git: aefe30c54371 - main - cat: capsicumize it

Shawn Webb shawn.webb at hardenedbsd.org
Sun Jan 17 00:09:44 UTC 2021


Also to note: Something about this change causes a kernel panic under
heavy load (poudriere running 20 jobs with poudriere configured to use
tmpfs for the entire job).

Screenshot of kernel panic:
https://photos.app.goo.gl/dXBpW7sbn1iWQaJj9

On Sun, Jan 17, 2021 at 01:03:25AM +0100, Mariusz Zaborski wrote:
> Thank you for raising your concerns. We discussed that, and for now,
> we will disable sandboxing in the cat. We will try to measure where
> the bottlenecks are and try to address them.
> 
> We should try to sandbox even simple tools like cat or tail, but not at any
> cost. If we have a high cost, we may explore other ways of doing it.
> 
> On Sat, 16 Jan 2021 at 16:10, Cy Schubert <Cy.Schubert at cschubert.com> wrote:
> >
> > In message <202101161448.10GEmuI4095908 at mail.karels.net>, Mike Karels
> > writes:
> > > Mateusz wrote:
> > > > I have to strongly disagree with this change.
> > >
> > > > truss -f cat /etc/motd immediately reveals most peculiar overhead
> > > > which comes with it.
> > >
> > > > Some examples:
> > > > - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> > > > - the file is opened twice:
> > > >  5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00)  = 5 (0x5)
> > > >  5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > >  5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00)  = 7 (0x7)
> > > >  5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > > - there is an enormous number of sendto/recvfrom instead of everything
> > > > happening in just one go
> > >
> > > > Key points:
> > > > - the functionality provided by casper definitely induces way more
> > > > overhead than it should.
> > > > - regardless of the above, I find patching tools like tail and cat in
> > > > this manner to be highly questionable. Ultimately whatever security
> > > > may or may not have been gained always has to be gauged against
> > > > actual impact, and it does not look like it is worth it in this case.
> > >
> > > > Even if someone was to put cat in capability mode, for something as
> > > > trivial as opening one file, cat could just do it without all the other
> > > > overhead and then enter the sandbox.
> > >
> > > > That said, I think this change (and possibly similar changes to other
> > > > tooling) should be reverted. Regardless of what happens here, casper
> > > > needs a lot of work before it is deemed usable.
> > >
> > > > My $0,03.
> > >
> > > I also question this change.  Using capsicum makes sense for something
> > > like tcpdump, which usually runs as root, uses privileged facilities,
> >
> > tcpdump can drop its privileges. Various Linux distros and vendors do this.
> > I have a patch in my tree that will do this.
> >
> > > and interprets external data that could potentially subvert it in the
> > > worst case.  It also has a fairly high startup cost that can be amortized
> > > over its runtime.  Cat is nothing like this, so I wonder what the motivation
> > > was for the change.  It's not obvious to me that there is any significant
> > > value in capsicumizing, and there are obviously significant costs.
> >
> > Agreed.
> >
> > >
> > >               Mike
> >
> >
> > --
> > Cheers,
> > Cy Schubert <Cy.Schubert at cschubert.com>
> > FreeBSD UNIX:  <cy at FreeBSD.org>   Web:  https://FreeBSD.org
> > NTP:           <cy at nwtime.org>    Web:  https://nwtime.org
> >
> >         The need of the many outweighs the greed of the few.
> >
> >
> > >
> > > > On 1/15/21, Mariusz Zaborski <oshogbo at freebsd.org> wrote:
> > > > > The branch main has been updated by oshogbo:
> > > > >
> > > > > URL:
> > > > > https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > > >
> > > > > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > > > Author:     Mariusz Zaborski <oshogbo at FreeBSD.org>
> > > > > AuthorDate: 2021-01-15 20:22:29 +0000
> > > > > Commit:     Mariusz Zaborski <oshogbo at FreeBSD.org>
> > > > > CommitDate: 2021-01-15 20:23:42 +0000
> > > > >
> > > > >     cat: capsicumize it
> > > > >
> > > > >     Reviewed by:    markj, arichardson
> > > > >     Differential Revision:  https://reviews.freebsd.org/D28083
> > > <snip>
> > >
> > >
> >
> >

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
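The ordering Mateusz suggests in the quoted thread (open the one file first, limit the descriptors, then enter the sandbox, with no Casper helper processes) as an added C example; this is not FreeBSD's cat or Casper code, and on hosts without Capsicum the cap_* calls are replaced by no-op stand-ins (an assumption, so it builds there):

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#else /* Assumption: no-op stand-ins so this builds on hosts without Capsicum. */
typedef int cap_rights_t;
#define cap_rights_init(r, ...) (r)
#define cap_rights_limit(fd, r) ((void)(fd), (void)(r), 0)
#define cap_enter() 0
#endif
/* Read fd_in to EOF and write it all to fd_out; returns bytes copied or -1. */
static long copy_fd(int fd_in, int fd_out) {
    char buf[8192]; long total = 0; ssize_t n, w, off;
    while ((n = read(fd_in, buf, sizeof buf)) > 0) {
        for (off = 0; off < n; off += w)
            if ((w = write(fd_out, buf + off, (size_t)(n - off))) < 0) return -1;
        total += n;
    }
    return n < 0 ? -1 : total;
}
/* cat-style copy in the order the thread suggests: the single path lookup (open)
 * happens first, descriptors are limited, then cap_enter(), then the copy loop. */
long sandboxed_cat(const char *path, int fd_out) {
    cap_rights_t rights;
    int fd_in = open(path, O_RDONLY);
    if (fd_in < 0) return -1;
    if ((cap_rights_limit(fd_in, cap_rights_init(&rights, CAP_READ, CAP_FSTAT)) < 0 ||
         cap_rights_limit(fd_out, cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT)) < 0 ||
         cap_enter() < 0) && errno != ENOSYS) { close(fd_in); return -1; } /* ENOSYS: no Capsicum in kernel */
    long total = copy_fd(fd_in, fd_out);
    close(fd_in);
    return total;
}
/* Constructed round trip: input file and pipe exist before the sandbox is entered. 1 = success. */
int demo_roundtrip(void) {
    static const char msg[] = "constructed sample: hello from a capsicumized cat\n";
    char in_path[] = "/tmp/capcat_in_XXXXXX", back[sizeof msg];
    int p[2], in = mkstemp(in_path);
    if (in < 0 || pipe(p) < 0) return 0;
    if (write(in, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) return 0; close(in);
    long copied = sandboxed_cat(in_path, p[1]);   /* the pipe stands in for stdout */
    unlink(in_path);          /* fails with ENOTCAPABLE once sandboxed; harmless here */
    if (copied != (long)(sizeof msg - 1)) return 0;
    ssize_t got = read(p[0], back, sizeof back);  /* p[0] keeps its full rights */
    return got == copied && memcmp(back, msg, (size_t)got) == 0;
}
```

Run under truss -f on FreeBSD this shows a single openat and no pdfork or Casper socket traffic, which is the overhead the thread complains about.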