
    operate across softlinks. FreeBSD's namei() does do a copyinstr()... at
    that point the path and its various components are in kernel space.

    The only gotcha that I see is how to match directory-relative
    components against global paths. You might need a working kernel-side
    CWD for that. I dunno, I haven't thought that far ahead.

    (note 1): For a production system I think one must separate recovery
    from exploitation. The idea of having namespace restrictions is not to
    prevent the exploitation from occurring, but instead to prevent it from
    causing so much damage that the sysad is forced to compare the entire
    set of accessible filesystems against backups to revalidate the system.

					-Matt
					Matthew Dillon
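The "gotcha" in the message above, matching a directory-relative path against a global (absolute) policy, can be modelled in userland to see why a working CWD is needed. The following is an added example, not part of Matthew Dillon's message and not FreeBSD kernel code: it takes a process's working directory and a path as it would be handed to a system call, normalizes it lexically (".", "..", repeated and trailing slashes, ".." at the root staying at the root as the kernel does) into an absolute path, and then checks it against a constructed list of allowed namespace roots, matching on whole components so that "/tmpfoo" does not pass for "/tmp". The allowed roots, the CWD value and the sample paths are all constructed for the illustration. Note the limitation the comments call out: a lexical check never sees symlinks, so "uploads/link/../../etc" can only be judged correctly where each component is actually resolved, which is exactly why the message points at namei() rather than at a wrapper around the path string.

```c
/* Added example, not from the original message or from FreeBSD's kernel.
 * Userland model of the namespace check discussed above: resolve a
 * directory-relative path against a known CWD, then match the absolute
 * result against allowed subtrees. Policy, CWD and inputs are constructed.
 *
 * Limitation (the reason a real implementation belongs in namei()): this
 * is purely lexical. A symlink component is treated like any other name,
 * so a link pointing outside the allowed subtree is not detected here. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAXPATH 1024

/* Normalize `path` relative to absolute `cwd` into `out` (size outsz).
 * Returns 0 on success, -1 if an intermediate or final buffer would
 * overflow. ".." at the root is a no-op, matching kernel behaviour. */
int normalize_path(const char *cwd, const char *path, char *out, size_t outsz)
{
    char buf[MAXPATH];
    const char *comps[MAXPATH / 2];     /* component pointers into buf */
    size_t ncomp = 0;
    int n;

    /* Absolute paths ignore the CWD; relative ones are joined to it. */
    n = (path[0] == '/') ? snprintf(buf, sizeof buf, "%s", path)
                         : snprintf(buf, sizeof buf, "%s/%s", cwd, path);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;

    /* Split on '/' (strtok collapses repeated and trailing slashes),
     * applying "." and ".." to the component stack as we go. */
    for (char *p = strtok(buf, "/"); p != NULL; p = strtok(NULL, "/")) {
        if (strcmp(p, ".") == 0)
            continue;
        if (strcmp(p, "..") == 0) {
            if (ncomp > 0)
                ncomp--;
            continue;
        }
        comps[ncomp++] = p;
    }

    if (ncomp == 0) {
        if (outsz < 2)
            return -1;
        strcpy(out, "/");
        return 0;
    }

    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < ncomp; i++) {
        n = snprintf(out + used, outsz - used, "/%s", comps[i]);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Convenience wrapper returning a static buffer (not thread-safe), or NULL
 * on failure. */
const char *normalize_str(const char *cwd, const char *path)
{
    static char abs[MAXPATH];
    return normalize_path(cwd, path, abs, sizeof abs) == 0 ? abs : NULL;
}

/* Constructed policy: the wrapped application may only touch these trees. */
static const char *allowed_roots[] = { "/var/www/data", "/tmp" };

/* 1 if abs_path is at or below an allowed root, matched on whole components
 * so "/tmpfoo/x" does not match the root "/tmp"; otherwise 0. */
int path_allowed(const char *abs_path)
{
    for (size_t i = 0; i < sizeof allowed_roots / sizeof allowed_roots[0]; i++) {
        const char *root = allowed_roots[i];
        size_t rl = strlen(root);
        if (strncmp(abs_path, root, rl) == 0 &&
            (abs_path[rl] == '\0' || abs_path[rl] == '/'))
            return 1;
    }
    return 0;
}

/* The check as a syscall wrapper would apply it: 1 allow, 0 deny, -1 error. */
int check_access(const char *cwd, const char *path)
{
    char abs[MAXPATH];
    if (normalize_path(cwd, path, abs, sizeof abs) != 0)
        return -1;
    return path_allowed(abs);
}

int main(void)
{
    const char *cwd = "/var/www/data/uploads";   /* constructed CWD */
    const char *samples[] = {
        "../../../../etc/passwd", "./a/../b.txt", "/tmp/x", "/tmpfoo/x", "a//b/"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %-32s %s\n", samples[i], normalize_str(cwd, samples[i]),
               check_access(cwd, samples[i]) == 1 ? "allow" : "deny");
    return 0;
}
```

The model makes the dependency explicit: without the CWD string the relative inputs cannot be placed in the global namespace at all, and the kernel tracks a process's working directory as a vnode reference rather than as a string, so a path-prefix policy has to either be evaluated component by component inside the lookup or be given a kernel-maintained CWD path to join against.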