Date: Tue, 29 Mar 2022 17:12:30 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Mathieu
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support
Message-ID: <20220329211230.2dufhnikhaqyovwc@mutt-hbsd>
References: <25b5c60f-b9cc-78af-86d7-1cc714232364@gmail.com> <20220329181428.n3db2x57nnn64yfx@mutt-hbsd>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Tue, Mar 29, 2022 at 03:46:09PM -0400, Mathieu wrote:
> On 3/29/22 14:14, Shawn Webb wrote:
> > On Mon, Mar 28, 2022 at 05:37:44AM -0400, Mathieu wrote:
> > > Hello list.  For a while I've been working on and off on a
> > > pledge()/unveil() implementation for FreeBSD.  I also wanted it to be able
> > > to sandbox arbitrary programs that might not expect it with no (or very
> > > minor) modifications.  So I just kept adding to it until it could do that
> > > well enough.  I'm still working on it, and there are some known issues and
> > > some things I'm not sure are done correctly, but overall it's in a very
> > > functional state now.
> > > It can run most utilities and desktop apps unmodified
> > > (though dbus/dconf/etc are trouble), server daemons, buildworld and whole
> > > shell/desktop sessions sandboxed.
> > >
> > > https://github.com/Math2/freebsd-pledge
> > > https://github.com/Math2/freebsd-pledge/blob/main/CURTAIN-README.md
> > >
> > > It can be broken up into 4 parts: 1) A MAC module that implements most of the
> > > functionality.  2) The userland library, sandboxing utility, configs and
> > > tests.  3) Various kernel changes needed to support it (including new MAC
> > > handlers and extended syscall filtering).  4) Small changes/fixes to the
> > > base userland (things like adding reporting to ps and modifying some
> > > utilities to use $TMPDIR so that they can be properly sandboxed).  So 1) and
> > > 2) could be in a port.  And I tried to minimize 3) and 4) as much as
> > > possible.
> > >
> > > I noted some problems/limitations in the CURTAIN-ISSUES file.  At this point
> > > I'm mostly wondering about the general design being acceptable for merging
> > > eventually.  Because most of this could be part of a port, but not all of
> > > it.  And the way that it deals with filesystem access restrictions in
> > > particular is kludgy.  So any feedback/testing welcome.
> > >
> > > It still lacks documentation (in part because I'm not sure of what could
> > > still change) so I'm going to give an overview of it here and show some
> > > examples and that's going to be the documentation for now.  And I'll
> > > describe the kernel changes that it needed.  So that's going to be a bit of
> > > a long email.
> > Hey Mathieu,
> >
> > Thanks a lot for working on this! I'm incredibly excited to see this
> > work progress and mature.
>
>
> Hey! Thanks, nice to hear that.
>
>
> > I'd love to start reviewing your work.
> > One thing that would make it
> > easier to review would be if you used a feature branch rather than
> > relying on the main branch. That way, a simple `git diff` command
> > could be used to generate a diff between your code and stock freebsd.
> >
> > If you'd like an example of that, take a look at HardenedBSD's
> > repo[0]. We have two relevant branches:
> >
> > freebsd/current/main <- FreeBSD's sources
> > hardened/current/main <- HardenedBSD's patches applied on top of
> > FreeBSD's sources
> >
> > Users can then simply run `git diff origin/freebsd/current/main` to
> > see all the changes we've made (assuming the user is currently working
> > on the hardened/current/master branch.)
> >
> > [0]: https://git.hardenedbsd.org/HardenedBSD/hardenedbsd
>
>
> I gotta be honest, I'm never too sure if I understand what git is doing. So
> I try to keep it simple. I'm going to create a "stock" branch and keep it
> pointing *exactly* to what I've been merging from. Lemme know if that works.
> I'm not too sure I'd be using a more elaborate branch layout correctly...
> This is going to be a lot of work to review so yeah I'd try to set this up
> to make it easier but I could just make it worse too heh. The way I've been
> comparing my changes to stock so far was with 3 dots diff: `git diff
> freebsd/main...main`.

I quickly forked your repo, and created two branches:
freebsd/current/main and curtain/current/main:

https://github.com/lattera/freebsd-pledge

So now freebsd/current/main can be updated first, then you can merge
freebsd/current/main into curtain/current/main. Hopefully you find that
useful.

>
> Also, I gotta warn you, the lack of comments is just terrible in some
> places. This project turned out to be a lot more complicated than I had
> hoped. Correctly handling "slots" and inheritance/masking between sandboxes
> was harder than I thought. Most of the complexity is in the library and MAC
> module.
> But I think it probably was necessary complexity to get the (mostly)
> seamlessly nestable sandboxing system that I wanted...

Totally understood. This is a work in progress and there's likely a lot
to still be worked out (as you've already mentioned.)

My workload at ${DAYJOB} is a bit tight at the moment, but I do plan
on taking some time off soon. During that time off, I'll start peeking
at the code. I'll make sure to keep an eye on the project in the
meantime, though.

Thanks again!

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
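The review workflow discussed in this thread (an upstream-tracking branch kept exactly at what was merged from, a feature branch layered on top, and a diff that isolates the feature's changes) can be exercised in a throwaway repository. The script below is an added example written for this page; it is not code from the curtain project, from the freebsd-pledge repository, or from HardenedBSD's tree. The repository it builds, the branch names `stock` and `curtain`, and the file contents are all constructed for the demonstration; `stock...curtain` plays the role of Mathieu's `freebsd/main...main`.

```shell
#!/bin/sh
# Added example (not from the thread or the curtain project): build a scratch
# repository with an upstream-tracking branch "stock" and a feature branch
# "curtain", move upstream forward, and compare the two-dot and three-dot
# forms of `git diff` before and after merging upstream into the feature
# branch. Branch and file names are constructed for this demonstration.
set -eu

# Create the scratch repository and print its path. Runs inside $(...) in the
# callers below, so the cd does not leak into the caller's shell.
make_repo() {
    repo=$(mktemp -d)
    cd "$repo"
    # -b needs git >= 2.28; fall back to creating the branch on an unborn HEAD.
    git init -q -b stock . 2>/dev/null || { git init -q . && git checkout -q -b stock; }
    git config user.email "example@example.invalid"
    git config user.name "Example"
    git config commit.gpgsign false

    printf 'upstream v1\n' > sys.c
    git add sys.c
    git commit -q -m "stock: initial import"

    # Feature work lives only on the feature branch, never on stock.
    git checkout -q -b curtain
    printf 'mac_curtain module\n' > mac_curtain.c
    git add mac_curtain.c
    git commit -q -m "curtain: add MAC module"

    # Upstream moves on: a new commit lands on stock only.
    git checkout -q stock
    printf 'upstream v2\n' > sys.c
    git commit -q -am "stock: upstream change"

    git checkout -q curtain
    printf '%s\n' "$repo"
}

# Three-dot form: changes on curtain since its merge base with stock.
# This is the form that isolates the feature's own changes.
three_dot_files() {
    git -C "$1" diff --name-only stock...curtain | tr '\n' ' ' | sed 's/ $//'
}

# Two-dot form: tip of stock versus tip of curtain. Before a merge this also
# reports upstream's own changes, reversed, as if the feature had made them.
two_dot_files() {
    git -C "$1" diff --name-only stock curtain | tr '\n' ' ' | sed 's/ $//'
}

# Merge the updated stock branch forward into curtain, as suggested in the
# thread. Afterwards stock's tip is the merge base, so both diff forms agree.
merge_upstream() {
    git -C "$1" checkout -q curtain
    git -C "$1" merge -q --no-edit stock
}

if [ "${1:-}" = "demo" ]; then
    r=$(make_repo)
    echo "before merge, three-dot: $(three_dot_files "$r")"
    echo "before merge, two-dot:   $(two_dot_files "$r")"
    merge_upstream "$r"
    echo "after merge,  three-dot: $(three_dot_files "$r")"
    echo "after merge,  two-dot:   $(two_dot_files "$r")"
fi
```

Run it with `sh script.sh demo`. Before the merge the two-dot diff lists `sys.c` alongside `mac_curtain.c`, because it compares tips and so includes the upstream commit that curtain has not yet absorbed; the three-dot diff lists only `mac_curtain.c`. After merging `stock` into `curtain` the merge base is stock's tip and both forms list only the feature's file, which is why the two-branch layout lets a reviewer use the plain `git diff <stock-branch>` form from the feature branch.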