Subject: Re: jail() on NetBSD?
To: None <netbsd-users@netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-users
Date: 01/22/2004 22:31:04
--ftEhullJWpWg/VHq
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
John Goerzen wrote:
> 1. Process isolation. An errant (or malicious) process in one
> "secure area" (for lack of a better word) should not be able to send
> signals to, or even see, processes in the main system or another
> secure area.
=20
> I gather that, through the systrace system, I could
> probably do #2 and possibly #3,
I haven't tried systrace with IPv6 but it's no problem with IPv4. #3
is possible as well. Things get only hard when you want to allow
certain syscalls under very certain circumstances. systrace isn't
really stateful so the only trick I've read is to switch between
different users. It would be much better if systrace allowed some
variables you can use and change in rules. OTOH, sometimes the
circumstances are based on things you can't see with systrace e.g.,
your process should only be able to connect to a host between
3am and 4am etc.
> but not #1. Is that correct?
The rules for signal have pidname, the name of the target process,
and the symbolic signal name e.g., SIGINT as parameter. So, I guess
WRT emitting signals you can "jail" processes as well, if you install
or, at least, hardlink the programs in different locations. Hiding
processes doesn't work. I think ps uses some sysctl()s to get the
list of processes and systrace doesn't support filtering on sysctl()
parameters. If the latter is true, it might be trivial to add
support for this.
--=20
Christian
--ftEhullJWpWg/VHq
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)
iD8DBQFAEEEY0KQix3oyIMcRAmiEAKCfCoVZBKHYXnXaErzpqmPm8lY0MQCgkBAX
h87186erplW/g6THEc761U8=
=r2mh
-----END PGP SIGNATURE-----
--ftEhullJWpWg/VHq--