Date: Sun, 15 May 2022 12:49:06 +0200
From: FreeBSD User
To: Alexander Leidinger
Cc: security@freebsd.org, jail@freebsd.org
Subject: Re: Auto-jailing of services - 2nd implementation
Message-ID: <20220515124900.44aac19b@hermann>
In-Reply-To: <20220403214842.Horde.vlwSVh0KOZ6sL7aDfgA9KKL@webmail.leidinger.net>
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

On Sun, 03 Apr 2022 21:48:42 +0200
Alexander Leidinger wrote:

> Hi,
>
> attached is a new implementation of service jails (auto-jailing of
> services). This one now supports rc command prefixes (e.g. onestart)
> and I tested it in nested jails. The benefit of auto-jailing services
> is that you can apply some restrictions to services (and to what other
> processes they may see). If your service requires access to network but
> not sysvipc, and it doesn't run as root, it can be limited to network
> access with or without raw sockets, filesystem-permitted files, and
> doesn't see other processes on the system.
>
> For a few services I have added the required "svcj-config" in the
> start scripts (e.g. network access for syslog by setting
> syslogd_svcj_options=net_basic).
>
> Possible svcj config options for service jails:
> + netv4)
> + _svcj_cmd_options="ip4=inherit
> allow.reserved_ports ${_svcj_cmd_options}"
> + ;;
> + netv6)
> + _svcj_cmd_options="ip6=inherit
> allow.reserved_ports ${_svcj_cmd_options}"
> + ;;
> + net_basic)
> + _svcj_cmd_options="ip4=inherit ip6=inherit
> allow.reserved_ports ${_svcj_cmd_options}"
> + ;;
> + net_raw)
> + _svcj_cmd_options="allow.raw_sockets
> ${_svcj_cmd_options}"
> + ;;
> + net_all)
> + _svcj_cmd_options="allow.socket_af
> allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit ${_svcj_cmd_options}"
> + ;;
> + sysvipc)
> + _svcj_cmd_options="sysvmsg=inherit
> sysvsem=inherit sysvshm=inherit ${_svcj_cmd_options}"
> + ;;
> + mlock)
> + _svcj_cmd_options="allow.mlock
> ${_svcj_cmd_options}"
> + ;;
> + vmm)
> + _svcj_cmd_options="allow.vmm
> ${_svcj_cmd_options}"
>
> By setting syslogd_svcj="YES" in rc.conf your syslogd will be started
> in a jail which inherits the full filesystem and the ipv4 and ipv6
> addresses of the parent.
>
> It would be nice if interested people could experiment a little bit
> with this, e.g. adding name_svcj_options="X Y" from above and
> name_svcj="YES" into rc.conf and see if it works. Note, doing that for
> sshd doesn't make sense in the generic case; it wouldn't see your
> jails. It may make sense for services.
>
> Any kind of feedback and tested name_svcj_options submissions welcome...
>
> Bye,
> Alexander.
>

Hello Alexander Leidinger,

Is this really interesting feature already part of the recent CURRENT rc
subsystem, or do I have to "patch" CURRENT with the rc script provided
somewhere first to obtain the functionality you are talking about here?

Thanks in advance and kind regards

O. Hartmann

P.S. Would it be possible to put a service with dedicated network
interfacing (say, a jailed vnet/vlan, for instance an asterisk service
running on a small router appliance, as we do in our projects)?
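Review bot: every network keyword in the quoted case statement (netv4, netv6, net_basic, net_all) unconditionally adds allow.reserved_ports, so a service that only needs an inherited address is also allowed to bind ports below 1024; consider a separate keyword for that, so the privilege is opt-in rather than bundled with address inheritance. Also, the net_raw branch adds only allow.raw_sockets with no ip4=inherit/ip6=inherit, so on its own it produces a jail that may open raw sockets but inherits no addresses; either document that net_raw is meant to be combined with netv4/netv6/net_basic, or include the inherit parameters in that branch as net_all does.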
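Worked example added here (it is not Alexander's patch and not part of either message): a small POSIX sh script that reproduces the keyword-to-jail(8)-parameter mapping quoted above and prints the jail command line a service would be started with, so the effect of a given name_svcj_options value can be inspected before setting name_svcj="YES" in rc.conf. The "svcj-" jail name prefix, path=/, host=inherit and the rejection of unknown keywords are assumptions of this example, not behaviour taken from the patch.

```shell
#!/bin/sh
# Added example, not code from Alexander Leidinger's service-jail patch.
# Re-implements the svcj keyword -> jail(8) parameter mapping quoted in the
# mail and composes the jail command line, so a name_svcj_options value can
# be checked before it is enabled. The "svcj-" name prefix, path=/,
# host=inherit and the unknown-keyword check are assumptions of this example.

# Map a space-separated list of svcj keywords to jail(8) parameters.
# Same keywords and same prepend order as the quoted case statement.
svcj_options_to_params() {
    _opts=""
    for _o in $1; do
        case "$_o" in
        netv4)
            _opts="ip4=inherit allow.reserved_ports ${_opts}"
            ;;
        netv6)
            _opts="ip6=inherit allow.reserved_ports ${_opts}"
            ;;
        net_basic)
            _opts="ip4=inherit ip6=inherit allow.reserved_ports ${_opts}"
            ;;
        net_raw)
            # Only the raw-socket flag: without netv4/netv6/net_basic the
            # jail inherits no addresses to use it with.
            _opts="allow.raw_sockets ${_opts}"
            ;;
        net_all)
            _opts="allow.socket_af allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit ${_opts}"
            ;;
        sysvipc)
            _opts="sysvmsg=inherit sysvsem=inherit sysvshm=inherit ${_opts}"
            ;;
        mlock)
            _opts="allow.mlock ${_opts}"
            ;;
        vmm)
            _opts="allow.vmm ${_opts}"
            ;;
        *)
            # This example's own addition: a typo in rc.conf should fail
            # loudly instead of silently yielding a jail with other permissions.
            printf 'unknown svcj option: %s\n' "$_o" >&2
            return 1
            ;;
        esac
    done
    # drop the trailing space left behind by the prepend
    printf '%s\n' "${_opts% }"
}

# Compose the jail(8) command line for a service.
# Arguments: service name, svcj keyword list, then the command and its arguments.
svcj_jail_cmd() {
    _name=$1
    _svcopts=$2
    shift 2
    _params=$(svcj_options_to_params "$_svcopts") || return 1
    # path=/ and host=inherit reflect "inherits the full filesystem" from the
    # mail (an assumption about the patch's defaults); command= must be the
    # last parameter, everything after it is the service's command line.
    printf 'jail -c name=svcj-%s path=/ host=inherit %s command=%s\n' \
        "$_name" "$_params" "$*"
}

# Equivalent of syslogd_svcj="YES" with syslogd_svcj_options="net_basic":
svcj_jail_cmd syslogd "net_basic" /usr/sbin/syslogd -s
```

Running it prints the line for the syslogd case from the mail; pass other keyword lists to see which allow.* flags they carry (and that, for netv4, netv6 and net_basic, allow.reserved_ports always comes along).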