From nobody Thu Sep 28 13:27:50 2023 X-Original-To: dev-commits-doc-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RxDn24nbKz4tmkM for ; Thu, 28 Sep 2023 13:27:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RxDn24HxMz3Ng1; Thu, 28 Sep 2023 13:27:50 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1695907670; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4WcpzpNAiZipbJcrDqKD/e5Sfev1qKF1YTS4aLebFc0=; b=DJOJukUWnAuudj9JNDbBthZ5tgGxpnIu1jNgZ8pPOLu1GsZGzBUpPKs6pRIK7QV9if2TaA fBDHIF136cTR8hTtJGt5n8UVgLFzu+n2jBRyqniGs2B6EvASjA+ckbbchPlLwDnDq7C/WG 011IJMVrcLqzptZTgrJRpTaCFwAVIWjtYl39tKpZoqB+7g8zDmW6UmuqHyLmHYka7XE7No 8Mx7i8b38bHfcJkwk02JPKOXZ416ebihzjvyyJXOleZ6c2r6Rwo0NdJt0uZY+KeA91tRwO i/ataG5s7y5WtaQa7xs6GLVAMVnIOQPKfbtoY4yYprujRyHJrnQhORYz40dgNA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1695907670; a=rsa-sha256; cv=none; b=qYLlKStGZCRGQxsRfdG4JOpJ5sMBDOFSLMFs5WZYhh56Gk0RJdkQgyfbECrcIhknvbD12P gb7cvzay6z6aGqfyeYsYIXGlVT1Ayrzm03xyVwEhsaizAgQ1ECLz45AVnfwJ9CmfWf5lwh t045Fy0p/g7o7YCp84cVOmlQqb9rGg6YXM2/OhJi9WrnMyInGeFTR+aL2zYqhwxJUL63GL MuXFhBgULD+q1maRL3Npo7GFXEo1+fVRLZYCYNBCt5x6vajdHxjkovmqm78xNFBJWSx4+N Eb2TphQDWLIG8Vz/clU0NcEOehmJJ40BGBwfAsCe9vA6gpt8UMRbtwHK2231DQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1695907670; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4WcpzpNAiZipbJcrDqKD/e5Sfev1qKF1YTS4aLebFc0=; b=nz1GlBZFak8qej8Rx19N1tEh9W8uvhSP//An5TvZxmhxlcYNVs2gFbSOUWa0nKXMJbIcjS W65ARFoNBEspEuASOTD5CZw5HEeGJ/+mIv6HyBdH0PEGwblsBerMQB1X7LOHNru9Vq76oA ACWBDrbrOfWTN4J2uqMELezpG00Qi6Y0CiRvHosNGtNy5HCW6VcA6jbWE6hv0NuU3rNwsw qW1GogerKwaxo8hSa+IdpUdPdsSTboyHS9eP3ReaVUAl0VagPuUiSsqaEr+3uldfYU56DU 3Vpbbd7zUkeutWRLef16R737BXUVQFa4xZzgPzUN3XkTQN45/uR4ZFDGuD1row== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RxDn23MHjz8MN; Thu, 28 Sep 2023 13:27:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 38SDRoHj071970; Thu, 28 Sep 2023 13:27:50 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 38SDRoQ1071967; Thu, 28 Sep 2023 13:27:50 GMT (envelope-from git) Date: Thu, 28 Sep 2023 13:27:50 GMT Message-Id: <202309281327.38SDRoQ1071967@gitrepo.freebsd.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org From: Lorenzo Salvadore Subject: git: df0a1f7054 - main - Status/2023Q3/process_visibility.adoc: Add report List-Id: Commit messages for all branches of the doc repository List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-doc-all@freebsd.org X-BeenThere: dev-commits-doc-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: salvadore X-Git-Repository: doc X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: df0a1f7054935dfbfc2cd7d78721e4512be20828 Auto-Submitted: auto-generated The branch main has been updated by salvadore: URL: https://cgit.FreeBSD.org/doc/commit/?id=df0a1f7054935dfbfc2cd7d78721e4512be20828 commit df0a1f7054935dfbfc2cd7d78721e4512be20828 Author: Olivier Certner AuthorDate: 2023-09-28 12:40:42 +0000 Commit: Lorenzo Salvadore CommitDate: 2023-09-28 12:42:18 +0000 Status/2023Q3/process_visibility.adoc: Add report Differential Revision: https://reviews.freebsd.org/D41990 --- .../report-2023-07-2023-09/process_visibility.adoc | 49 ++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc b/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc new file mode 100644 index 0000000000..bbb29cab20 --- /dev/null +++ b/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc @@ -0,0 +1,49 @@ +=== Process Visibility Security Policies + +Links: + +link:https://reviews.freebsd.org/D40626[Start of the reviews stack] URL: link:https://reviews.freebsd.org/D40626[] + +Contact: Olivier Certner + +==== Context + +FreeBSD implements three built-in security policies that limit which processes are visible to particular users, with the goal of preventing information leaks and unwanted interactions. + +The first one can prevent an unprivileged user from seeing or interacting with processes that do not have the user's UID as their real UID. +It can be activated by setting the sysctl `security.bsd.see_other_uids` to 0 (default is 1). + +The second one can prevent an unprivileged user from seeing or interacting with processes whose credentials do not have any group that the user is a member of. +It can be activated by setting the sysctl `security.bsd.see_other_gids` to 0 (default is 1). + +The third one can prevent an unprivileged user's process from seeing or interacting with processes that are in a jail that is a strict sub-jail of the former. +The jail subsystem already prevents such a process to see processes in jails that are not descendant of its own (see man:jail[8] and in particular the section "Hierarchical Jails"). +One possible use of this policy is, in conjunction with the first one above, to hide processes in sub-jails that have the same real UID as some user in an ancestor jail because users having identical UIDs in these different jails are logically considered as actually different users. +It can be activated by setting the sysctl `security.bsd.see_jail_proc` to 0 (default is 1). + +After a review of these policies' code and real world testing, we noticed a number of problems and limitations which prompted us to work on this topic. + +==== Changes + +The policy controlled by the `security.bsd.see_jail_proc` sysctl has received the following fixes and improvements: + +- Harden the security.bsd.see_jail_proc policy by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them. +- Make this policy overridable by MAC policies, as are the other ones. + +The policy controlled by `security.bsd.see_other_gids` was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process' groups. +The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit. +Conversely, they should not see processes launched by a privileged user that temporarily enters the user's primary group. +This new behavior is consistent with what `security.bsd.see_other_uids` has always been doing for user IDs (i.e., considering some process' real user ID and not the effective one). + +We have updated manual pages related to these security policies, including man:security[7], man:sysctl[8], and man:ptrace[2]. +Several manual pages of internal functions either implementing or leveraging these policies have also been revamped. + +==== Status + +Thanks to the help of mailto:mhorne@FreeBSD.org[Mitchell Horne], mailto:pauamma@gundo.com[Pau Amma], mailto:bcr@FreeBSD.org[Benedict Reuschling] and mailto:emaste@FreeBSD.org[Ed Maste], most of the submitted changes have been reviewed and approved, so they should reach the tree soon. +The patch series starts with https://reviews.freebsd.org/D40626[review D40626]. +From there, click on the "Stack" tab to see the full list of reviews implementing the changes. + +As a later step, we are considering turning the `security.bsd.see_jail_proc` policy on by default (i.e., the default value of the sysctl would become 0) unless there are objections. + +Sponsor: Kumacom SAS (for development work) + +Sponsor: The FreeBSD Foundation (for most of the reviews)