From owner-freebsd-net@freebsd.org  Tue Oct 15 13:00:36 2019
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 77D8315E2C1
 for <freebsd-net@mailman.nyi.freebsd.org>;
 Tue, 15 Oct 2019 13:00:36 +0000 (UTC) (envelope-from hrs@allbsd.org)
Received: from mail.allbsd.org (mx.allbsd.org [IPv6:2001:2f0:104:e001::41])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature ECDSA (P-384) client-digest SHA384)
 (Client CN "mail.allbsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 46swX160qxz49jh;
 Tue, 15 Oct 2019 13:00:33 +0000 (UTC) (envelope-from hrs@allbsd.org)
Received: from mail-d.allbsd.org ([IPv6:2409:11:a740:4700:58:65ff:fe00:b0b])
 (authenticated bits=56)
 by mail.allbsd.org (8.15.2/8.15.2) with ESMTPSA id x9FD030g043943
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=OK)
 (Client CN "/CN=mail-d.allbsd.org", Issuer
 "/C=US/O=Let's+20Encrypt/CN=Let's+20Encrypt+20Authority+20X3"); 
 Tue, 15 Oct 2019 22:00:14 +0900 (JST) (envelope-from hrs@allbsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=allbsd.org;
 s=20190220; t=1571144422;
 bh=z5fZKxvkKDq9VGNiKf+yFfoq1bPg90lcES2G+WGpFxs=;
 h=Date:To:Cc:From:In-Reply-To:References;
 b=bzLIdVAnN7JuSS/DVtCGo6qBuQWqLuibTzIn2PfKVSv7tMtHlfVaWStEJuv/FrCqj
 YA+76e0IX9CdDx9cZV84ZoxUzkZR83DQ5uPqMYH4Oerd+4SrpLuZC2pMw9MzAXU4u4
 yoqL8Knw+cY1gAUN9Kt7v62SFW1xgFZ1C89HoGPU=
Received: from alph.d.allbsd.org ([IPv6:2409:11:a740:4700:16:ceff:fe34:2700])
 by mail-d.allbsd.org (8.15.2/8.15.2) with ESMTPS id x9FCxv0Y058548
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO);
 Tue, 15 Oct 2019 21:59:58 +0900 (JST) (envelope-from hrs@allbsd.org)
Received: from localhost (localhost [[UNIX: localhost]]) (authenticated bits=0)
 by alph.d.allbsd.org (8.15.2/8.15.2) with ESMTPA id x9FCxrok058544;
 Tue, 15 Oct 2019 21:59:57 +0900 (JST) (envelope-from hrs@allbsd.org)
Date: Tue, 15 Oct 2019 21:57:32 +0900 (JST)
Message-Id: <20191015.215732.1618848784026596315.hrs@allbsd.org>
To: roy@marples.name
Cc: woodsb02@gmail.com, hrs@freebsd.org, brooks@freebsd.org,
 julian@freebsd.org, driesm.michiels@gmail.com, freebsd-net@freebsd.org
Subject: Re: DHCPv6 client in base
From: Hiroki Sato <hrs@allbsd.org>
In-Reply-To: <f3c51ba5-ebad-4f2f-2ae5-ab08055f6b6b@marples.name>
References: <CAOc73CBzvRD0Je5+XQJ9_UqTP2_cgJvc7_7JTU0fjKBCVnTt-w@mail.gmail.com>
 <20191014.043209.919156653743886519.hrs@allbsd.org>
 <f3c51ba5-ebad-4f2f-2ae5-ab08055f6b6b@marples.name>
X-Old-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530  FFD7 4F2C D3D8 2793 CF2D
X-PGPkey-fingerprint: 6C0D 2353 27CF 80C7 901E  FDD2 DBB0 7DC6 6F1F 737F
X-Mailer: Mew version 6.8 on Emacs 26.2
Mime-Version: 1.0
Content-Type: Multipart/Signed; protocol="application/pgp-signature";
 micalg=pgp-sha512;
 boundary="--Security_Multipart(Tue_Oct_15_21_57_32_2019_580)--"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2
 (mail.allbsd.org [IPv6:2001:2f0:104:e001:0:0:0:41]);
 Tue, 15 Oct 2019 22:00:22 +0900 (JST)
X-Rspamd-Queue-Id: 46swX160qxz49jh
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=allbsd.org header.s=20190220 header.b=bzLIdVAn;
 dmarc=none;
 spf=pass (mx1.freebsd.org: domain of hrs@allbsd.org designates
 2001:2f0:104:e001::41 as permitted sender) smtp.mailfrom=hrs@allbsd.org
X-Spamd-Result: default: False [-5.45 / 15.00]; ARC_NA(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[];
 R_DKIM_ALLOW(-0.20)[allbsd.org:s=20190220];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[];
 R_SPF_ALLOW(-0.20)[+mx]; MV_CASE(0.50)[]; TAGGED_RCPT(0.00)[];
 MIME_GOOD(-0.20)[multipart/signed,text/plain];
 TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[allbsd.org];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCVD_COUNT_THREE(0.00)[4];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[allbsd.org:+];
 MID_CONTAINS_FROM(1.00)[]; RCPT_COUNT_SEVEN(0.00)[7];
 SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[];
 MIME_TRACE(0.00)[0:+,1:+,2:~]; RCVD_TLS_LAST(0.00)[];
 ASN(0.00)[asn:7514, ipnet:2001:2f0::/32, country:JP];
 FREEMAIL_CC(0.00)[gmail.com];
 IP_SCORE(-2.35)[ip: (-9.18), ipnet: 2001:2f0::/32(-4.38), asn: 7514(1.80),
 country: JP(-0.00)]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 13:00:36 -0000

----Security_Multipart(Tue_Oct_15_21_57_32_2019_580)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Roy Marples <roy@marples.name> wrote
  in <f3c51ba5-ebad-4f2f-2ae5-ab08055f6b6b@marples.name>:

ro> On 13/10/2019 20:32, Hiroki Sato wrote:
ro> > Ben Woods <woodsb02@gmail.com> wrote
ro> >    in
ro> >    <CAOc73CBzvRD0Je5+XQJ9_UqTP2_cgJvc7_7JTU0fjKBCVnTt-w@mail.gmail.com>:
ro> > wo> On Fri, 11 Oct 2019 at 08:32, Ben Woods <woodsb02@gmail.com>
ro> > wrote:
ro> > wo> As promised, I have completed my initial work to import dhcpcd
ro> > into FreeBSD
ro> > wo> base, and it is ready for review, testing and comment at the link
ro> > below.
ro> > wo> https://reviews.freebsd.org/D22012
ro> > wo>
ro> > wo> As per the comment from brooks@, I have opted to have it installed
ro> > in
ro> > wo> parallel with dhclient (which remains the default).
ro> >   How do you want to proceed the discussion?  I sent my view and made
ro> >   myself clear that importing dhcpcd into the base system as-is is not
ro> >   a good idea.  What is your answer to my concerns?  I also agree with
ro> >   Brooks about a need for sandboxing before the import if it will
ro> >   happen.  Do you have any plan to add changes to the imported dhcpcd?
ro>
ro> Sorry if it was not clear. The discussion involves what is the
ro> required acceptance for Priviledge Seperation because this is quite
ro> new to me.
ro>
ro> My current idea is to open DHCP, IPv6RA and DHCP6 ports, chroot, drop
ro> privs and fork. This concept is pretty standard thus far. These are
ro> listening ports only and will dry-run any received message through
ro> dhcpcd's two commons paths:
ro>   1) extract address and routing information without applying it
ro>   2) environment option generation from the whole message

 A typical separation is three process model which contains
 processes for 1) sending/accepting packets (and parsing them), 2)
 state machine for each protocol handling, and 3) global namespace
 access (file, routing socket, network interface state, etc).  The
 superuser privilege can be dropped in 1) and 2) completely.  1) and
 3) communicate with 2) on demand or event-driven basis.  1) do not
 communicate directly with 3).  Protocol-specific routines are in 1)
 and 2)---the former handles its wire-format, and the latter deals
 with protocol-specific state machines.

 However, this is often an overkill for a small, single-protocol
 network daemon.  A two process model which contains one for 1)+2) and
 another for 3) above is used in sbin/dhclient, for example.  I think
 this separation is the minimum level.  3) performs privileged tasks
 such as ioctls for network interfaces.

 I believe the three process model is appropriate for dhcpcd because
 of the nature of multi-protocol support.  Parsing is one of the
 attack surfaces.  For instances, a dhcp6_findoption() loop in
 dhcp6_recv() should be in process 1 and changes of D6_STATE(ifp)
 should be managed in process 2.  The current dhcp6_bind() directly
 uses dhcp6_findmoption() to extract options from a DHCP message on
 demand and also directly accesses the global namespace by using
 dhcp6_writelease(ifp).  These packet inspection and file access can
 be replaced with IPC requests to process 1 or 3 in the model, and it
 can be realized without a big structural change to the original logic
 in dhcp6.c (though it requires a certain amount of changes to the
 current code).

 In the ideal world everything should work fine and this kind of
 separation just sounds to make the program complex unnecessary, but
 an incomplete separation between the possible attack surfaces and
 access to the global namespace does not provide a good security even
 if the superuser privilege dropped.

 Note that these are just my own view, not a requirement for something
 nor feature request.  I think lack of privsep must be considered if
 dhclient is replaced, but I also think replacing dhclient is beyond
 the discussion of DHCPv6.

 Anyway, You might want to create a new email thread for sandboxing of
 dhcpcd on FreeBSD if you want to continue to discuss it.  Probably
 developers with more expertise in security can make a comment.

-- Hiroki

----Security_Multipart(Tue_Oct_15_21_57_32_2019_580)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iMgEABMKAC0WIQRsDSNTJ8+Ax5Ae/dLbsH3Gbx9zfwUCXaXCPA8caHJzQGFsbGJz
ZC5vcmcACgkQ27B9xm8fc38CIgII/hD4mR1YsB/K7QbwPZLR7o6PfASISWjM/L+s
xxNG5lLgGynT3R/n3djH8jiedsI6dRspHAhbaLO8ociGbPHbl4kCCQElqiwSOwWN
1++Z4kyMrb2GWuILrAdZXctcVAsAZ8l9sXNkjhVJNQ5UiE6WuCTdvSec9FFi4F/0
uXoy5hgsSKZGeg==
=DapJ
-----END PGP SIGNATURE-----

----Security_Multipart(Tue_Oct_15_21_57_32_2019_580)----