From owner-freebsd-hackers@freebsd.org Wed Mar 14 00:16:50 2018 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7D99CF2F245 for ; Wed, 14 Mar 2018 00:16:50 +0000 (UTC) (envelope-from theron.tarigo@gmail.com) Received: from mail-qt0-x22f.google.com (mail-qt0-x22f.google.com [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 10E1C7E264 for ; Wed, 14 Mar 2018 00:16:50 +0000 (UTC) (envelope-from theron.tarigo@gmail.com) Received: by mail-qt0-x22f.google.com with SMTP id g60so1660057qtd.11 for ; Tue, 13 Mar 2018 17:16:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=Y1zuGJ6mlmHOF5ewRm5/zdJSLflUCLG43Ullob6GQE8=; b=DGDLxIcTUXdqZ+R7f2lXFGanJRxorKGmmjZVWOpdu/6zxCe2qQtVF0L9F8fFzg7CUO 0SjUMtEUiGTZsSR8sW6x9XI0gg50Dts6FDct/Jy6b3HDiYIqILAqtb8nLsVsmKaBLYtV Nw33+n2BAE5PZ1zburmnBvCbJKBynXJECSc8XsMHfPNaFAjba1GARLu2eWxkkA/C6dYE YAuPx/7/XZuPeW4b35agOK2yr7SFZkT9kyIFY07N4OnlZXMgenfMfu8p2kQVfZ9TSQhB pBS5f7Srf7Igw2mNidap3JAOyyhtBhoIHfOPUYbTrHjDMSsGoG00CJT9XjAx21vZHIXx 6mbg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:to:cc:references:from:message-id :date:user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=Y1zuGJ6mlmHOF5ewRm5/zdJSLflUCLG43Ullob6GQE8=; b=QAemzgFdBtg3nIYWLKyH+SL4BTl6gH5iYjuE10rozkSbuuOBt/O75uucYhEAdr/so5 /eabtqe86iEsqaBN0IpcsbztrqGC6hv+u5tAcC9NHITF7eTUs+qIK5kedJJIAk0DrO2Q exqFxRMI/EE1xD54uVBxRfF9If94xoUGCFRCcWM7pGfy4szFzY2xf3HUrza1hrTUMX9v vQzeX66G0B8il2Q4UGLOrSqr3Q2hIP4lWcaKg4NHnvlAqHsFpo7yARJ2DwRkZ62nz7DZ dfLAlSg2A9Jwt9qrQRujuGvt7lglxCLVwQhFfexmLcUwnYUU4lyb0FX88s8gLMKTnM06 1jUg== X-Gm-Message-State: AElRT7HUVYlCRKSbIZFM7WrWIxqB3Xcwp5pIFY6Cj1Ds9y7Q8RMAdznW 3LhX15mBpTuFAX2ZGq+XYll2IlIpsNI= X-Google-Smtp-Source: AG47ELvGtImuTxp8FaykdfDHEZbwlMYFAAvIWn8sVfFmnVASvTysc8Fp3Xj7e88/Q24f/M9Be9K+lg== X-Received: by 10.237.38.231 with SMTP id q94mr4066308qtd.60.1520986609267; Tue, 13 Mar 2018 17:16:49 -0700 (PDT) Received: from [155.41.26.230] (dhcp-wifi-8021x-155-41-26-230.bu.edu. [155.41.26.230]) by smtp.gmail.com with ESMTPSA id h184sm658491qkc.78.2018.03.13.17.16.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Mar 2018 17:16:48 -0700 (PDT) Sender: Theron Tarigo Subject: Re: GSoC Idea: per-process filesystem namespaces for FreeBSD To: Bakul Shah , Warner Losh , Mark Saad Cc: Kristoffer Eriksson , "freebsd-hackers@freebsd.org" References: <201803132055.aa28780@berenice.pkmab.se> <20180313222344.2929E156E812@mail.bitblocks.com> From: Theron Tarigo Message-ID: <1f8fc07b-9bf0-f9b2-ae7e-7cb0919722d0@gmail.com> Date: Tue, 13 Mar 2018 20:16:47 -0400 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <20180313222344.2929E156E812@mail.bitblocks.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Mar 2018 00:16:50 -0000 On 03/13/18 18:23, Bakul Shah wrote: > Plan9 has no root (superuser) or setuid. You can mangle > anything in your namespace but it affects only *your* own > process and its future descendents. > > The following paper on Plan9 authentication in Linux may be > worth reading: > https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34433.pdf > > While I have wanted per-process namespace in BSD for a long > time, I agree with Konstantin this is a non-trivial project. > Even if the design was fully fleshed out, implementing it > would likely take longer than 12 weeks. Although it would limit the usefulness of it, ignoring any and all file suid bits for any process with a non-empty mount table should in theory prevent exploitation of setuid.  Allowing safe setuid in combination with ("trusted" ?) namespaces would be something to add support for much later if someone decides it would be useful. By focusing on a narrowed case, that of allowing an unprivileged process to alter its view into the vfs in a way which is only preserved through execve() in specific safe circumstances, I hoped to avoid the insurmountable complexity of implementing the feature in the full generality that is available on Plan9. On 03/13/18 18:31, Mark Saad wrote: >  A kind of related task; FreeBSD could benefit from : Fixing  and > improving unionfs / nullfs. There are some weird issues with the > current unionfs and while it works in many cases there are some edge > cases where the comments are something like “ FreeBSD needs a proper > stacking vfs ...”   the examples I can think of ; imagine you have a > jail , chroot or even a Pxe booted system where you want a a read only > null mount from the hosts /bin to the targets /bin . Now expand that > to most of the base system and the mount tmpfs’s for /tep /var/log > etc.  most of that works but try to unmount it in the wrong order or > thrash a unionfs with lots of writes ,on top of a tmpfs and things > break . > So to be clear the project would be to better document the various > uses of unionfs and nullfs that work , for the ones that do not diving > into the stacking vfs and seeing if it could be implemented and if it > would help . > Using nullfs / unionfs in combination with chroot could be made functionally equivalent to per-process namespace, but would have the very same security problems as already discussed (as any chroot have) so configuring such environments would be available only to superuser. So it appears that the most significant obstacle to achieving at least an approximation of the behavior of user-controlled per-process namespace is managing setuid safely. One thought I had is to do all of this purely in user-space by creating an extension to libc which allows appropriately linked programs to find files according to some set of prefixes defining the namespace, defined through an environment variable, but have all system interactions function in the normal ways.  Would this be sufficiently general to be of any use?  If this approach does pose any security threats, it indicates a hole is already present in the system! (MacOS once had a problem with allowing privileged programs to be launched under a modified library path...) On 03/13/18 20:00, Mark Saad wrote: > However I still think the unionfs / nullfs work I mentioned before > would be a good project related to the plan9 idea in some ways . Is there a way I could go about fixing up unionfs while also making significant progress towards eventual support for true per-process namespace? Theron