Auto-jailing of services - 2nd implementation
- Reply: FreeBSD User : "Re: Auto-jailing of services - 2nd implementation"
Date: Sun, 03 Apr 2022 19:48:42 UTC
Hi,

attached is a new implementation of service jails (auto-jailing of services). This one now supports rc command prefixes (e.g. onestart), and I tested it in nested jails.

The benefit of auto-jailing services is that you can apply some restrictions to services (and to what other processes they may see). If your service requires access to the network but not sysvipc, and it doesn't run as root, it can be limited to network access with or without raw sockets, filesystem-permitted files, and it doesn't see other processes on the system.

For a few services I have added the required "svcj-config" in the start scripts (e.g. network access for syslog by setting syslogd_svcj_options=net_basic).

Possible svcj config options for service jails:

+ netv4)
+ _svcj_cmd_options="ip4=inherit allow.reserved_ports ${_svcj_cmd_options}"
+ ;;
+ netv6)
+ _svcj_cmd_options="ip6=inherit allow.reserved_ports ${_svcj_cmd_options}"
+ ;;
+ net_basic)
+ _svcj_cmd_options="ip4=inherit ip6=inherit allow.reserved_ports ${_svcj_cmd_options}"
+ ;;
+ net_raw)
+ _svcj_cmd_options="allow.raw_sockets ${_svcj_cmd_options}"
+ ;;
+ net_all)
+ _svcj_cmd_options="allow.socket_af allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit ${_svcj_cmd_options}"
+ ;;
+ sysvipc)
+ _svcj_cmd_options="sysvmsg=inherit sysvsem=inherit sysvshm=inherit ${_svcj_cmd_options}"
+ ;;
+ mlock)
+ _svcj_cmd_options="allow.mlock ${_svcj_cmd_options}"
+ ;;
+ vmm)
+ _svcj_cmd_options="allow.vmm ${_svcj_cmd_options}"

By setting syslogd_svcj="YES" in rc.conf, your syslogd will be started in a jail which inherits the full filesystem and the IPv4 and IPv6 addresses of the parent.

It would be nice if interested people could experiment a little bit with this, e.g. adding name_svcj_options="X Y" from above and name_svcj="YES" into rc.conf and seeing if it works. Note, doing that for sshd doesn't make sense in the generic case, as it wouldn't see your jails. It may make sense for services.
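Review bot: the quoted case statement shows no `*)` branch; if the full statement also lacks one, an unknown word in `name_svcj_options` is silently ignored and the service starts without the permission the administrator intended to grant, so consider a default branch that warns (or refuses to start) on an unrecognised option. Also worth documenting: `net_raw)` adds only `allow.raw_sockets` and no `ip4=inherit`/`ip6=inherit`, so a service configured with `net_raw` alone gets raw sockets but no inherited addresses and must be combined with `netv4`, `netv6` or `net_basic` to reach the network.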
Any kind of feedback and tested name_svcj_options submissions welcome...

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
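A small check that an administrator experimenting with the rc.conf settings described in the post might want: it reads an rc.conf-style file, finds every service with name_svcj="YES", translates its name_svcj_options into jail parameters using the same option-to-parameter mapping as the quoted case statement, and rejects unknown option names instead of dropping them. This is an added example, not part of Alexander's patch or of FreeBSD's rc.subr; the function names svcj_params, svcj_build and svcj_check_rcconf are hypothetical, and the rc.conf lines used in the usage at the bottom are constructed sample input.

```shell
#!/bin/sh
# Added example (not the posted patch): validate name_svcj / name_svcj_options
# settings in an rc.conf-style file and report the jail(8) parameters each
# enabled service would receive. Helper names are hypothetical.

# Translate one svcj option name into jail parameters. The mapping mirrors the
# case statement in the post. Unknown names print nothing and return 1, so a
# typo is reported rather than silently costing the service a permission.
svcj_params() {
    case "$1" in
    netv4)     echo "ip4=inherit allow.reserved_ports" ;;
    netv6)     echo "ip6=inherit allow.reserved_ports" ;;
    net_basic) echo "ip4=inherit ip6=inherit allow.reserved_ports" ;;
    net_raw)   echo "allow.raw_sockets" ;;
    net_all)   echo "allow.socket_af allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit" ;;
    sysvipc)   echo "sysvmsg=inherit sysvsem=inherit sysvshm=inherit" ;;
    mlock)     echo "allow.mlock" ;;
    vmm)       echo "allow.vmm" ;;
    *)         return 1 ;;
    esac
}

# Build the parameter string for a space-separated list of svcj options.
# Prints the combined parameters; returns 1 if any option was unknown.
svcj_build() {
    _opts="$1"; _out=""; _rc=0
    for _o in $_opts; do
        if _p=$(svcj_params "$_o"); then
            _out="$_out $_p"
        else
            echo "unknown svcj option: $_o" >&2
            _rc=1
        fi
    done
    echo "${_out# }"
    return $_rc
}

# Walk an rc.conf-style file: for every name_svcj="YES" (quotes optional,
# case-insensitive YES) look up name_svcj_options and print "name: params".
# Returns 1 if any enabled service carries an unknown option.
svcj_check_rcconf() {
    _file="$1"; _rc=0
    for _name in $(sed -n 's/^\([A-Za-z0-9_]*\)_svcj="\{0,1\}[Yy][Ee][Ss]"\{0,1\}$/\1/p' "$_file"); do
        _o=$(sed -n "s/^${_name}_svcj_options=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$_file")
        if _p=$(svcj_build "$_o"); then
            echo "$_name: ${_p:-(no extra parameters)}"
        else
            echo "$_name: invalid svcj options" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Usage with a constructed rc.conf fragment (sample input, not a real host):
_sample=$(mktemp)
printf '%s\n' 'syslogd_svcj="YES"' 'syslogd_svcj_options="net_basic"' \
    'ntpd_svcj=YES' 'ntpd_svcj_options="netv4 mlock"' \
    'sshd_svcj="NO"' 'sshd_svcj_options="net_basic"' > "$_sample"
svcj_check_rcconf "$_sample"
rm -f "$_sample"
```

Because svcj_params returns non-zero for an unrecognised name, the whole check fails loudly on a typo such as `netv4 mlok`, which is the failure mode the silent case statement in the patch would otherwise hide.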