From: Mathieu
To: Ed Maste
Cc: freebsd-hackers@FreeBSD.org
Date: Wed, 30 Mar 2022 14:22:53 -0400
Subject: Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
On 3/30/22 12:14, Ed Maste wrote:
> On Mon, 28 Mar 2022 at 05:38, Mathieu wrote:
>> Hello list. For a while I've been working on and off on a
>> pledge()/unveil() implementation for FreeBSD. I also wanted it to be
>> able to sandbox arbitrary programs that might not expect it with no (or
>> very minor) modifications.
> Interesting work - I'm happy to see development with the mac framework
> and I plan to take a good look at it once I have a bit more time.

Alright! I have to say, it's definitely doing things that MAC wasn't
designed for, but that's the best way I found to interface my module
with the rest of the kernel.

> I have a couple of quick comments from an initial brief look. First,
> the update to pledge's declaration in crypto/openssh/openbsd-compat
> belongs upstream in the openssh-portable project; we'll then just pick
> it up with a subsequent import.

Oh yeah, I think this change used to be necessary when I had put the
prototype for pledge() in (and prototype conflicts led to build
failures). Probably not needed anymore.
> Second, following on from David
> Chisnall's comment about userland abstraction, there's another example
> of this concept in the "Super Capsicumizer 9000" at
> https://github.com/unrelentingtech/capsicumizer. It interposes libc
> and uses LD_PRELOAD, so won't work with statically linked binaries
> (and has other limitations) but the example it presents is sandboxing
> an unmodified gedit.

Yeah, I saw that. Maybe I was wrong not to go with that approach. I
thought it would be too hard to make it complete enough to run
everything I would want it to run. A lot of programs are very finicky.
That's what I found out while working on this.

I see the advantages that it would have though: this could shield a
huge chunk of the kernel's complexity from applications (no matter how
much complex functionality the applications demand). I can imagine that
it could replace VMs in many cases for the isolation that it brings. If
anyone's working on that I think it would be worth it.

But in the meantime, my module does it the more conventional way and
it's advanced enough to run browsers and whole shell sessions, test
suites, etc.
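As an added illustration (not code from Mathieu's curtain module, from Ed Maste, or from the capsicumizer project), the C below models the path-policy half that both approaches in this thread have to implement: an unveil(2)-style allowlist in which the most specific unveiled path decides, plus, behind an optional compile-time switch, an LD_PRELOAD libc interposer for open() of the kind the capsicumizer uses, which by construction only takes effect in dynamically linked programs. The policy table, the CURTAIN_PRELOAD switch, the file name curtain.c and every path are constructed for the example; the matching semantics follow the documented OpenBSD unveil(2) behaviour, not anything the thread states about curtain's internals.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>

/* Permission bits in the spirit of unveil(2)'s "r", "w", "x" and "c" flags. */
enum { UV_READ = 1, UV_WRITE = 2, UV_EXEC = 4, UV_CREATE = 8 };

struct unveil_rule {
    const char *path;
    unsigned perms;
};

/* Constructed sample policy (not from the thread). A rule on a deeper path
 * refines the rule on its parent, so the third entry hides one subtree of
 * an otherwise readable home directory. */
static const struct unveil_rule policy[] = {
    { "/usr/lib",          UV_READ | UV_EXEC },
    { "/home/user",        UV_READ },
    { "/home/user/secret", 0 },
    { "/tmp",              UV_READ | UV_WRITE | UV_CREATE },
};

/* True when `path` is `prefix` itself or lies beneath it on a component
 * boundary: "/usr/lib" covers "/usr/lib/libc.so.7" but not "/usr/libexec". */
static bool path_covers(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);

    if (n == 0 || strncmp(prefix, path, n) != 0)
        return false;
    if (prefix[n - 1] == '/')   /* "/" itself, or a rule written with a slash */
        return true;
    return path[n] == '\0' || path[n] == '/';
}

/* The longest (most specific) matching rule wins; a path covered by no rule
 * is denied, which is unveil(2)'s behaviour once any rule is installed.
 * Paths are assumed absolute and normalised (a real implementation resolves
 * them first). */
static bool unveil_allows(const char *path, unsigned wanted)
{
    size_t best = 0;
    bool found = false;
    unsigned granted = 0;

    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        size_t n = strlen(policy[i].path);
        if (path_covers(policy[i].path, path) && (!found || n > best)) {
            found = true;
            best = n;
            granted = policy[i].perms;
        }
    }
    return found && (wanted & ~granted) == 0;
}

/* Translate open(2) flags into the permissions the call needs. */
static unsigned perms_for_open(int flags)
{
    unsigned p = 0;
    int acc = flags & O_ACCMODE;

    if (acc == O_RDONLY || acc == O_RDWR)
        p |= UV_READ;
    if (acc == O_WRONLY || acc == O_RDWR || (flags & O_TRUNC))
        p |= UV_WRITE;
    if (flags & O_CREAT)
        p |= UV_CREATE;
    return p;
}

#ifdef CURTAIN_PRELOAD
/* Userland interposition as the thread describes it. Build and preload:
 *   cc -shared -fPIC -D_GNU_SOURCE -DCURTAIN_PRELOAD -o libcurtain.so curtain.c
 *   LD_PRELOAD=./libcurtain.so ./some-dynamic-program
 * A static binary never resolves open() through the dynamic linker, so this
 * wrapper is silently bypassed: the limitation Ed Maste points out. */
#include <dlfcn.h>
#include <errno.h>
#include <stdarg.h>

int open(const char *path, int flags, ...)
{
    static int (*real_open)(const char *, int, ...);
    mode_t mode = 0;

    if (real_open == NULL)
        real_open = (int (*)(const char *, int, ...))dlsym(RTLD_NEXT, "open");
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    /* unveil(2) distinguishes ENOENT (path not unveiled) from EACCES
     * (insufficient permissions); this example collapses both to EACCES. */
    if (!unveil_allows(path, perms_for_open(flags))) {
        errno = EACCES;
        return -1;
    }
    return real_open(path, flags, mode);
}
#endif

int main(void)
{
    const char *probes[] = { "/usr/lib/libc.so.7", "/usr/libexec/getty",
                             "/home/user/secret/id_ed25519", "/tmp/output.log" };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-30s read:%s write:%s\n", probes[i],
               unveil_allows(probes[i], UV_READ) ? "allow" : "deny",
               unveil_allows(probes[i], UV_WRITE) ? "allow" : "deny");
    return 0;
}
```

Compiled plainly, the program just evaluates a few probe paths against the table. The same unveil_allows() is what a kernel-side module would consult at lookup time and what the preload wrapper consults in userland; the difference the thread is about is only where the check runs and, consequently, whether a program can sidestep it by not going through libc.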