capsicum and ping(8)

mp39590 at gmail.com
Thu Jan 9 16:19:17 UTC 2014


Hello.

I would like to propose a patch for ping(8), which adds support for
capability mode sandbox.

The goals for this little project were:

a) to see what problems/burdens could be faced with compartmentalization
   of a network utility;

b) to increase the security level of a day-to-day application with minimal
   intrusion into the code.

To summarize on 'a)', the following changes were made to the original ping to
meet capsicum requirements:

1) sendto() was replaced with connect()+send() pair, since we're not
   allowed to issue sendto() with non-NULL destination;

2) one socket 's' was replaced with two sockets: 's' for sending and 's1'
   for receiving. This was done for the special use case where the user
   pings a multicast or broadcast address. As the connect() man page
   states, a socket is allowed to receive messages only from the address
   to which it was connect()'ed, and this is nonsense for
   multicast/broadcast;

3) pr_addr() function has been slightly rewritten to support casper
   daemon and its cap_gethostbyaddr() function;

4) some setsockopt() calls were adjusted, since we use two sockets instead
   of one.

The place for the cap_enter() call was chosen to balance simplicity of the
logic for entering capability mode, code changes, and protection from the
potentially dangerous place (receiving/"parsing" packets from the
network).

Finally, the following compartmentalization logic will apply:

 - If the '-n' (numeric output) flag is given, enter capability mode;

 - Else, if built WITH_CASPER: try to communicate with it; on failure, issue
   a warning and proceed without capsicum. If cap_init() is successful, all
   other casper errors (e.g. not being able to initialize DNS services) are
   treated as fatal and ping aborts;

 - Else, if built WITHOUT_CASPER: proceed without capsicum.

Also, please note that ping has a '-d' flag, which turns on the SO_DEBUG
setsockopt(), and its behavior depends on external code (which also
doesn't exist now, but could be written in the future). If we enter capsicum
with this option (although I'm sure it's not widely used), this (future)
external code may not work completely, since capsicum imposes a lot of
restrictions.

I would like to ask for your comments/reviews on this patch and approach.

Thanks to Gleb Smirnoff, Pawel Jakub Dawidek and Robert Watson for
helping me with some tricky capsicum things, which I tried to summarize
here.

Be well.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ping_20140109.patch
Type: text/x-diff
Size: 9052 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140109/fe05b9b4/attachment.patch>
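An added example, not the patch attached to this mail, showing the receive-side consequence behind changes 1) and 2) above: a connect()ed datagram socket discards replies from anyone but its peer, so multicast/broadcast replies need a second, unconnected socket. It uses UDP on loopback instead of raw ICMP so that it runs without root on any POSIX system; the function and socket names are my own, and cap_enter() is only mentioned in a comment so the code also builds where capsicum is absent.

```c
/* Added example (not the patch from the mail): why ping needed a second,
 * unconnected socket once sendto() became connect()+send(). UDP on loopback
 * stands in for raw ICMP so it runs unprivileged. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Bind a UDP socket to 127.0.0.1 on an ephemeral port; fills in *sin. */
static int bound_udp(struct sockaddr_in *sin)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    socklen_t len = sizeof *sin;
    if (fd < 0) return -1;
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)sin, len) < 0 ||
        getsockname(fd, (struct sockaddr *)sin, &len) < 0) {
        close(fd); return -1;
    }
    return fd;
}
/* 1 if a datagram is waiting on fd within 200 ms, 0 otherwise. */
static int readable(int fd)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    return poll(&p, 1, 200) == 1;
}
/* Returns 1 when the connect()ed sender ('s' in the patch) reaches its peer
 * but drops a reply from a third host that the unconnected 's1' does receive;
 * 0 if the kernel behaves otherwise; -1 on setup error. */
int connected_socket_filters_peers(void)
{
    struct sockaddr_in a_peer, a_s, a_other, a_s1;
    int peer = bound_udp(&a_peer), s = bound_udp(&a_s);
    int other = bound_udp(&a_other), s1 = bound_udp(&a_s1), result = -1;
    if (peer < 0 || s < 0 || other < 0 || s1 < 0) goto out;
    /* Fixed destination: connect()+send(); cap_enter() would follow on FreeBSD. */
    if (connect(s, (struct sockaddr *)&a_peer, sizeof a_peer) < 0) goto out;
    if (send(s, "echo", 4, 0) != 4) goto out;
    /* A third party (think: a multicast group member) answers both sockets. */
    sendto(other, "reply", 5, 0, (struct sockaddr *)&a_s, sizeof a_s);
    sendto(other, "reply", 5, 0, (struct sockaddr *)&a_s1, sizeof a_s1);
    result = readable(peer) && !readable(s) && readable(s1);
out:
    close(peer); close(s); close(other); close(s1);
    return result;
}
```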