Malicious root user sandboxing
Ihor Antonov
ihor at antonovs.family
Mon May 25 18:00:34 UTC 2020
On Monday, 25 May 2020 09:37:19 PDT Ed Maste wrote:
> On Sat, 16 May 2020 at 20:02, Ihor Antonov <ihor at antonovs.family> wrote:
> > Hello FreeBSD Community,
> >
> > I am looking for possible options to sandbox an untrusted application that
> > runs with root privileges.
> >
> > I can't use Jails or Capsicum as modification of the application is
> > outside of the scope of my task and application needs to share the file
> > system with some other applications. (several applications use PAM to
> > authenticate users and they all have to have the same set of users, and I
> > want
> > to avoid duplicating system users across jails)
> >
> > For this write up I will use opensmptd server as an example application,
> > but there are many more examples that fit the usecase.
>
> Is the application dynamically linked? If so it's possible to do
> "oblivious sandboxing" with Capsicum. There's a proof of concept in
> the "Super Capsicumizer 9000" -
> https://github.com/myfreeweb/capsicumizer. It builds on libpreopen
> from MUN which handles filesystem access. This is not something that
> will work "out of the box" today for your application, but is an area
> of active interest that could benefit from a motivating use case. With
> some development work (using the approach of capsicumizer +
> libpreopen) it could be the basis for a quality sandbox.
>
> > 1) Application should only be able to listen and talk to TCP port 25.
> >
> > Initiating connections to other TCP ports and other address families
> > must be prevented.
>
> This would be net new work, intercepting connect(2), accept(2) and
> such, passing the args to a socket service, and returning the fd.
>
> > 2) Application should only have write access to a specific directory, the
> >
> > rest of the filesystem must be seen by the application as read-only.
>
> Capsicumizer + libpreopen is most of the way there now. A little work
> would be needed to extend it to support different permissions per
> directory group.
>
> > 3) Application should not be able to change it's login class.
>
> This is inherent in capability mode.
>
> > 4) Application should not be able to escape the sandbox by forking a child
> >
> > process.
>
> Capsicum does not address this, but the child starts in capability
> mode and inherits the same sandbox restrictions. The real need then is
> for comprehensive resource limits.
>
> > 5) Application's resource usage must be limited.
> >
> > 6) Application should not be able to shake-off resource limits by forking
> >
> > a child or changing login class.
>
> This probably needs some rctl improvements.
>
> > 7) Application should not be able to change system configuration,
> > load/unload>
> > kernel modules, modify firewall rules.
> >
> > 8) Application should not be able to create new system users,
> >
> > or change passwords of existing users
>
> These are inherent in capability mode.
Thanks Ed,
I was looking at Capsicumizer and it looks very interesting.
The only reason I was hesitant is that this is an external application, not a
FreeBSD core. Is it going to be included in FreeBSD in some distant future?
--
Ihor Antonov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20200525/03d3e251/attachment.sig>
More information about the freebsd-security
mailing list