Request for review: Sandboxing dhclient using Capsicum.
Pawel Jakub Dawidek
pjd at FreeBSD.org
Sat Jun 8 22:33:52 UTC 2013
Hi.
I have a series of patches to sandbox dhclient using Capsicum
(capability mode and capability rights for descriptors).
As usual, because chroot and setgid/setuid are not sandboxing
mechanisms, there are many problems with the current sandboxing:
- Access to various global namespaces (like process list, network, etc.).
- Access to RAW UDP socket.
- Read/write access to bpf.
- Access to RAW route socket, which means it can delete, modify or add
static routes as it pleases.
After the changes, the RAW route socket is limited to reading only; the
write-only bpf descriptor and RAW UDP sockets are moved to the privileged
process, and even though the unprivileged process still controls destination
addresses, it cannot change the port, for example. There is no access
to global namespaces anymore. All descriptors used by the unprivileged
process are limited using capability rights (just in case, not really
crucial):
- Descriptor to lease file allows for overwrite only, but doesn't allow
for other stuff, like reading, fchmod, etc.
- Descriptor to pidfile has no rights, it is just being kept open.
- STDIN descriptor has no rights.
- STDOUT and STDERR descriptors are limited to write only.
The patches are here. Every change has an individual description:
http://people.freebsd.org/~pjd/patches/dhclient_capsicum.patches
I'd appreciate any review, especially security audit of the proposed
changes. The new and most critical function is probably send_packet_priv().
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://mobter.com
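Added example, not code from the patch series: a sketch of the two halves of the design the post describes. The privileged side owns the raw socket and fixes the port, so the sandboxed side can only choose the destination address; the sandboxed side limits its descriptors and enters capability mode. The struct send_req wire format and the exact rights sets are assumptions; the Capsicum calls are FreeBSD-only and are compiled in only there.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

#define DHCP_SERVER_PORT 67   /* chosen by the privileged side, never by the request */

struct send_req {             /* assumed wire format between the two processes */
    struct in_addr dst;       /* the only thing the sandboxed process may pick */
    uint32_t len;
    unsigned char payload[576];
};

/* Privileged side, modelled on send_packet_priv(): read one request from the
 * socketpair (one full request per read is assumed here), validate it, and build
 * the sockaddr for sendto(). Returns payload length, -1 on a short or bad request. */
int send_packet_priv(int fd, struct sockaddr_in *dst, unsigned char *buf, size_t buflen)
{
    struct send_req req;
    ssize_t n = read(fd, &req, sizeof(req));
    if (n != (ssize_t)sizeof(req)) return -1;
    if (req.len > sizeof(req.payload) || req.len > buflen) return -1;
    memset(dst, 0, sizeof(*dst));
    dst->sin_family = AF_INET;
    dst->sin_port = htons(DHCP_SERVER_PORT);   /* unprivileged side cannot change this */
    dst->sin_addr = req.dst;
    memcpy(buf, req.payload, req.len);
    return (int)req.len;
}

/* Unprivileged side: apply per-descriptor rights like those listed in the post,
 * then enter capability mode. Returns 0 on success; a no-op outside FreeBSD. */
int sandbox_unprivileged(int lease_fd, int pid_fd)
{
#ifdef __FreeBSD__
    cap_rights_t r;
    /* lease file: overwrite only (assumed rights set), no read, fchmod, etc. */
    if (cap_rights_limit(lease_fd, cap_rights_init(&r, CAP_WRITE, CAP_SEEK, CAP_FTRUNCATE)) == -1) return -1;
    /* pidfile and stdin: no rights at all, the descriptors just stay open */
    if (cap_rights_limit(pid_fd, cap_rights_init(&r)) == -1) return -1;
    if (cap_rights_limit(STDIN_FILENO, cap_rights_init(&r)) == -1) return -1;
    /* stdout and stderr: write only */
    if (cap_rights_limit(STDOUT_FILENO, cap_rights_init(&r, CAP_WRITE)) == -1) return -1;
    if (cap_rights_limit(STDERR_FILENO, cap_rights_init(&r, CAP_WRITE)) == -1) return -1;
    return cap_enter();       /* no global namespaces are reachable after this */
#else
    (void)lease_fd; (void)pid_fd;
    return 0;
#endif
}
```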