Malicious root user sandboxing

Ihor Antonov ihor at antonovs.family
Mon May 25 18:00:34 UTC 2020 

On Monday, 25 May 2020 09:37:19 PDT Ed Maste wrote:
> On Sat, 16 May 2020 at 20:02, Ihor Antonov <ihor at antonovs.family> wrote:
> > Hello FreeBSD Community,
> > 
> > I am looking for possible options to sandbox an untrusted application that
> > runs with root privileges.
> > 
> > I can't use Jails or Capsicum as modification of the application is
> > outside of the scope of my task and application needs to share the file
> > system with some other applications. (several applications use PAM to
> > authenticate users and they all have to have the same set of users, and I
> > want
> > to avoid duplicating system users across jails)
> > 
> > For this write up I will use opensmptd server as an example application,
> > but there are many more examples that fit the usecase.
> 
> Is the application dynamically linked? If so it's possible to do
> "oblivious sandboxing" with Capsicum. There's a proof of concept in
> the "Super Capsicumizer 9000" -
> https://github.com/myfreeweb/capsicumizer. It builds on libpreopen
> from MUN which handles filesystem access. This is not something that
> will work "out of the box" today for your application, but is an area
> of active interest that could benefit from a motivating use case. With
> some development work (using the approach of capsicumizer +
> libpreopen) it could be the basis for a quality sandbox.
> 
> > 1) Application should only be able to listen and talk to TCP port 25.
> > 
> >    Initiating connections to other TCP ports and other address families
> >    must be prevented.
> 
> This would be net new work, intercepting connect(2), accept(2) and
> such, passing the args to a socket service, and returning the fd.
> 
> > 2) Application should only have write access to a specific directory, the
> > 
> >    rest of the filesystem must be seen by the application as read-only.
> 
> Capsicumizer + libpreopen is most of the way there now. A little work
> would be needed to extend it to support different permissions per
> directory group.
> 
> > 3) Application should not be able to change it's login class.
> 
> This is inherent in capability mode.
> 
> > 4) Application should not be able to escape the sandbox by forking a child
> > 
> >    process.
> 
> Capsicum does not address this, but the child starts in capability
> mode and inherits the same sandbox restrictions. The real need then is
> for comprehensive resource limits.
> 
> > 5) Application's resource usage must be limited.
> > 
> > 6) Application should not be able to shake-off resource limits by forking
> > 
> >    a child or changing login class.
> 
> This probably needs some rctl improvements.
> 
> > 7) Application should not be able to change system configuration,
> > load/unload> 
> >    kernel modules, modify firewall rules.
> > 
> > 8) Application should not be able to create new system users,
> > 
> >    or change passwords of existing users
> 
> These are inherent in capability mode.


Thanks Ed,

I was looking at Capsicumizer and it looks very interesting.
The only reason I was hesitant is that this is an external application, not a 
FreeBSD core. Is it going to be included in FreeBSD in some distant future?

-- 
Ihor Antonov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20200525/03d3e251/attachment.sig>

More information about the freebsd-security mailing list