Capsicum project: Ideas needed
Matt
sendtomatt at gmail.com
Fri Jul 8 04:48:33 UTC 2011
On 07/07/11 20:42, Ilya Bakulin wrote:
> Hi hackers,
> As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
> system, I want to ask you, which applications in the base system should
> receive sandboxing support.
> So far, the following applications were sandboxed during initial
> Capsicum research project:
> sshd: critical system service run by root;
> gzip: utility that operates with potentially buggy compression code
> tcpdump: contains complex packet-parsing code, run by root;
> I have added sandboxing to syslogd, because this is also a critical
> system service run by root.
> I'm also going to add sandboxing to xz (compression algorithms) and ntpd
> (critical system service run by root).
>
> The question is: which applications should also be processed? I think
> that the most wanted candidates are SUID programs and/or popular network
> daemons.
> But looking at gzip example I also think about text-processing tools in
> general.
>
> At the moment I prefer not to focus on applications that are used only
> on desktop system -- primary usage of FreeBSD is ultra-reliable serving
> platform, although iXSystems guys may correct me :-)
>
I'm not too familiar with the operation of capsicum, but in general
anything with untrusted (including in many cases user) input can be
worth sandboxing, especially in a server environment. Obviously server
processes themselves are often worth restricting to things like jails or
vms etc., so sandboxing could be an alternative.
I can also see cases where interpreters, database server software, and
file viewers/editors could be sandboxed to prevent exploits from
"running away" with the system via the exploited process. Especially in
server environment, 'sudo less /var/log/<evillogwithlessexploit>' and
kablooey. Admins may have to run "user" software, or non suid,
executables which nonetheless receive the admin's elevated permissions.
Call them usid, user set id, I suppose. Not the best, but it happens,
especially when things need to work an hour ago.
A few ideas along those lines:
-any server software
-any interpreter (perl, python, etc)?
-any shell?...
minicom
wget
curl
netcat
links/lynx
Can it be made a switch on sudo?
sudo --sandbox=someprofile,option tcpdump -tti pflog0
Hopefully I'm not missing the boat and these ideas are applicable :)
Matt
More information about the freebsd-hackers
mailing list