From nobody Wed Mar 30 16:14:29 2022 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 2891D1A34735 for ; Wed, 30 Mar 2022 16:14:44 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-il1-f182.google.com (mail-il1-f182.google.com [209.85.166.182]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KTBN26Xr0z3t27 for ; Wed, 30 Mar 2022 16:14:42 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: by mail-il1-f182.google.com with SMTP id 14so10164838ily.11 for ; Wed, 30 Mar 2022 09:14:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=maGTE4092P61htpemOd5Ah0BZPSIPjfHtdMZ3tM39kA=; b=awb3OsdtcTSktLBtoDhw1xeX3dPRpNZ2JELk2VO6dr8SXdNIGeZ36StaWH/LRn7Zg3 eC6EtbefWxXKuXPTNR7WHL8sC03NDVCrb87V5Uwxk7CXagB+NrpYwe+haksSxjXxfBK4 HVVSjQJ2JyC8XUJUBDWSC1bOZ5Dlz+AtaA9EOyx8T2q+lWIEwAgyYqQrmwsi9O8zPdjE yvsBGogPpEu48JJyPYXbB7OMzDVL4xv2C7xRR2+KO3EQyCDw1A447giwbRZAR+4fMhfp u2XL1RbCd4YHjyggXahVLjOFJ99QHHoOpEH/6ojx0qf7veb/pI0B6FnqScUbWIZ/b4Ji Ye+w== X-Gm-Message-State: AOAM532Sh7bOMmr6V6h4XiJOFt/WpgGxWACj3T2rLbmveON2kpqj0y+9 18IsZDKyhuH84Xdf95VvpljrZsm6cPcADCam0g0= X-Google-Smtp-Source: ABdhPJzo9UPeTsOLzkmVBSRaKZnTjJ6RIkEvzhPEJ/rmLOuFITXU7OCALsm0wrOOewGe/dMe22WCr/LRtSE9WICiwMY= X-Received: by 2002:a05:6e02:1c2a:b0:2c9:defa:d061 with SMTP id m10-20020a056e021c2a00b002c9defad061mr2938619ilh.260.1648656882058; Wed, 30 Mar 2022 09:14:42 -0700 (PDT) List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 References: <25b5c60f-b9cc-78af-86d7-1cc714232364@gmail.com> In-Reply-To: <25b5c60f-b9cc-78af-86d7-1cc714232364@gmail.com> From: Ed Maste Date: Wed, 30 Mar 2022 12:14:29 -0400 Message-ID: Subject: Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support To: Mathieu Cc: FreeBSD Hackers Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4KTBN26Xr0z3t27 X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of carpeddiem@gmail.com designates 209.85.166.182 as permitted sender) smtp.mailfrom=carpeddiem@gmail.com X-Spamd-Result: default: False [-0.64 / 15.00]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[carpeddiem]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; RCVD_TLS_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-hackers@freebsd.org]; DMARC_NA(0.00)[freebsd.org]; NEURAL_SPAM_MEDIUM(0.96)[0.964]; NEURAL_HAM_LONG(-1.00)[-1.000]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; NEURAL_HAM_SHORT(-0.61)[-0.605]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[209.85.166.182:from]; MLMMJ_DEST(0.00)[freebsd-hackers]; FREEMAIL_TO(0.00)[gmail.com]; FORGED_SENDER(0.30)[emaste@freebsd.org,carpeddiem@gmail.com]; RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.166.182:from]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; FROM_NEQ_ENVFROM(0.00)[emaste@freebsd.org,carpeddiem@gmail.com]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N On Mon, 28 Mar 2022 at 05:38, Mathieu wrote: > > Hello list. Since a while I've been working on and off on a > pledge()/unveil() implementation for FreeBSD. I also wanted it to be > able to sandbox arbitrary programs that might not expect it with no (or > very minor) modifications. Interesting work - I'm happy to see development with the mac framework and I plan to take a good look at it once I have a bit more time. I have a couple of quick comments from an initial brief look. First, the update to pledge's declaration in crypto/openssh/openbsd-compat belongs upstream in the openssh-portable project; we'll then just pick it up with a subsequent import. Second, following on from David Chisnall's comment about userland abstraction, there's another example of this concept in the "Super Capsicumizer 9000" at https://github.com/unrelentingtech/capsicumizer. It interposes libc and uses LD_PRELOAD, so won't work with statically linked binaries (and has other limitations) but the example it presents is sandboxing an unmodified gedit.