From owner-freebsd-audit Thu Jun 14 7:31:11 2001 Delivered-To: freebsd-audit@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 257AA37B405 for ; Thu, 14 Jun 2001 07:30:59 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f5EEUgf26222; Thu, 14 Jun 2001 10:30:42 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 14 Jun 2001 10:30:41 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Dag-Erling Smorgrav Cc: David Malone , freebsd-audit@freebsd.org Subject: Re: Allowing ident in a jail. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On 14 Jun 2001, Dag-Erling Smorgrav wrote: > David Malone writes: > > This seems pretty safe and doesn't really leak any info from jail > > to jail. > > - actually, this solution *does* have the potential of leaking > information about non-jailed processes into the jail, *but* > > - to get into a scenario where a socket belonging to a non-jailed > process is visible from within the jail, you have to jump through > hoops and willingly do things that more or less cancel out the > benefits of using a jail in the first place. > > So while David's patch isn't really a 100% correct fix for the problem > described in the PR, it's a good enough compromise, and a much better > solution than any I expected to find. > > (David already knows this; this is for the benefit of those who haven't > read the private discussion he and I had on this subject) Well, it does leak information, but only if jails leak sockets. That is to say, the socket credential is determined at socket creation time, and if the socket migrates elsewhere over its lifetime (via fd transfer by virtue of unix domain socket ancillary data), then it will leak information. However, this relies on having at least two parties colluding: an entity in the first jail to create the socket, and an entity in the host environment willing to help transfer the socket (by creating some IPC vehicle for it, etc). The jail model is not intended to protect jails from the host environment, just from other jails, and only when namespaces have been appropriately configured. If you want the full gamut of protection, you need a full confidentiality/integrity MAC policy. I've largely implemented this (at least twice) as part of the TrustedBSD work, but it's nowhere near ready for production use, and I'll probably reimplement it at least once more before I'll be satisfied with it. Jail is intended to be lightweight and easy to use, providing decent protection, which it does. There are a number of architectural vulnerabilities to it, not least of which is that there are a number of ways a trusting host environment could be exploited by a malicious jail. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message