From: Pawel Jakub Dawidek <pawel@dawidek.net>
To: freebsd-security@FreeBSD.org
Cc: brooks@FreeBSD.org
Date: Sun, 9 Jun 2013 00:33:46 +0200
Subject: Request for review: Sandboxing dhclient using Capsicum.
Message-ID: <20130608223346.GA2468@garage.freebsd.pl>

Hi.

I have a series of patches to sandbox dhclient using Capsicum (capability
mode and capability rights for descriptors).

As usual, because chroot and setgid/setuid are not sandboxing mechanisms,
there are many problems with the current sandboxing:

- Access to various global namespaces (like process list, network, etc.).
- Access to RAW UDP socket.
- Read/write access to bpf.
- Access to RAW route socket, which means it can delete, modify or add
  static routes as it pleases.

After the changes the RAW route socket is limited to reading only, the
write-only bpf descriptor and RAW UDP sockets are moved to the privileged
process, and even though the unprivileged process still controls destination
addresses, it cannot change the port, for example. There is no access to
global namespaces anymore.

All descriptors used by the unprivileged process are limited using
capability rights (just in case, not really crucial):

- Descriptor to lease file allows for overwrite only, but doesn't allow for
  other stuff, like reading, fchmod, etc.
- Descriptor to pidfile has no rights, it is just being kept open.
- STDIN descriptor has no rights.
- STDOUT and STDERR descriptors are limited to write only.

The patches are here. Every change has an individual description:

	http://people.freebsd.org/~pjd/patches/dhclient_capsicum.patches

I'd appreciate any review, especially a security audit of the proposed
changes. The new and most critical function is probably send_packet_priv().

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
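The privilege-separation shape the message describes, as an added example that is not part of the posted patches or of FreeBSD's dhclient: the privileged side receives a request that carries only a destination address and a payload and supplies the UDP port itself, and the unprivileged side limits its lease file, pidfile, stdin, stdout and stderr descriptors as listed before calling cap_enter(). The struct priv_send_req, the names send_packet_priv_checked and limit_client_fds, the length bounds and the exact rights set used for the lease file are assumptions made for this example; the real send_packet_priv() is in the linked patch set. The Capsicum calls compile only on FreeBSD; elsewhere limit_client_fds() reports ENOSYS rather than pretending to sandbox.

```c
/* Added example, not from the dhclient patches: a privileged-side check in the
 * spirit of send_packet_priv(), plus the descriptor limits the message lists.
 * priv_send_req, send_packet_priv_checked, limit_client_fds, DHCP_MIN_LEN and
 * DHCP_MAX_LEN are assumptions made for this example. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

#define DHCP_SERVER_PORT 67   /* chosen by the privileged side, never by the request */
#define DHCP_MIN_LEN     240  /* assumed: fixed BOOTP header (236) + magic cookie (4) */
#define DHCP_MAX_LEN     1472 /* assumed: 1500-byte MTU minus IPv4 and UDP headers */

/* What the unprivileged process may send over the privsep socketpair:
 * a destination address and a payload. The port is not part of it. */
struct priv_send_req {
    uint32_t      dst_ip;               /* network byte order */
    uint16_t      len;                  /* bytes of payload in use */
    unsigned char payload[DHCP_MAX_LEN];
};

/* Privileged side: treat the request as untrusted, bound the payload length,
 * and build the sockaddr for sendto() on the socket only this process holds.
 * Returns 0 on success, -1 with errno = EINVAL when the request is rejected. */
int send_packet_priv_checked(const struct priv_send_req *req,
                             struct sockaddr_in *dst)
{
    if (req->len < DHCP_MIN_LEN || req->len > DHCP_MAX_LEN) {
        errno = EINVAL;
        return -1;
    }
    memset(dst, 0, sizeof(*dst));
    dst->sin_family      = AF_INET;
    dst->sin_port        = htons(DHCP_SERVER_PORT); /* fixed, whatever the child asks */
    dst->sin_addr.s_addr = req->dst_ip;             /* the one thing the child controls */
    return 0;
}

/* Unprivileged side: limit descriptors as the message lists them, then enter
 * capability mode. Lease file: write only (no CAP_READ, no CAP_FCHMOD); pidfile
 * and stdin: no rights at all; stdout/stderr: write only. The lease-file rights
 * set here is an assumption. Returns 0 on success, -1 on failure. */
int limit_client_fds(int lease_fd, int pid_fd)
{
#ifdef __FreeBSD__
    cap_rights_t rights;

    if (cap_rights_limit(lease_fd,
            cap_rights_init(&rights, CAP_WRITE, CAP_FTRUNCATE, CAP_SEEK)) == -1)
        return -1;
    if (cap_rights_limit(pid_fd, cap_rights_init(&rights)) == -1)  /* empty set */
        return -1;
    if (cap_rights_limit(STDIN_FILENO, cap_rights_init(&rights)) == -1)
        return -1;
    if (cap_rights_limit(STDOUT_FILENO, cap_rights_init(&rights, CAP_WRITE)) == -1)
        return -1;
    if (cap_rights_limit(STDERR_FILENO, cap_rights_init(&rights, CAP_WRITE)) == -1)
        return -1;
    /* From here on open(2), socket(2), kill(2) and other global-namespace
     * operations fail with ECAPMODE; only the rights kept above remain. */
    return cap_enter();
#else
    (void)lease_fd;
    (void)pid_fd;
    errno = ENOSYS;   /* Capsicum is FreeBSD-specific; nothing is sandboxed here */
    return -1;
#endif
}

int main(void)
{
    /* Constructed request: a DHCPDISCOVER-sized payload to the broadcast address. */
    struct priv_send_req req;
    struct sockaddr_in dst;
    int lease_fd = open("/dev/null", O_WRONLY);   /* stand-ins for the real files */
    int pid_fd   = open("/dev/null", O_WRONLY);

    memset(&req, 0, sizeof(req));
    req.dst_ip = htonl(INADDR_BROADCAST);
    req.len    = 300;
    if (send_packet_priv_checked(&req, &dst) == 0)
        printf("would send %u bytes to %s:%u\n", req.len,
               inet_ntoa(dst.sin_addr), ntohs(dst.sin_port));

    req.len = 0;                                  /* malformed: must be rejected */
    if (send_packet_priv_checked(&req, &dst) == -1)
        printf("rejected zero-length request (errno=%d)\n", errno);

    if (limit_client_fds(lease_fd, pid_fd) == -1)
        perror("limit_client_fds");
    else
        printf("in capability mode; stdout still writable\n");
    return 0;
}
```

The point to take from the split is that the unprivileged side never hands the privileged side a port, a socket or a flag to forward blindly: the request format has no field for them, so the privileged function cannot be talked into sending anywhere other than port 67 of the address given. On FreeBSD the second half can be checked with `procstat -f` on the sandboxed process, which shows the remaining capability rights per descriptor.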