From owner-freebsd-security@FreeBSD.ORG Tue Feb 11 10:35:56 2014
From: Borja Marcos
Date: Tue, 11 Feb 2014 11:28:22 +0100
To: freebsd-security@freebsd.org
Subject: Proposal: tunable default/init label for MAC policies
Message-Id: <5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F@sarenet.es>

(I've just sent this to trustedbsd-discuss but the list is probably dead, so I am crossposting)

Hello,

I am using a combination of mac_biba, mac_mls and mac_bsdextended to secure a shared hosting web server. The goals of each policy are:

- mac_biba: Protect the integrity of the OS and configuration files against actions derived from a security breach of a user's website. Example, the typical PHP crap. Any descendant of a user process should be unable to modify anything but the files in that user's directory.

- mac_mls: Protect certain sensible files against read access by descendants of user processes. For example, we wish to protect key system files from Apache and its descendants, and Apache configuration files themselves from PHP/CGI processes or, of course, their descendants.

- mac_bsdextended so that users whose uid falls inside the "hosting users" set, imagine, 10000-20000, can't see processes or files belonging to other uids within that set.

The intent is to minimize surprise (hence, no need for a lot of technical support to adapt crappy CGI/PHP code for security requirements) but, at the same time, keeping good security measures.

This scheme has been used for years with very good results, without the mls policy, but we have stumbled upon an obstacle with MLS. The mls module defines a default mls label of mls/low, which gets applied to processes that haven't been spawned after a setusercontext() call. So, for example, applying an mls/high label to the ssh private keys makes sshd inoperable, as it's launched by init, and gets an mls/low label, unable to read its private keys.

A tunable like security.mac.{mls,biba...}.default_label or, maybe, more appropriately, security.{mac,biba...}.init_label would allow the administrator to, for example, limit the usage of the MAC policies to descendants of certain processes. In our case, with most of the OS having the usual Unix security requirements, except for the intrinsically dangerous stuff such as Apache and PHP/CGIs, init labels of {mls,biba}/equal would be more than enough, applying the necessary labels to the untrusted processes.

What do you think? I am sure this makes the MAC policies much more useful, and much easier to integrate with the typical Unix software without unnecessary incompatibilities, and of course not just for our particular scenario.

Borja.
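As an added illustration of the label semantics behind the sshd problem described above (example code written for this archive page, not code from the thread or from FreeBSD itself): a small Python model of the read/write decisions mac_mls(4) and mac_biba(4) make for the label forms the proposal uses. A subject reads under MLS only if its label dominates the object's, and under Biba only if the object's label dominates the subject's; mls/equal and biba/equal dominate and are dominated by everything. The model also accepts the grade:compartment form (e.g. mls/5:2+3), which goes beyond the labels the post names. The labels in sshd_scenario are constructed for the example, and all function names are this example's own.

```python
# Added example, not code from the thread or from FreeBSD. Models the
# read/write decisions of mac_mls(4) and mac_biba(4) for mls/low, mls/high,
# mls/equal, mls/grade[:compartments] and the biba/ counterparts, and
# reproduces the case from the proposal: sshd inherits the default mls/low
# from init and therefore cannot read host keys labelled mls/high.
from dataclasses import dataclass
import re

LABEL_RE = re.compile(r"^(mls|biba)/(low|high|equal|\d+(?::[\d+]+)?)$")


@dataclass(frozen=True)
class Label:
    policy: str                      # "mls" or "biba"
    kind: str                        # "low", "high", "equal" or "grade"
    grade: int = 0
    compartments: frozenset = frozenset()

    @classmethod
    def parse(cls, text: str) -> "Label":
        m = LABEL_RE.match(text)
        if not m:
            raise ValueError(f"malformed label: {text!r}")
        policy, body = m.groups()
        if body in ("low", "high", "equal"):
            return cls(policy, body)
        grade, _, comps = body.partition(":")
        cset = frozenset(int(c) for c in comps.split("+") if c)
        return cls(policy, "grade", int(grade), cset)


def dominates(a: Label, b: Label) -> bool:
    """True if a >= b in the policy lattice: 'equal' compares true both ways,
    'low' is the bottom, 'high' the top, and for grades a's grade must be
    >= b's with a's compartment set a superset of b's."""
    if a.policy != b.policy:
        raise ValueError("labels belong to different policies")
    if a.kind == "equal" or b.kind == "equal":
        return True
    if a.kind == "high" or b.kind == "low":
        return True
    if a.kind == "low" or b.kind == "high":
        return False
    return a.grade >= b.grade and a.compartments >= b.compartments


def may_read(subject: str, obj: str) -> bool:
    """MLS (confidentiality): subject must dominate object (no read up).
    Biba (integrity): object must dominate subject (no read down)."""
    s, o = Label.parse(subject), Label.parse(obj)
    return dominates(s, o) if s.policy == "mls" else dominates(o, s)


def may_write(subject: str, obj: str) -> bool:
    """MLS: object must dominate subject (no write down).
    Biba: subject must dominate object (no write up)."""
    s, o = Label.parse(subject), Label.parse(obj)
    return dominates(o, s) if s.policy == "mls" else dominates(s, o)


def sshd_scenario() -> dict:
    """Constructed labels mirroring the proposal: host keys at mls/high,
    sshd started by init at the policy default (mls/low) versus at the
    proposed init label mls/equal, plus the hosting-server cases."""
    key = "mls/high"
    return {
        "sshd_at_default_low_reads_key": may_read("mls/low", key),
        "sshd_at_equal_reads_key": may_read("mls/equal", key),
        # a PHP/CGI child at mls/low must not read Apache config at mls/high
        "php_reads_apache_conf": may_read("mls/low", "mls/high"),
        # biba: a breached user process at biba/low must not modify /etc
        "user_proc_writes_etc": may_write("biba/low", "biba/high"),
        "user_proc_writes_own_dir": may_write("biba/low", "biba/low"),
    }


if __name__ == "__main__":
    for name, allowed in sshd_scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running the block prints one line per case; the first two show the proposal's point directly: the same sshd binary is denied its keys at mls/low and permitted them at mls/equal, without any label on sshd's own files having to change.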
From owner-freebsd-security@FreeBSD.ORG Tue Feb 11 17:27:31 2014
From: Andreas Jonsson
Date: Tue, 11 Feb 2014 18:27:25 +0100
To: freebsd-security@freebsd.org
Subject: Re: Proposal: tunable default/init label for MAC policies
Message-ID: <52FA5D7D.9010402@romab.com>
In-Reply-To: <5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F@sarenet.es>

On 2014-02-11 11:28, Borja Marcos wrote:
> A tunable like security.mac.{mls,biba...}.default_label or, maybe,
> more appropriately, security.{mac,biba...}.init_label would allow the
> administrator to, for example, limit the usage of the MAC policies to
> descendants of certain processes. In our case, with most of the OS
> having the usual Unix security requirements, except for the
> intrinsically dangerous stuff such as Apache and PHP/CGIs, init labels
> of {mls,biba}/equal would be more than enough, applying the necessary
> labels to the untrusted processes.
>
> What do you think? I am sure this makes the MAC policies much more
> useful, and much easier to integrate with the typical Unix software
> without unnecessary incompatibilities, and of course not just for our
> particular scenario.
>
> Borja.

Hi list,

I think that being able to set the MAC process label from rc.conf would be a better and more flexible way of moving forward, so that modifying rc-scripts everywhere would be unnecessary.

Thinking about how to handle this in the context of jails would also be nice. Currently using jail_poststart_exec to jexec with the correct label is a bit of a pain. Perhaps there is a better way that I am unaware of?

br andreas

From owner-freebsd-security@FreeBSD.ORG Wed Feb 12 00:39:09 2014
From: John-Mark Gurney
Date: Tue, 11 Feb 2014 16:39:07 -0800
To: freebsd-security@FreeBSD.org, arch@FreeBSD.org
Subject: Re: CFR: unifying sha256 userland/kernel implementation...
Message-ID: <20140212003907.GM34851@funkthat.com>
In-Reply-To: <20140211185639.GK34851@funkthat.com>

John-Mark Gurney wrote this message on Tue, Feb 11, 2014 at 10:56 -0800:
> I did some performance testing on sha256, and found that the libmd
> version is significantly faster, ~20%, than the kernel version. Even
> if you enable SHA2_UNROLL_TRANSFORM (which isn't the default), the
> version in libmd is still faster.
>
> So, this patch moves libmd's sha256c.c and sha256.h into the kernel,
> and adapts the userland to pull the version from the kernel. This
> change removes sha256 from the existing sha2.c file, and does some
> minor cleanup of types in sha2.
>
> I have tested this w/ ZFS using sha256 checksums, and a ZFS made
> pre-patch is read fine by a kernel post patch. I have also run
> the tests in lib/libmd and they all pass fine. Passes
> buildworld/buildkernel/installkernel/reboot/installworld/reboot/test.
>
> Patch:
> https://www.funkthat.com/~jmg/sha256.kern.patch
>
> Following stats are in seconds to digest 100000 10000-byte blocks,
> calculated using sha256 -t:
> $ ministat soft.times kernsoft.times
> x soft.times
> + kernsoft.times
> +------------------------------------------------------------------------------+
> |x xx xx +++ + +|
> | |___________AM_________| |_______M_____A______________| |
> +------------------------------------------------------------------------------+
>     N           Min           Max        Median           Avg        Stddev
> x   5      6.775387      8.279581      7.848128      7.792094    0.60912664
> +   5      8.997429     10.768921      9.090787     9.4359144    0.75040822
> Difference at 95.0% confidence
>         1.64382 +/- 0.99674
>         21.096% +/- 12.7917%
>         (Student's t, pooled s = 0.683428)
>
> This is in preparation of bringing in an SSE4 accelerated version of
> sha256 (for both userland and kernel) that sees a 2x performance
> increase.

Sorry, security@ != freebsd-security@... This is now going to the correct email..

--
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
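To make the ministat figures quoted above checkable by hand, here is an added Python example (written for this archive page; not part of the message and not ministat's own code). It parses the quoted summary rows and recomputes the "Difference at 95.0% confidence" block from only the N, Avg and Stddev columns, using the pooled-variance Student's t interval that ministat(1) reports. The timing rows are copied from the quote; the t quantile table is from standard statistical tables; the function names, QUOTED_OUTPUT and the regular expression are this example's own.

```python
# Added example, not from the thread and not ministat's code: recompute the
# 95% confidence interval ministat(1) printed for the two sha256 timing sets
# (x = libmd sha256c.c, + = kernel sha2.c) from the quoted summary rows.
import math
import re

# Two-sided 95% Student's t quantiles (t_{0.975,df}) for small degrees of
# freedom, taken from standard tables; ministat carries an equivalent table.
T_975 = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571, 6: 2.447,
         7: 2.365, 8: 2.306, 9: 2.262, 10: 2.228, 12: 2.179, 14: 2.145,
         16: 2.120, 18: 2.101, 20: 2.086, 30: 2.042}

# One ministat data row, optionally behind mail quoting ("> ").
ROW_RE = re.compile(
    r"^[> ]*([x+])\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")

# The rows as quoted in the message, copied verbatim including the quoting.
QUOTED_OUTPUT = """\
> N Min Max Median Avg Stddev
> x 5 6.775387 8.279581 7.848128 7.792094 0.60912664
> + 5 8.997429 10.768921 9.090787 9.4359144 0.75040822
"""


def parse_ministat_rows(text):
    """Return {marker: {n, min, max, median, avg, stddev}} per data row."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            marker, n, lo, hi, med, avg, sd = m.groups()
            rows[marker] = {"n": int(n), "min": float(lo), "max": float(hi),
                            "median": float(med), "avg": float(avg),
                            "stddev": float(sd)}
    return rows


def compare(base, other):
    """ministat's 'Difference at 95.0% confidence' block: mean(other) -
    mean(base) with a pooled-variance Student's t half-width."""
    df = base["n"] + other["n"] - 2
    if df not in T_975:
        raise ValueError(f"no t quantile tabulated for df={df}")
    pooled = math.sqrt(((base["n"] - 1) * base["stddev"] ** 2
                        + (other["n"] - 1) * other["stddev"] ** 2) / df)
    diff = other["avg"] - base["avg"]
    half = T_975[df] * pooled * math.sqrt(1 / base["n"] + 1 / other["n"])
    return {
        "diff": diff,
        "halfwidth": half,
        "pct": 100 * diff / base["avg"],
        "pct_halfwidth": 100 * half / base["avg"],
        "pooled_sd": pooled,
        # ministat prints "No difference proven" when 0 lies inside the interval
        "significant": abs(diff) > half,
    }


def sha256_comparison():
    """Kernel sha2.c ('+') measured against libmd sha256c.c ('x')."""
    rows = parse_ministat_rows(QUOTED_OUTPUT)
    return compare(rows["x"], rows["+"])


if __name__ == "__main__":
    r = sha256_comparison()
    print(f"{r['diff']:.5f} +/- {r['halfwidth']:.5f}")
    print(f"{r['pct']:.3f}% +/- {r['pct_halfwidth']:.4f}%")
    print(f"(Student's t, pooled s = {r['pooled_sd']:.6f})")
```

With the quoted rows the interval is 1.64382 +/- 0.99674 seconds (21.1% +/- 12.8% of the libmd time), matching ministat; the interval excludes zero, which is why ministat reports a difference rather than "No difference proven" despite only five samples per set.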
From owner-freebsd-security@FreeBSD.ORG Wed Feb 12 11:50:44 2014
From: Borja Marcos
Date: Wed, 12 Feb 2014 12:50:40 +0100
To: Andreas Jonsson
Cc: freebsd-security@freebsd.org
Subject: Re: Proposal: tunable default/init label for MAC policies
Message-Id: <43E2DE29-2349-4734-9E90-081EA5373406@sarenet.es>
In-Reply-To: <52FA5D7D.9010402@romab.com>

On Feb 11, 2014, at 6:27 PM, Andreas Jonsson wrote:

> Hi list,
> I think that being able to set the MAC process label from rc.conf would
> be a better and more flexible way of moving forward, so that modifying
> rc-scripts everywhere would be unnecessary.

For a "default" label, I think the right place is a tunable which can only be changed from loader.conf, and can't be changed while the system is running.

Something different, of course, would be the option to assign a certain label to a service, with a variable such as "apache24_maclabel" set in rc.conf. That would be great as well, but it's an entirely different issue imho. ;)

Borja.

From owner-freebsd-security@FreeBSD.ORG Fri Feb 14 14:25:25 2014
From: Pawel Jakub Dawidek
Date: Fri, 14 Feb 2014 15:26:52 +0100
To: freebsd-security@FreeBSD.org, arch@FreeBSD.org
Subject: Re: CFR: unifying sha256 userland/kernel implementation...
Message-ID: <20140214142652.GA1661@garage.freebsd.pl>
In-Reply-To: <20140212003907.GM34851@funkthat.com>

On Tue, Feb 11, 2014 at 04:39:07PM -0800, John-Mark Gurney wrote:
> John-Mark Gurney wrote this message on Tue, Feb 11, 2014 at 10:56 -0800:
> > I did some performance testing on sha256, and found that the libmd
> > version is significantly faster, ~20%, than the kernel version. Even
> > if you enable SHA2_UNROLL_TRANSFORM (which isn't the default), the
> > version in libmd is still faster.
> >
> > So, this patch moves libmd's sha256c.c and sha256.h into the kernel,
> > and adapts the userland to pull the version from the kernel. This
> > change removes sha256 from the existing sha2.c file, and does some
> > minor cleanup of types in sha2.
> >
> > I have tested this w/ ZFS using sha256 checksums, and a ZFS made
> > pre-patch is read fine by a kernel post patch. I have also run
> > the tests in lib/libmd and they all pass fine. Passes
> > buildworld/buildkernel/installkernel/reboot/installworld/reboot/test.
> >
> > Patch:
> > https://www.funkthat.com/~jmg/sha256.kern.patch
> >
> > Following stats are in seconds to digest 100000 10000-byte blocks,
> > calculated using sha256 -t:
> > $ ministat soft.times kernsoft.times
> > x soft.times
> > + kernsoft.times
> > +------------------------------------------------------------------------------+
> > |x xx xx +++ + +|
> > | |___________AM_________| |_______M_____A______________| |
> > +------------------------------------------------------------------------------+
> >     N           Min           Max        Median           Avg        Stddev
> > x   5      6.775387      8.279581      7.848128      7.792094    0.60912664
> > +   5      8.997429     10.768921      9.090787     9.4359144    0.75040822
> > Difference at 95.0% confidence
> >         1.64382 +/- 0.99674
> >         21.096% +/- 12.7917%
> >         (Student's t, pooled s = 0.683428)
> >
> > This is in preparation of bringing in an SSE4 accelerated version of
> > sha256 (for both userland and kernel) that sees a 2x performance
> > increase.

I can't wait:)

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com