Re: Auto-jailing of services - 2nd implementation

From: FreeBSD User <freebsd_at_walstatt-de.de>
Date: Sun, 15 May 2022 10:49:06 UTC
On Sun, 03 Apr 2022 21:48:42 +0200
Alexander Leidinger <Alexander@leidinger.net> wrote:

> Hi,
> 
> attached is a new implementation of service jails (auto-jailing of
> services). This one now supports rc command prefixes (e.g. onestart)
> and I tested it in nested jails. The benefit of auto-jailing services
> is that you can apply some restrictions to services (and what other
> processes they may see). If your service requires access to the network but
> not sysvipc, and it doesn't run as root, it can be limited to network
> access with or without raw sockets, filesystem-permitted files, and
> doesn't see other processes on the system.
> 
> For a few services I have added the required "svcj-config" in the
> start scripts (e.g. network access for syslog by setting
> syslogd_svcj_options=net_basic).
> 
> Possible svcj config options for service jails:
> +				netv4)
> +					_svcj_cmd_options="ip4=inherit
> allow.reserved_ports ${_svcj_cmd_options}"
> +					;;
> +				netv6)
> +					_svcj_cmd_options="ip6=inherit
> allow.reserved_ports ${_svcj_cmd_options}"
> +					;;
> +				net_basic)
> +					_svcj_cmd_options="ip4=inherit ip6=inherit
> allow.reserved_ports ${_svcj_cmd_options}"
> +					;;
> +				net_raw)
> +					_svcj_cmd_options="allow.raw_sockets
> ${_svcj_cmd_options}"
> +					;;
> +				net_all)
> +					_svcj_cmd_options="allow.socket_af
> allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit ${_svcj_cmd_options}"
> +					;;
> +				sysvipc)
> +					_svcj_cmd_options="sysvmsg=inherit
> sysvsem=inherit sysvshm=inherit  ${_svcj_cmd_options}"
> +					;;
> +				mlock)
> +					_svcj_cmd_options="allow.mlock
> ${_svcj_cmd_options}"
> +					;;
> +				vmm)
> +					_svcj_cmd_options="allow.vmm
> ${_svcj_cmd_options}"
> 
> By setting syslogd_svcj="YES" in rc.conf your syslogd will be started
> in a jail which inherits the full filesystem and the ipv4 and ipv6
> addresses of the parent.
> 
> It would be nice if interested people could experiment a little bit
> with this, e.g. adding name_svcj_options="X Y" from above and
> name_svcj="YES" into rc.conf and see if it works. Note, doing that for
> sshd doesn't make sense in the generic case, it wouldn't see your
> jails. It may make sense for services.
> 
> Any kind of feedback and tested name_svcj_options submissions welcome...
> 
> Bye,
> Alexander.
> 

Hello Alexander Leidinger,

is this really interesting feature already part of the recent CURRENT rc subsystem, or do I
have to "patch" CURRENT with the rc script provided somewhere first to obtain the
functionality you are talking about here?

Thanks in advance and kind regards

O. Hartmann

p.s. would it be possible to put a service with dedicated network interfacing (say,
jailed vnet/vlan; for instance an asterisk service running on a small router appliance, as
we do in our projects?).
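The thread above maps svcj keywords onto jail parameters (allow.raw_sockets, allow.socket_af, ip4=inherit, sysv*=inherit and so on). Once a service is running under such a jail, an administrator wants to verify which of those privilege-widening parameters it actually got. The script below is an added example, not code from the thread or from the patch: it audits a `jls -n`-style parameter line and reports the widening parameters present. The sample lines are constructed, and the assumption that `jls -n` prints booleans as `allow.x` (on) or `allow.nox` (off) and other parameters as `name=value` is mine, not stated on the page.

```shell
#!/bin/sh
# Added example (not from the thread): audit which privilege-widening jail
# parameters a service jail was started with, given one "jls -n"-style line.
# ASSUMPTION: parameters are space-separated, booleans appear as "allow.x"
# (enabled) or "allow.nox" (disabled), the rest as "name=value".
# Both sample lines below are constructed, not captured from a real host.

# A jail as "net_basic" would produce it: addresses inherited, reserved
# ports allowed, no raw sockets, no sysvipc, no mlock, no vmm.
SAMPLE_NET_BASIC='jid=7 name=svcj_syslogd path=/ ip4=inherit ip6=inherit allow.reserved_ports allow.noraw_sockets allow.nosocket_af allow.nomlock allow.novmm sysvmsg=disable sysvsem=disable sysvshm=disable'

# A jail as "net_all" would produce it: additionally raw sockets and any
# socket address family.
SAMPLE_NET_ALL='jid=8 name=svcj_ntpd path=/ ip4=inherit ip6=inherit allow.reserved_ports allow.raw_sockets allow.socket_af allow.nomlock allow.novmm sysvmsg=disable sysvsem=disable sysvshm=disable'

# Parameters that widen what a jailed service can do, written in the exact
# form in which they appear when enabled. Newline-separated on purpose so
# the list can be extended without touching the functions.
WIDENING_PARAMS='allow.raw_sockets
allow.socket_af
allow.reserved_ports
allow.mlock
allow.vmm
ip4=inherit
ip6=inherit
sysvmsg=inherit
sysvsem=inherit
sysvshm=inherit'

# svcj_has PARAMS PARAM: succeed if PARAM occurs as a whole token in PARAMS.
# Padding with spaces avoids matching "allow.noraw_sockets" for
# "allow.raw_sockets", because the token boundary is part of the pattern.
svcj_has() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# svcj_widened PARAMS: print every widening parameter present in PARAMS,
# one per line, in table order; print nothing when none is set.
svcj_widened() {
    printf '%s\n' "$WIDENING_PARAMS" | while IFS= read -r _w; do
        if svcj_has "$1" "$_w"; then
            printf '%s\n' "$_w"
        fi
    done
}

# svcj_widened_count PARAMS: number of widening parameters set.
svcj_widened_count() {
    svcj_widened "$1" | wc -l | tr -d ' '
}

# Stand-alone run: summarize both constructed samples. On a real system the
# parameter line would come from `jls -n -j <jailname>` (FreeBSD only).
for _sample in "$SAMPLE_NET_BASIC" "$SAMPLE_NET_ALL"; do
    _name=$(printf '%s\n' "$_sample" | tr ' ' '\n' | sed -n 's/^name=//p')
    printf '%s: %s widening parameter(s)\n' "$_name" "$(svcj_widened_count "$_sample")"
    svcj_widened "$_sample" | sed 's/^/    /'
done
```

Running it prints three widening parameters for the net_basic-style jail (allow.reserved_ports, ip4=inherit, ip6=inherit) and five for the net_all-style one; anything beyond what the service's documented svcj keywords should grant is worth a second look in rc.conf.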