From: David Chisnall <theraven@FreeBSD.org>
To: George Diaconu
Cc: freebsd-hackers@freebsd.org, Elena Mihailescu, Șendre Mihai-Alin, Darius MIHAI
Subject: Re: Linux capabilities to Capsicum
Date: Sun, 17 Apr 2022 16:26:50 +0100
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Hi,

I don’t think you’ll have much luck trying to map Linux capabilities to Capsicum. Although they have similar names, they are very different.

Linux capabilities, confusingly, are not a capability system. A capability is an unforgeable token of authority that can be delegated and must be presented to perform an action. Linux ‘capabilities’ are permissions that relate to the ambient authority of a process: simply having the permission is sufficient to perform any of the privileged actions. There is no namable object that you are able to present to the relevant system calls to explicitly choose to exert the authority.

In contrast, Capsicum makes file descriptors into capabilities. Once you enter capability mode, you have no ambient authority. You may not access any global namespace except by presenting a capability (file descriptor) with the relevant authority to a system call.

Linux capabilities are intended to allow programs to have some subset of root privileges. This is very difficult to do well because the privileges that root holds on *NIX systems were never intended to be decomposed. The set that you list adds up to complete root power, in several ways. For example:

- If you have CAP_SYS_PTRACE then you can attach to init (or any other unrestricted daemon), inject arbitrary code, and tell it to execute on your behalf.
- If you have CAP_DAC_OVERRIDE then you can (unless running with some code-signing checks) modify bits of the filesystem that unrestricted programs running as root will trust as containing system binaries and have them exec code that you’ve injected.
- If you have CAP_SYS_ADMIN, you can do pretty much anything that root can do even without additional elevation steps, including any `ioctl` on block devices.

I don’t think that you’d lose anything other than a tiny bit of defence in depth that costs an attacker several seconds to bypass by simply skipping the privilege separation that this kind of use of Linux capabilities buys you.

Similar restrictions could be imposed by a MAC policy[1] but that is a lot of work to implement. It would be a nice project for someone to look at Linux Capabilities and the Solaris equivalents and build something that exposed this kind of functionality.

The more traditional UNIX way of doing what you need is to have a separate process that runs as root and exposes an RPC interface to the Python code that performs these trusted actions on its behalf. That would be a lot less effort to implement, though again the security benefits are negligible if the set of privileged actions includes the full set authorised by those Linux permissions since they equate to giving the unprivileged process complete control over your system.

David

[1] https://www.freebsd.org/cgi/man.cgi?query=mac&sektion=9&apropos=0&manpath=FreeBSD+13.0-RELEASE+and+Ports

> On 16 Apr 2022, at 18:17, George Diaconu wrote:
>
> Hello,
>
> Together with my colleagues we are trying to port OpenStack to FreeBSD. As part of the process we need to modify a python package used by OpenStack called oslo_privsep. This package uses linux capabilities to give OpenStack services the least permissions they need.
> Now as part of porting to FreeBSD we want to replace the linux capabilities with Capsicum. We found a list of Capsicum capabilities at [1]. So far we found that the package uses at least the following 5 capabilities described in [2]:
> - CAP_DAC_OVERRIDE
> - CAP_DAC_READ_SEARCH
> - CAP_NET_ADMIN
> - CAP_SYS_PTRACE
> - CAP_SYS_ADMIN
>
> What would be the respective capabilities in Capsicum?
>
> Thank you,
> George
>
> [1] https://www.freebsd.org/cgi/man.cgi?query=rights&sektion=4&apropos=0&manpath=FreeBSD+13.0-RELEASE+and+Ports
> [2] https://man7.org/linux/man-pages/man7/capabilities.7.html
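The privilege-separated helper that the reply recommends (a separate privileged process exposing a narrow RPC interface to the Python code), as an added example that is not part of this thread and not oslo_privsep's own code. It also shows the distinction the reply draws: the unprivileged side never gains an ambient permission, it receives a file descriptor over SCM_RIGHTS and has to present that descriptor to read(2), which is the object-capability model Capsicum builds on. Assumptions: the helper runs as the invoking user here rather than as root so the demo needs no privilege; the single operation `open_read`, the hypothetical `PrivsepClient` class, the JSON framing and the temporary `ALLOWED_ROOT` directory are all constructed for the example.

```python
"""Added example: a minimal fork-and-socketpair privilege-separation helper.
The helper honours exactly one named operation and answers with a descriptor
rather than with a path; everything else is refused. Not oslo_privsep code."""
import json
import os
import socket
import tempfile

# Constructed sandbox directory: the helper only hands out descriptors for
# files below it. (Demo assumption; a real helper would use a fixed path.)
ALLOWED_ROOT = tempfile.mkdtemp(prefix="privsep-demo-")


def _serve(conn, allowed_root):
    """Privileged side. In a real deployment this process runs as root; in the
    demo it runs as the invoking user (assumption). Its RPC surface, not the
    caller's uid, is what bounds the authority that crosses the socket."""
    root_fd = os.open(allowed_root, os.O_RDONLY | os.O_DIRECTORY)
    while True:
        data = conn.recv(4096)  # demo framing: one small JSON request per recv()
        if not data:
            break
        req = json.loads(data)
        if req.get("op") != "open_read":
            # Not on the fixed list: refused regardless of who asks.
            conn.sendall(json.dumps({"ok": False, "err": "operation not permitted"}).encode())
            continue
        rel = req.get("path", "")
        # Reject absolute paths and parent traversal; O_NOFOLLOW covers a symlink in
        # the final component only (intermediate symlinks are not handled here).
        if not rel or os.path.isabs(rel) or ".." in rel.split("/"):
            conn.sendall(json.dumps({"ok": False, "err": "path escapes allowed root"}).encode())
            continue
        try:
            fd = os.open(rel, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=root_fd)
        except OSError as e:
            conn.sendall(json.dumps({"ok": False, "err": e.strerror}).encode())
            continue
        # The reply carries the descriptor itself (SCM_RIGHTS), not a path.
        socket.send_fds(conn, [json.dumps({"ok": True}).encode()], [fd])
        os.close(fd)  # the in-flight reference keeps the open file alive
    conn.close()


class PrivsepClient:
    """Unprivileged side (hypothetical name): forks the helper and keeps only
    the socket to it. Any authority it gets back arrives as a descriptor."""

    def __init__(self, allowed_root=ALLOWED_ROOT):
        ours, theirs = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        self.pid = os.fork()
        if self.pid == 0:  # helper process
            ours.close()
            _serve(theirs, allowed_root)
            os._exit(0)
        theirs.close()
        self.sock = ours

    def request(self, op, **fields):
        """Send one request; return (reply dict, list of received descriptors)."""
        self.sock.sendall(json.dumps(dict(fields, op=op)).encode())
        msg, fds, _flags, _addr = socket.recv_fds(self.sock, 4096, 1)
        return json.loads(msg), fds

    def open_read(self, rel_path):
        reply, fds = self.request("open_read", path=rel_path)
        if not reply["ok"]:
            raise PermissionError(reply["err"])
        return fds[0]

    def close(self):
        self.sock.close()  # EOF makes the helper exit
        os.waitpid(self.pid, 0)


def demo():
    """Run the exchange on constructed input and report what each request got."""
    with open(os.path.join(ALLOWED_ROOT, "config.ini"), "w") as f:
        f.write("[DEFAULT]\ndebug = false\n")
    client = PrivsepClient()
    results = {}
    fd = client.open_read("config.ini")  # allowed: inside the root
    with os.fdopen(fd) as f:
        results["inside"] = f.read()
    for label, path in (("escape", "../../etc/passwd"), ("absolute", "/etc/passwd")):
        try:
            os.close(client.open_read(path))
            results[label] = "allowed"
        except PermissionError as e:
            results[label] = str(e)
    reply, _ = client.request("exec", argv=["/bin/sh", "-c", "id"])  # not on the list
    results["exec"] = reply["err"]
    client.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the reply makes still applies to this design: the helper is only as safe as its list of operations, and a list that amounts to "open anything", "ptrace anything" or "run this command" hands the caller root by another route. On FreeBSD the client side can additionally call cap_enter(2) once it holds the socket, and the helper can cap_rights_limit(2) each descriptor to CAP_READ before sending it; both are left out so the example runs on any POSIX system.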