From owner-freebsd-security Wed May 17 14:53:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 5517737BD1A; Wed, 17 May 2000 14:53:16 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id OAA09714; Wed, 17 May 2000 14:53:15 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id OAA30127; Wed, 17 May 2000 14:53:14 -0700 (PDT) (envelope-from Don.Lewis@tsc.tdk.com)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id OAA01533; Wed, 17 May 2000 14:53:13 -0700 (PDT)
From: Don Lewis
Message-Id: <200005172153.OAA01533@salsa.gv.tsc.tdk.com>
Date: Wed, 17 May 2000 14:53:13 -0700
In-Reply-To:
References:
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Robert Watson, Geoffrey Robinson
Subject: Re: Jail: Problems? Proper Usage? Status? Practicality?
Cc: security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On May 16, 1:05pm, Robert Watson wrote:
} Subject: Re: Jail: Problems? Proper Usage? Status? Practicality?
} On Mon, 15 May 2000, Geoffrey Robinson wrote:
} > aware that raw sockets are not allowed to jailed processes but is there
} > a workaround for ping and traceroute?
}
} Currently, no. Due to the way raw sockets work (allowing listening for
} all non-handled IP messages, and allowing direct writing of IP packets),
} it would take a bit of work to get this up and running, although it would
} be feasible. A more promising long-term goal might be to better
} virtualize network services, creating virtual interfaces and binding real
} network resources to virtual interfaces.

I think this is the right way to go.

The current jail implementation is not compatible with IPv6, and there is no way to confine a dual-homed proxy server to a jail, since the jail is only allowed one IP address. If the jail used virtual network interfaces, then it would be possible to add packet filter rules to these network interfaces. This would be much more flexible than the current implementation, since it would then be possible to have fine-grained control over the network connections allowed into and out of the jail. It would also be possible for multiple jails to share the same IP address but be restricted to disjoint port ranges.

} > Finally how secure is jail really? I'm aware of a trivial chroot breakout
} > technique. Does that hole still exist? Are there any other known holes? Is
} > jail still under active development? Is it worth the trouble to do any of
} > this?
}
} Right now my efforts are primarily aimed at improving the security
} abstractions within the kernel relating to the TrustedBSD project--this
} should have a side benefit of improving the relationship between jail()
} and the base OS, making Jail easier to maintain and modify.

I think this is also the right thing to do. I would go so far as to deprecate the jail(2) syscall, and implement jail(8) in terms of the syscalls to set up the virtual network interfaces, the syscalls to set the process capabilities, and chroot().

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
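The message above proposes giving each jail a virtual network interface with its own packet-filter rules, so that several jails can share one IP address while being confined to disjoint port ranges. The following script is an added example, not code from the thread or from FreeBSD: it models that policy, checks that no two jails on the same address claim overlapping ports (the check an administrator would want before loading any ruleset, since an overlap means two jails are reachable through the same service port), and renders an illustrative per-interface ruleset. The jail names, interface names `jail0`..`jail2`, the address 10.0.0.5 and the port ranges are constructed sample data; the rule lines follow ipfw(8) syntax for inbound service ports only and are meant as an illustration of the policy, not a tested production ruleset.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class JailNet:
    """Network policy for one jail: a (hypothetical) per-jail virtual interface,
    the shared IP address, and the inclusive port range the jail may serve."""
    name: str
    iface: str   # assumed per-jail virtual interface name
    ip: str
    port_lo: int
    port_hi: int

    def __post_init__(self) -> None:
        if not (1 <= self.port_lo <= self.port_hi <= 65535):
            raise ValueError(f"{self.name}: bad port range {self.port_lo}-{self.port_hi}")


def overlapping_ranges(jails: Iterable[JailNet]) -> List[Tuple[str, str]]:
    """Return pairs of jail names whose port ranges overlap on the same IP.
    An empty list means the ranges are disjoint, as the proposal requires."""
    ordered = sorted(jails, key=lambda j: (j.ip, j.port_lo))
    conflicts: List[Tuple[str, str]] = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.ip != a.ip:
                break            # sorted by IP, so no later entry shares a's address
            if b.port_lo <= a.port_hi:   # b starts at or after a, so this is overlap
                conflicts.append((a.name, b.name))
    return conflicts


def owner_of(jails: Iterable[JailNet], ip: str, port: int) -> Optional[str]:
    """Which jail (if any) would receive traffic for ip:port under this policy.
    With disjoint ranges there is at most one answer; ambiguity is an error."""
    hits = [j.name for j in jails if j.ip == ip and j.port_lo <= port <= j.port_hi]
    if len(hits) > 1:
        raise ValueError(f"ambiguous policy: {ip}:{port} matches {hits}")
    return hits[0] if hits else None


def ipfw_rules(jails: List[JailNet], base: int = 1000, step: int = 10) -> List[str]:
    """Render illustrative ipfw-style rules: on each jail's interface, allow only
    the jail's own port range to the shared address and deny everything else
    addressed to it. Refuses to emit anything if the ranges overlap."""
    if overlapping_ranges(jails):
        raise ValueError("refusing to emit rules for overlapping port ranges")
    rules: List[str] = []
    for n, j in enumerate(jails):
        num = base + n * step
        ports = f"{j.port_lo}-{j.port_hi}"
        rules.append(f"add {num} allow tcp from any to {j.ip} {ports} via {j.iface}")
        rules.append(f"add {num + 1} allow udp from any to {j.ip} {ports} via {j.iface}")
        rules.append(f"add {num + 2} deny ip from any to {j.ip} via {j.iface}")
    return rules


# Constructed sample policy: three jails sharing 10.0.0.5 with disjoint ranges.
JAILS = [
    JailNet("www", "jail0", "10.0.0.5", 8000, 8099),
    JailNet("mail", "jail1", "10.0.0.5", 8100, 8199),
    JailNet("dns", "jail2", "10.0.0.5", 8200, 8299),
]

if __name__ == "__main__":
    print("conflicts:", overlapping_ranges(JAILS))
    for line in ipfw_rules(JAILS):
        print(line)
```

Loading the rendered rules (after prefixing each line with `ipfw`) is left to the administrator; the point of the script is the disjointness check and the one-jail-per-port property that `owner_of` exposes.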