From: Ed Maste
Date: Mon, 25 May 2020 12:37:19 -0400
Subject: Re: Malicious root user sandboxing
To: ihor@antonovs.family
Cc: freebsd-security@freebsd.org
In-Reply-To: <1641188.rRC0nNcZtX@amos>

On Sat, 16 May 2020 at 20:02, Ihor Antonov wrote:
>
> Hello FreeBSD Community,
>
> I am looking for possible options to sandbox an untrusted application that
> runs with root privileges.
>
> I can't use Jails or Capsicum as modification of the application is outside of
> the scope of my task and application needs to share the file system with
> some other applications. (several applications use PAM to authenticate
> users and they all have to have the same set of users, and I want
> to avoid duplicating system users across jails)
>
> For this write-up I will use the opensmtpd server as an example application,
> but there are many more examples that fit the use case.

Is the application dynamically linked? If so it's possible to do
"oblivious sandboxing" with Capsicum. There's a proof of concept in the
"Super Capsicumizer 9000" - https://github.com/myfreeweb/capsicumizer.
It builds on libpreopen from MUN which handles filesystem access.

This is not something that will work "out of the box" today for your
application, but is an area of active interest that could benefit from a
motivating use case. With some development work (using the approach of
capsicumizer + libpreopen) it could be the basis for a quality sandbox.

> 1) Application should only be able to listen and talk to TCP port 25.
> Initiating connections to other TCP ports and other address families
> must be prevented.

This would be net new work, intercepting connect(2), accept(2) and such,
passing the args to a socket service, and returning the fd.

> 2) Application should only have write access to a specific directory, the
> rest of the filesystem must be seen by the application as read-only.

Capsicumizer + libpreopen is most of the way there now. A little work
would be needed to extend it to support different permissions per
directory group.

> 3) Application should not be able to change its login class.

This is inherent in capability mode.

> 4) Application should not be able to escape the sandbox by forking a child
> process.

Capsicum does not address this, but the child starts in capability mode
and inherits the same sandbox restrictions. The real need then is for
comprehensive resource limits.

> 5) Application's resource usage must be limited.
>
> 6) Application should not be able to shake off resource limits by forking
> a child or changing login class.

This probably needs some rctl improvements.

> 7) Application should not be able to change system configuration, load/unload
> kernel modules, modify firewall rules.
>
> 8) Application should not be able to create new system users,
> or change passwords of existing users

These are inherent in capability mode.
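The reply above leans on the pre-open pattern from libpreopen for item 2 (directories are opened before the process enters capability mode, and afterwards only those descriptors can reach the filesystem) and notes that per-directory permissions are the missing piece. The program below is an added example written for this thread, not code from Capsicumizer, libpreopen or the message; it shows the pattern with exactly that extension: each pre-opened directory descriptor is rights-limited with cap_rights_limit() to read-only or read-write before cap_enter(), and an open(2) replacement maps absolute paths onto the longest matching descriptor and rejects ".." components. The function names (po_add, po_open, po_enter, demo_run, climbs_out), the specific CAP_* rights chosen, and the constructed "etc" (read-only) and "spool" (writable) layout under /tmp are all assumptions of this example. The Capsicum calls compile only on FreeBSD; on other systems the table logic still runs, but only as policy, since nothing stops the process from calling open() directly.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose mkdtemp, openat, O_DIRECTORY; harmless elsewhere */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

#define PO_MAX 8

/* A pre-opened directory: after cap_enter() the path is useless to the
 * process, only the descriptor matters, and its rights decide what may
 * happen beneath it. */
struct po_entry { char prefix[PATH_MAX]; int dirfd; bool writable; };
static struct po_entry po_map[PO_MAX];
static int po_count;

/* Open a directory before entering capability mode and record it. On FreeBSD
 * the descriptor's rights are limited here, so the kernel, not this table,
 * is what refuses writes through a read-only entry (assumed rights set). */
int po_add(const char *prefix, bool writable)
{
    if (po_count >= PO_MAX) { errno = ENOMEM; return -1; }
    int fd = open(prefix, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
#ifdef __FreeBSD__
    cap_rights_t r;
    if (writable)
        cap_rights_init(&r, CAP_LOOKUP, CAP_READ, CAP_WRITE, CAP_CREATE, CAP_FSTAT, CAP_SEEK);
    else
        cap_rights_init(&r, CAP_LOOKUP, CAP_READ, CAP_FSTAT, CAP_SEEK);
    if (cap_rights_limit(fd, &r) < 0) { close(fd); return -1; }
#endif
    struct po_entry *e = &po_map[po_count++];
    snprintf(e->prefix, sizeof e->prefix, "%s", prefix);
    e->dirfd = fd;
    e->writable = writable;
    return 0;
}

/* True if any component of a relative path is "..": the Capsicum kernel
 * rejects such lookups itself; this keeps the policy explicit elsewhere. */
bool climbs_out(const char *rel)
{
    while (*rel) {
        const char *end = strchr(rel, '/');
        size_t len = end ? (size_t)(end - rel) : strlen(rel);
        if (len == 2 && rel[0] == '.' && rel[1] == '.') return true;
        rel += len;
        while (*rel == '/') rel++;
    }
    return false;
}

/* open(2) replacement: map an absolute path onto the longest matching
 * pre-opened prefix and reopen it relative to that descriptor. EACCES when
 * nothing covers the path or a write is attempted through a read-only entry. */
int po_open(const char *path, int flags, mode_t mode)
{
    const struct po_entry *best = NULL;
    size_t best_len = 0;
    for (int i = 0; i < po_count; i++) {
        size_t n = strlen(po_map[i].prefix);
        if (n > best_len && strncmp(path, po_map[i].prefix, n) == 0 && path[n] == '/') {
            best = &po_map[i];
            best_len = n;
        }
    }
    if (best == NULL) { errno = EACCES; return -1; }
    bool writes = (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC)) != 0;
    if (writes && !best->writable) { errno = EACCES; return -1; }
    const char *rel = path + best_len + 1;
    if (*rel == '\0' || climbs_out(rel)) { errno = EACCES; return -1; }
    return openat(best->dirfd, rel, flags, mode);
}

/* Last setup step: give up absolute paths and other global namespaces.
 * FreeBSD only; elsewhere a no-op, so the table is policy, not enforcement. */
int po_enter(void)
{
#ifdef __FreeBSD__
    return cap_enter();
#else
    return 0;
#endif
}

/* Constructed scenario under a temporary directory: a read-only "etc" and a
 * writable "spool", the split item 2 of the thread asks for. Returns 0 when
 * every check behaves as expected, otherwise the number of the failed check. */
int demo_run(void)
{
    char root[] = "/tmp/po_demo.XXXXXX", etc[PATH_MAX], spool[PATH_MAX], p[PATH_MAX];
    if (mkdtemp(root) == NULL) return 100;
    snprintf(etc, sizeof etc, "%s/etc", root);
    snprintf(spool, sizeof spool, "%s/spool", root);
    snprintf(p, sizeof p, "%s/smtpd.conf", etc);
    int fd, rootfd = open(root, O_RDONLY | O_DIRECTORY);   /* full rights, kept for cleanup */
    if (rootfd < 0 || mkdir(etc, 0700) || mkdir(spool, 0700)) return 101;
    if ((fd = open(p, O_WRONLY | O_CREAT, 0600)) < 0) return 102;   /* seed a config file */
    close(fd);
    if (po_add(etc, false) || po_add(spool, true) || po_enter()) return 103;

    int rc = 0;
    if ((fd = po_open(p, O_RDONLY, 0)) < 0) rc = 1;                     /* read config: ok */
    else close(fd);
    if (!rc && po_open(p, O_WRONLY, 0) >= 0) rc = 2;                    /* write config: denied */
    snprintf(p, sizeof p, "%s/msg1", spool);
    if (!rc && (fd = po_open(p, O_WRONLY | O_CREAT, 0600)) < 0) rc = 3; /* write spool: ok */
    else if (!rc) close(fd);
    snprintf(p, sizeof p, "%s/../etc/smtpd.conf", spool);
    if (!rc && po_open(p, O_RDONLY, 0) >= 0) rc = 4;                    /* climb out: denied */
    if (!rc && po_open("/etc/passwd", O_RDONLY, 0) >= 0) rc = 5;        /* unmapped: denied */

    unlinkat(rootfd, "spool/msg1", 0);
    unlinkat(rootfd, "etc/smtpd.conf", 0);
    unlinkat(rootfd, "spool", AT_REMOVEDIR);
    unlinkat(rootfd, "etc", AT_REMOVEDIR);
    close(rootfd);
    rmdir(root);   /* fails harmlessly in capability mode: absolute path */
    return rc;
}

int main(void)
{
    int rc = demo_run();
    printf("pre-open sandbox demo: %s (check %d)\n", rc ? "FAILED" : "ok", rc);
    return rc;
}
```

On FreeBSD, once po_enter() has returned, a call to the real open() with any absolute path fails with ECAPMODE, which is what makes the pre-opened descriptors the only route to the filesystem; libpreopen and Capsicumizer get an unmodified binary onto po_open()-style wrappers by interposing on its libc calls, which is why the question of dynamic linking matters. Because capability mode and the rights on inherited descriptors survive fork(2), a child process is held to the same table, the point made under item 4; what the table cannot do is bound CPU, memory or process counts, which is where the rctl work under items 5 and 6 comes in.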