From owner-freebsd-jail@freebsd.org Sun Feb 24 10:00:33 2019 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1385A15195C3 for ; Sun, 24 Feb 2019 10:00:33 +0000 (UTC) (envelope-from Alexander@leidinger.net) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 8735B8DE74 for ; Sun, 24 Feb 2019 10:00:32 +0000 (UTC) (envelope-from Alexander@leidinger.net) Received: by mailman.ysv.freebsd.org (Postfix) id 4563F15195C1; Sun, 24 Feb 2019 10:00:32 +0000 (UTC) Delivered-To: jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 122EB15195C0; Sun, 24 Feb 2019 10:00:32 +0000 (UTC) (envelope-from Alexander@leidinger.net) Received: from mailgate.Leidinger.net (mailgate.leidinger.net [IPv6:2a00:1828:2000:313::1:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C0C778DE70; Sun, 24 Feb 2019 10:00:28 +0000 (UTC) (envelope-from Alexander@leidinger.net) Date: Sun, 24 Feb 2019 11:00:15 +0100 Message-ID: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net> From: Alexander Leidinger To: freebsd-rc@freebsd.org, jail@freebsd.org Subject: Proposal: automatic jailing of services (rc.d/*) [patch] User-Agent: Horde Application Framework 5 Accept-Language: de,en Content-Type: multipart/signed; boundary="=_fy4n2tsDPmdHd3oieZ_dzqP"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 X-Rspamd-Queue-Id: C0C778DE70 X-Spamd-Bar: --------- X-Spamd-Result: default: False [-9.69 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[leidinger.net:s=outgoing-alex]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; TO_MATCH_ENVRCPT_ALL(0.00)[]; HAS_ATTACHMENT(0.00)[]; MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; DKIM_TRACE(0.00)[leidinger.net:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[leidinger.net,quarantine]; MX_GOOD(-0.01)[mailgate.leidinger.net]; SIGNED_PGP(-2.00)[]; NEURAL_HAM_SHORT(-0.98)[-0.980,0]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~]; IP_SCORE(-3.70)[ip: (-9.79), ipnet: 2a00:1828::/32(-4.86), asn: 34240(-3.83), country: DE(-0.01)]; ASN(0.00)[asn:34240, ipnet:2a00:1828::/32, country:DE]; RCVD_TLS_ALL(0.00)[]; MIME_UNKNOWN(0.10)[text/diff] X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Feb 2019 10:00:33 -0000 This message is in MIME format and has been PGP signed. --=_fy4n2tsDPmdHd3oieZ_dzqP Content-Type: multipart/mixed; boundary="=_DFoVyw8E2SrFbHVI-kNCyDP" This message is in MIME format. --=_DFoVyw8E2SrFbHVI-kNCyDP Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, Thanks to MWL for his upcoming jail book, it inspired me to come up with th= is. Note, I'm not subscribed to freebsd-rc, please keep at least jail@ in=20=20 copy=20(I'm subscribed there). I propose to extend the rc system to automatically jail services in a=20=20 light=20sense (off by default, can be enabled on individual service=20=20 level).=20The "light sense" means to inherit the entire host (subject to=20= =20 options).=20All programs have still access to the entire filesystem=20=20 (subject=20to user access permissions). By default no network access.=20=20 Optional=20access to the hosts IPv4, IPv6, raw sockets or full access to=20= =20 all=20network related parts (see below for "service jail options").=20=20 Similar=20optional access for sysvipc, mlock and vmm. The benefit of this approach (aside of being able to prevent network=20=20 and=20other access if needed (without removing the network at all) when=20= =20 it=20is not enabled) is to put a service and all its children into a=20=20 limited=20process namespace. A service and its children only see=20=20 themselves=20but no other processes (a rc script which uses some checks=20= =20 in=20start_cmd to see if some other services/processes are started needs=20= =20 to=20be modified to do the checks in start_precmd, only start_cmd (and=20= =20 stop_cmd)=20is jailed in this design (so far), so that a service can=20=20 check=20a lot more than what is possible in a jail), and you can kill=20=20 all=20of those in one go (jail -r svcj-). Note: this can not be used for services which require access to=20=20 /dev/(k)mem,=20as this is prohibited in a jail even if the dev-entry is=20= =20 there=20(this means you can not enable this feature for services which=20= =20 start=20X.org to access a graphic card without my patches for X.org in a=20= =20 jail).=20Other hard-coded jail restrictions apply too off course. As an example for a service which needs network access, it would have=20=20 to=20have in the rc script : ${svcname_svcj_options:=3D"net_basic") to specify that it needs access to IPv4, IPv6 and access to reserved=20=20 ports=20(see below for more details). This way the service comes with a default setting and an admin can=20=20 override=20what the service is allowed to do on his discretion in rc.conf. There are off course drawbacks, depending on your point of view. If=20=20 you=20jail sshd, you can only see processes inside the sshd service jail=20= =20 via=20ps/top/..., you can not use commands which require access to=20=20 /dev/(k)mem,=20you can not start ntpd from such a ssh session, and you=20= =20 can=20not manage (stop/start via rc-means or kill) stuff which is=20=20 running=20in other service jails, or in short: all hard-coded jail=20=20 restrictions=20apply. If you stop such a service jail, the current=20=20 implementation=20removes the entire service jail (after running "service=20= =20 stop"=20inside), so for sshd this would mean that any ssh connection to=20= =20 the=20jailed sshd is killed instead of continuing like in the non=20=20 service=20jail case. So this is not something which can by enabled by=20=20 default=20and a careful review of what shall be handled in this way=20=20 needs=20to be done instead of enabling it blindly. To enable jailing of a service, an admin has to specify=20=20 svcname_svcj=3D"YES" in rc.conf and optionally options via=20=20 svcname_svcj_options=3D"xxx" if it wants to override the settings/access=20= =20 specified=20in the rc script (or set it if the rc script is not yet=20=20 modified=20to support service jails). A rc script shall not enable a service jail by default, it's up to the=20= =20 admin=20to enable that. This also works in jails, but requires to set children.max to an=20=20 appropriate=20value for those jails (see jail(8) or MWLs upcoming book=20= =20 for=20more info about hierarchical jails). As we expose=20=20 security.jail.param.children.*=20in jails, we could add a safetynet=20=20 inside=20the implementation to not use service jails even if configured,=20= =20 when=20"jailed and cur =3D max". RC settings: _svcj=3D"YES/NO" _svcj_options=3D"see_below" service jails options translations: netv4 -> ipv4=3Dinherit allow.reserved_ports netv6 -> ipv6=3Dinherit allow.reserved_ports net_basic -> ipv4=3Dinherit ipv6=3Dinherit allow.reserved_ports net_raw -> allow.raw_sockets net_all -> allow.socket_af allow.raw_sockets allow.reserved_ports=20=20 ipv4=3Dinherit ipv6=3Dinherit sysvipc -> sysvmsg=3Dinherit sysvsem=3Dinherit sysvshm=3Dinherit mlock -> allow.mlock vmm -> allow.vmm Attached is a proof of concept (only lightly tested with=20=20 start/stop/status/restart)=20so that you can play around with it a=20=20 little=20bit. Please don't focus on the patch. This mail is to seek=20=20 feedback=20about the feature and the quick design so far. To make it=20=20 explicit,=20I do not ask (yet) if and which service to handle like this=20= =20 by=20default. This is just the possibility to do something like this. Bye, Alexander. --=20 http://www.Leidinger.net=20Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_DFoVyw8E2SrFbHVI-kNCyDP-- --=_fy4n2tsDPmdHd3oieZ_dzqP Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJccmsvAAoJEBINsJsD+NiGXxQP/AkzLOI+MkW0EoQ/R+y9W/4U CCBvuFntPLYfN3agONbLwwu/DEt8xqPRCA1UDBK2pe9UQQQj9WcXbVvb8bsr64fM ZH+P0Wev/nkhRk0NyqQLvO0j2VRQnve9bnI8v1kdi5hjH9m796Ig81lHRBViCYTL qyE1qz+rO5ocY8yWi98vOZy6HD32eehcl1g8KlnfD+SQ7R9uQ5lQHA1fLiFrs17L HjVadlFX3QX6xsWKjrrQ53GTw7n+3mmtDYc+Jac+YEz5OT7TyK6tzobw6MkzNPnM juEL4gznT17E5e1gtWIuqq+ZWGdOqNWpuTTyc6X9IO2H58kMpjWp6USk3mqjNR0x bhaLadpsCh3yDo5c806JQ7mSYz5ryPPH7f/fYwcB99MIGcY3d+8KTgct65+pXyO8 2OxrDS3x9A+0BChFjdmNpLqoIiGBmj/3d1KaJJLbhKd0i/G+WpNdGuRiQk2N/7UD eXpylUa8Yb+vTNvsRn3Qt6tWGctcBxidFtzSGAWycSNieWGcmwK+zH/PhiFHKSK5 O3TOBMDbsdhGjG6Re4CxI0aTHlO1Jyu9Q87eW2DUMnPS1f6dlzwS/mHv3SWGrPWm jDwIgMBhlTFtMjowAkRmJcxn2HuvdsLz0jU4jqqcidTeCHvz9YoDiJb3rkoSxHiW xgXoToaNcFdeU1tUXY9P =Rx7/ -----END PGP SIGNATURE----- --=_fy4n2tsDPmdHd3oieZ_dzqP--