Re: FWIW: sysrestrict

To: Alistair Crooks <agc%pkgsrc.org@localhost>, Paul Goyette <paul%whooppee.com@localhost>
Subject: Re: FWIW: sysrestrict
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Sun, 24 Jul 2016 13:09:46 +0200

Le 24/07/2016 à 00:52, Alistair Crooks a écrit :

ISTM that your sysretsrict suffers from one of the same drawbacks as
pledge/tame/name-du-jour - the restrictions are being burned into the
binary at compile/link time.


No. As I said, the userland tool could add or modify the bitmap in the ELF
section. Sysrestrict does not require any modification at compile or link
time.

You could just take the default firefox binary provided on the project
servers, and sysrestrictctl would add the section.

That might be fine for system binaries
(but some people download distributions from the project servers) that
are built locally - what about anything more than the basics, like an
apache with loadable modules? How do you specify the modular
restrictions? How do we make it so that an apache binary can be
successfully have its restriction set "expanded" to allow modules to
do their job, when that is what sysretsrict is trying to prevent?

I'd be much happier with a variant of seccomp-bpf, or even using lua
to do the same job (if it was performant, JIT-enabled and safe to do
such a thing, I expect not :().

My main problem is that simply outlawing system calls is a very
coarse-grained hammer. I may want a binary to be able to open files
for writing in /tmp, but not open any files in /etc for writing. Or
reading files in my home directory, except for anything in ~/.ssh or
~/.gnupg. How does sysrestrict cope with this?


It is just impossible to reach the perfect granularity. Even with a JIT engine,
we could still demonstrate that we cannot handle the pointer that comes from
a copyin, which comes from a copyin, which comes from another copyin. And even
if we were trying to implement such a feature, we would end up virtualizing the
whole userland->kernel path, and the performance, security and stability impact
would be high.

The goal of sysrestrict (and pledge, and whatever else) is not to provide the
perfect feature that will control absolutely everything. The goal is just to
provide an additionnal, simple layer of restriction. It is a combination of
such features that can mostly reach the granularity you want. Sysrestrict for
syscalls, UNIX file permissions for VFS, kauth for kernel permissions, Veriexec
for binary permissions, etc.

Follow-Ups:
- Re: FWIW: sysrestrict
  - From: Joerg Sonnenberger

References:
- FWIW: sysrestrict
  - From: Maxime Villard
- Re: FWIW: sysrestrict
  - From: Paul Goyette
- Re: FWIW: sysrestrict
  - From: Alistair Crooks

Prev by Date: Re: GSoC-2016
Next by Date: Re: GSoC-2016
Previous by Thread: Re: FWIW: sysrestrict
Next by Thread: Re: FWIW: sysrestrict
Indexes:

Home | Main Index | Thread Index | Old Index