Date: Tue, 29 Mar 2022 14:14:28 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Mathieu
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: curtain: WIP sandboxing mechanism with pledge()/unveil() support
Message-ID: <20220329181428.n3db2x57nnn64yfx@mutt-hbsd>
In-Reply-To: <25b5c60f-b9cc-78af-86d7-1cc714232364@gmail.com>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
On Mon, Mar 28, 2022 at 05:37:44AM -0400, Mathieu wrote:
> Hello list. For a while I've been working on and off on a
> pledge()/unveil() implementation for FreeBSD. I also wanted it to be able
> to sandbox arbitrary programs that might not expect it with no (or very
> minor) modifications. So I just kept adding to it until it could do that
> well enough. I'm still working on it, and there are some known issues and
> some things I'm not sure are done correctly, but overall it's in a very
> functional state now. It can run most utilities and desktop apps unmodified
> (though dbus/dconf/etc are trouble), server daemons, buildworld and whole
> shell/desktop sessions sandboxed.
>
> https://github.com/Math2/freebsd-pledge
> https://github.com/Math2/freebsd-pledge/blob/main/CURTAIN-README.md
>
> It can be broken up into 4 parts: 1) A MAC module that implements most of the
> functionality. 2) The userland library, sandboxing utility, configs and
> tests. 3) Various kernel changes needed to support it (including new MAC
> handlers and extended syscall filtering). 4) Small changes/fixes to the
> base userland (things like adding reporting to ps and modifying some
> utilities to use $TMPDIR so that they can be properly sandboxed). So 1) and
> 2) could be in a port. And I tried to minimize 3) and 4) as much as
> possible.
>
> I noted some problems/limitations in the CURTAIN-ISSUES file. At this point
> I'm mostly wondering about the general design being acceptable for merging
> eventually. Because most of this could be part of a port, but not all of
> it. And the way that it deals with filesystem access restrictions in
> particular is kludgy. So any feedback/testing welcome.
>
> It still lacks documentation (in part because I'm not sure of what could
> still change) so I'm going to give an overview of it here and show some
> examples and that's going to be the documentation for now. And I'll
> describe the kernel changes that it needed. So that's going to be a bit of
> a long email.

Hey Mathieu,

Thanks a lot for working on this! I'm incredibly excited to see this work
progress and mature. I'd love to start reviewing your work.

One thing that would make it easier to review would be if you used a
feature branch rather than relying on the main branch. That way, a simple
`git diff` command could be used to generate a diff between your code and
stock FreeBSD. If you'd like an example of that, take a look at HardenedBSD's
repo[0].
We have two relevant branches:

freebsd/current/main  <- FreeBSD's sources
hardened/current/main <- HardenedBSD's patches applied on top of FreeBSD's sources

Users can then simply run `git diff origin/freebsd/current/main` to see all
the changes we've made (assuming the user is currently working on the
hardened/current/master branch.)

[0]: https://git.hardenedbsd.org/HardenedBSD/hardenedbsd

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
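The two-branch review layout Shawn describes, reproduced as an added example that is not part of the thread or of either project's repository: a throwaway repo with an upstream branch and a patched branch on top, and the `git diff` that yields the whole patch set. The branch names are taken from the email; the file contents, commits and "hardening patch" are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): build the layered-branch layout in a
# scratch repo and extract the local patch set with `git diff`. Branch names
# follow the email; the file and commits are constructed for the demo.
set -e

# Create a scratch repo: an upstream branch plus a patched branch on top of it.
make_layered_repo() {
    repo="$1"
    git init -q "$repo"
    git -C "$repo" config user.name demo
    git -C "$repo" config user.email demo@example.invalid
    # Upstream import: stands in for the freebsd/current/main mirror.
    git -C "$repo" symbolic-ref HEAD refs/heads/freebsd/current/main
    printf 'int main(void) { return 0; }\n' > "$repo/main.c"
    git -C "$repo" add main.c
    git -C "$repo" commit -q -m "import upstream sources"
    # Local work lives on its own branch and never rewrites upstream history,
    # so reviewers can always diff against the untouched upstream ref.
    git -C "$repo" checkout -q -b hardened/current/main
    printf '/* local hardening patch (constructed) */\n' > "$repo/main.c"
    printf 'int main(void) { return 0; }\n' >> "$repo/main.c"
    git -C "$repo" commit -q -am "apply local patch on top of upstream"
}

# The full patch set is the diff from the upstream branch to the checked-out
# branch. In a clone that tracks a remote, the same command is
# `git diff origin/freebsd/current/main`, as in the email.
patch_set() {
    git -C "$1" diff freebsd/current/main
}

# Commits that exist only on the patched branch (what a reviewer walks through).
local_commits() {
    git -C "$1" log --oneline freebsd/current/main..hardened/current/main
}

demo="$(mktemp -d)"
make_layered_repo "$demo"
local_commits "$demo"
patch_set "$demo"
rm -rf "$demo"
```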