git: df0a1f7054 - main - Status/2023Q3/process_visibility.adoc: Add report

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Lorenzo Salvadore <salvadore_at_FreeBSD.org>
Date: Thu, 28 Sep 2023 13:27:50 UTC
The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=df0a1f7054935dfbfc2cd7d78721e4512be20828

commit df0a1f7054935dfbfc2cd7d78721e4512be20828
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-09-28 12:40:42 +0000
Commit:     Lorenzo Salvadore <salvadore@FreeBSD.org>
CommitDate: 2023-09-28 12:42:18 +0000

    Status/2023Q3/process_visibility.adoc: Add report
    
    Differential Revision: https://reviews.freebsd.org/D41990
---
 .../report-2023-07-2023-09/process_visibility.adoc | 49 ++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc b/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc
new file mode 100644
index 0000000000..bbb29cab20
--- /dev/null
+++ b/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc
@@ -0,0 +1,49 @@
+=== Process Visibility Security Policies
+
+Links: +
+link:https://reviews.freebsd.org/D40626[Start of the reviews stack] URL: link:https://reviews.freebsd.org/D40626[]
+
+Contact: Olivier Certner <olce.freebsd.statusreports@certner.fr>
+
+==== Context
+
+FreeBSD implements three built-in security policies that limit which processes are visible to particular users, with the goal of preventing information leaks and unwanted interactions.
+
+The first one can prevent an unprivileged user from seeing or interacting with processes that do not have the user's UID as their real UID.
+It can be activated by setting the sysctl `security.bsd.see_other_uids` to 0 (default is 1).
+
+The second one can prevent an unprivileged user from seeing or interacting with processes whose credentials do not have any group that the user is a member of.
+It can be activated by setting the sysctl `security.bsd.see_other_gids` to 0 (default is 1).
+
+The third one can prevent an unprivileged user's process from seeing or interacting with processes that are in a jail that is a strict sub-jail of the former.
+The jail subsystem already prevents such a process to see processes in jails that are not descendant of its own (see man:jail[8] and in particular the section "Hierarchical Jails").
+One possible use of this policy is, in conjunction with the first one above, to hide processes in sub-jails that have the same real UID as some user in an ancestor jail because users having identical UIDs in these different jails are logically considered as actually different users.
+It can be activated by setting the sysctl `security.bsd.see_jail_proc` to 0 (default is 1).
+
+After a review of these policies' code and real world testing, we noticed a number of problems and limitations which prompted us to work on this topic.
+
+==== Changes
+
+The policy controlled by the `security.bsd.see_jail_proc` sysctl has received the following fixes and improvements:
+
+- Harden the security.bsd.see_jail_proc policy by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them.
+- Make this policy overridable by MAC policies, as are the other ones.
+
+The policy controlled by `security.bsd.see_other_gids` was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process' groups.
+The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit.
+Conversely, they should not see processes launched by a privileged user that temporarily enters the user's primary group.
+This new behavior is consistent with what `security.bsd.see_other_uids` has always been doing for user IDs (i.e., considering some process' real user ID and not the effective one).
+
+We have updated manual pages related to these security policies, including man:security[7], man:sysctl[8], and man:ptrace[2].
+Several manual pages of internal functions either implementing or leveraging these policies have also been revamped.
+
+==== Status
+
+Thanks to the help of mailto:mhorne@FreeBSD.org[Mitchell Horne], mailto:pauamma@gundo.com[Pau Amma], mailto:bcr@FreeBSD.org[Benedict Reuschling] and mailto:emaste@FreeBSD.org[Ed Maste], most of the submitted changes have been reviewed and approved, so they should reach the tree soon.
+The patch series starts with https://reviews.freebsd.org/D40626[review D40626].
+From there, click on the "Stack" tab to see the full list of reviews implementing the changes.
+
+As a later step, we are considering turning the `security.bsd.see_jail_proc` policy on by default (i.e., the default value of the sysctl would become 0) unless there are objections.
+
+Sponsor: Kumacom SAS (for development work) +
+Sponsor: The FreeBSD Foundation (for most of the reviews)