Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 24 Feb 2019 11:00:15 +0100
From:      Alexander Leidinger <Alexander@leidinger.net>
To:        freebsd-rc@freebsd.org, jail@freebsd.org
Subject:   Proposal: automatic jailing of services (rc.d/*) [patch]
Message-ID:  <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net>

next in thread | raw e-mail | index | archive | help
This message is in MIME format and has been PGP signed.

--=_fy4n2tsDPmdHd3oieZ_dzqP
Content-Type: multipart/mixed; boundary="=_DFoVyw8E2SrFbHVI-kNCyDP"

This message is in MIME format.

--=_DFoVyw8E2SrFbHVI-kNCyDP
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

Thanks to MWL for his upcoming jail book, it inspired me to come up with th=
is.

Note, I'm not subscribed to freebsd-rc, please keep at least jail@ in=20=20
copy=20(I'm subscribed there).

I propose to extend the rc system to automatically jail services in a=20=20
light=20sense (off by default, can be enabled on individual service=20=20
level).=20The "light sense" means to inherit the entire host (subject to=20=
=20
options).=20All programs have still access to the entire filesystem=20=20
(subject=20to user access permissions). By default no network access.=20=20
Optional=20access to the hosts IPv4, IPv6, raw sockets or full access to=20=
=20
all=20network related parts (see below for "service jail options").=20=20
Similar=20optional access for sysvipc, mlock and vmm.

The benefit of this approach (aside of being able to prevent network=20=20
and=20other access if needed (without removing the network at all) when=20=
=20
it=20is not enabled) is to put a service and all its children into a=20=20
limited=20process namespace. A service and its children only see=20=20
themselves=20but no other processes (a rc script which uses some checks=20=
=20
in=20start_cmd to see if some other services/processes are started needs=20=
=20
to=20be modified to do the checks in start_precmd, only start_cmd (and=20=
=20
stop_cmd)=20is jailed in this design (so far), so that a service can=20=20
check=20a lot more than what is possible in a jail), and you can kill=20=20
all=20of those in one go (jail -r svcj-<svc>).
Note: this can not be used for services which require access to=20=20
/dev/(k)mem,=20as this is prohibited in a jail even if the dev-entry is=20=
=20
there=20(this means you can not enable this feature for services which=20=
=20
start=20X.org to access a graphic card without my patches for X.org in a=20=
=20
jail).=20Other hard-coded jail restrictions apply too off course.

As an example for a service which needs network access, it would have=20=20
to=20have in the rc script
: ${svcname_svcj_options:=3D"net_basic")
to specify that it needs access to IPv4, IPv6 and access to reserved=20=20
ports=20(see below for more details).
This way the service comes with a default setting and an admin can=20=20
override=20what the service is allowed to do on his discretion in rc.conf.

There are off course drawbacks, depending on your point of view. If=20=20
you=20jail sshd, you can only see processes inside the sshd service jail=20=
=20
via=20ps/top/..., you can not use commands which require access to=20=20
/dev/(k)mem,=20you can not start ntpd from such a ssh session, and you=20=
=20
can=20not manage (stop/start via rc-means or kill) stuff which is=20=20
running=20in other service jails, or in short: all hard-coded jail=20=20
restrictions=20apply. If you stop such a service jail, the current=20=20
implementation=20removes the entire service jail (after running "service=20=
=20
stop"=20inside), so for sshd this would mean that any ssh connection to=20=
=20
the=20jailed sshd is killed instead of continuing like in the non=20=20
service=20jail case. So this is not something which can by enabled by=20=20
default=20and a careful review of what shall be handled in this way=20=20
needs=20to be done instead of enabling it blindly.

To enable jailing of a service, an admin has to specify=20=20
svcname_svcj=3D"YES" in rc.conf and optionally options via=20=20
svcname_svcj_options=3D"xxx" if it wants to override the settings/access=20=
=20
specified=20in the rc script (or set it if the rc script is not yet=20=20
modified=20to support service jails).

A rc script shall not enable a service jail by default, it's up to the=20=
=20
admin=20to enable that.

This also works in jails, but requires to set children.max to an=20=20
appropriate=20value for those jails (see jail(8) or MWLs upcoming book=20=
=20
for=20more info about hierarchical jails). As we expose=20=20
security.jail.param.children.*=20in jails, we could add a safetynet=20=20
inside=20the implementation to not use service jails even if configured,=20=
=20
when=20"jailed and cur =3D max".

RC settings:
<svc>_svcj=3D"YES/NO"
<svc>_svcj_options=3D"see_below"

service jails options translations:
netv4		-> ipv4=3Dinherit allow.reserved_ports
netv6		-> ipv6=3Dinherit allow.reserved_ports
net_basic	-> ipv4=3Dinherit ipv6=3Dinherit allow.reserved_ports
net_raw		-> allow.raw_sockets
net_all		-> allow.socket_af allow.raw_sockets allow.reserved_ports=20=20
ipv4=3Dinherit ipv6=3Dinherit
sysvipc		-> sysvmsg=3Dinherit sysvsem=3Dinherit sysvshm=3Dinherit
mlock		-> allow.mlock
vmm		-> allow.vmm


Attached is a proof of concept (only lightly tested with=20=20
start/stop/status/restart)=20so that you can play around with it a=20=20
little=20bit. Please don't focus on the patch. This mail is to seek=20=20
feedback=20about the feature and the quick design so far. To make it=20=20
explicit,=20I do not ask (yet) if and which service to handle like this=20=
=20
by=20default. This is just the possibility to do something like this.

Bye,
Alexander.

--=20
http://www.Leidinger.net=20Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF

--=_DFoVyw8E2SrFbHVI-kNCyDP--

--=_fy4n2tsDPmdHd3oieZ_dzqP
Content-Type: application/pgp-signature
Content-Description: Digitale PGP-Signatur
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABAgAGBQJccmsvAAoJEBINsJsD+NiGXxQP/AkzLOI+MkW0EoQ/R+y9W/4U
CCBvuFntPLYfN3agONbLwwu/DEt8xqPRCA1UDBK2pe9UQQQj9WcXbVvb8bsr64fM
ZH+P0Wev/nkhRk0NyqQLvO0j2VRQnve9bnI8v1kdi5hjH9m796Ig81lHRBViCYTL
qyE1qz+rO5ocY8yWi98vOZy6HD32eehcl1g8KlnfD+SQ7R9uQ5lQHA1fLiFrs17L
HjVadlFX3QX6xsWKjrrQ53GTw7n+3mmtDYc+Jac+YEz5OT7TyK6tzobw6MkzNPnM
juEL4gznT17E5e1gtWIuqq+ZWGdOqNWpuTTyc6X9IO2H58kMpjWp6USk3mqjNR0x
bhaLadpsCh3yDo5c806JQ7mSYz5ryPPH7f/fYwcB99MIGcY3d+8KTgct65+pXyO8
2OxrDS3x9A+0BChFjdmNpLqoIiGBmj/3d1KaJJLbhKd0i/G+WpNdGuRiQk2N/7UD
eXpylUa8Yb+vTNvsRn3Qt6tWGctcBxidFtzSGAWycSNieWGcmwK+zH/PhiFHKSK5
O3TOBMDbsdhGjG6Re4CxI0aTHlO1Jyu9Q87eW2DUMnPS1f6dlzwS/mHv3SWGrPWm
jDwIgMBhlTFtMjowAkRmJcxn2HuvdsLz0jU4jqqcidTeCHvz9YoDiJb3rkoSxHiW
xgXoToaNcFdeU1tUXY9P
=Rx7/
-----END PGP SIGNATURE-----

--=_fy4n2tsDPmdHd3oieZ_dzqP--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM>