tech-kern archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
RFC: New security model secmodel_securechroot(9)
Hello.
I've implemented new security model based on kauth(9) framework,
secmodel_securechroot(9). Its purpose is to completely isolate
chrooted processes from the host system, that is to prevent all destructive
changes by chrooted processes even if they are run under root privileges
and to prevent access to processes outside the chroot.
This patch was reviewed by Elad Efrat, Alistair Crooks, Christos Zaulos
and Thomas Klausner. In general it was approved, so I think now I'm
ready to commit it. Comments are welcome.
How to use it:
- modload securechroot at boot time
- run daemons inside chroot using ${name}_chroot in rc.conf
Notes:
- secmodel_securechroot is implemented as a kernel module disabled
by default.
- I consider secmodel_securechroot as a security tool only, not as a
half-made jail-like environment.
- It was decided to allow time setting from inside chroots for now.
- 'modunload securechroot' is not allowed from chroots.
- Original idea for hardened chroot comes from grsecurity project
Working patch is in attachment.
===========================================================================
Man page
NAME
secmodel_securechroot -- securechroot security model
DESCRIPTION
The securechroot security model is intended to protect the system
against destructive modifications by chroot-ed processes. If
enabled, secmodel_securechroot applies the following restrictions
to chroot-ed processes.
· chroot(2) and fchroot(2) are not allowed.
· Setting the CPU state is not allowed.
· Debugging-related operations are not allowed.
· Quota operations on file systems are not allowed.
· Using the file system reserved space is not allowed.
· Creating devices using mknod(2) is not allowed.
· Module requests are not allowed.
· Processor-set manipulation is not allowed.
· reboot(2) is not allowed.
· Changing coredump settings for set-id processes is not allowed.
· swapctl(2) operations are not allowed.
· Mounting new file systems, unmounting, and changing existing
mounts are not allowed.
· Access to a process using ptrace(2) and ktrace(2) is allowed
only if it belongs to the same chroot.
· Access to a process using procfs is allowed only if it belongs
to the same chroot.
· Sending signals to a process is allowed only if it belongs to
the same chroot.
· Only processes belonging to the same chroot are visible by, for
example, ps(1)
· Decreasing process nice is not allowed.
· Setting the scheduler affinity, policy, and parameters is not
allowed.
· Setting the process corename is not allowed.
· Setting the process resource limits is not allowed.
· Firewall-related operations such as modification of packet
filtering rules or modification of NAT rules are not allowed.
· Network interface-related operations such as setting parameters
on the device or setting privileged parameters are not allowed.
· Adding and enabling a ppp(4) interface is not allowed.
· Adding and enabling a sl(4) interface is not allowed.
· Adding and enabling a strip(4) interface is not allowed.
· Adding and enabling a tun(4) interface is not allowed.
· Adding and enabling a bcsp(4) device is not allowed.
· Adding and enabling a btuart(4) device is not allowed.
· Routing-related requests are not allowed.
· Changing privileged settings of Bluetooth devices is not
allowed.
· Hardware passthru requests and user commands passed directly to
the hardware are not allowed.
· Adding data to the entropy pool is not allowed.
· Changing privileged settings of rnd(4) is not allowed.
· Modifying machine-dependent requests are not allowed.
· Access to kmem(4) files /dev/mem and /dev/kmem is not allowed.
SEE ALSO
chroot(2) kauth(9), secmodel(9)
AUTHORS
Aleksey Cheusov <cheusov%NetBSD.org@localhost>
Elad Efrat <elad%NetBSD.org@localhost> provided guidance and answered
questions about the kauth(9) framework.
The idea of a hardened chroot comes from the grsecurity project.
http://grsecurity.org/
Index: sys/kern/kern_auth.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_auth.c,v
retrieving revision 1.65
diff -u -r1.65 kern_auth.c
--- sys/kern/kern_auth.c 31 Dec 2009 02:20:36 -0000 1.65
+++ sys/kern/kern_auth.c 6 Jul 2011 18:34:03 -0000
@@ -286,6 +286,12 @@
child);
}
+void
+kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi)
+{
+ kauth_cred_hook(cred, KAUTH_CRED_CHROOT, cwdi, NULL);
+}
+
uid_t
kauth_cred_getuid(kauth_cred_t cred)
{
Index: sys/kern/vfs_syscalls.c
===================================================================
RCS file: /cvsroot/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.431
diff -u -r1.431 vfs_syscalls.c
--- sys/kern/vfs_syscalls.c 3 Jul 2011 15:25:09 -0000 1.431
+++ sys/kern/vfs_syscalls.c 6 Jul 2011 18:34:04 -0000
@@ -1035,6 +1035,10 @@
void
change_root(struct cwdinfo *cwdi, struct vnode *vp, struct lwp *l)
{
+ struct proc *p = l->l_proc;
+ kauth_cred_t ncred;
+
+ ncred = kauth_cred_alloc();
rw_enter(&cwdi->cwdi_lock, RW_WRITER);
if (cwdi->cwdi_rdir != NULL)
@@ -1056,6 +1060,15 @@
cwdi->cwdi_cdir = vp;
}
rw_exit(&cwdi->cwdi_lock);
+
+ /* Get a write lock on the process credential. */
+ proc_crmod_enter();
+
+ kauth_cred_clone(p->p_cred, ncred);
+ kauth_proc_chroot(ncred, p->p_cwdi);
+
+ /* Broadcast our credentials to the process and other LWPs. */
+ proc_crmod_leave(ncred, p->p_cred, true);
}
/*
Index: sys/modules/Makefile
===================================================================
RCS file: /cvsroot/src/sys/modules/Makefile,v
retrieving revision 1.73
diff -u -r1.73 Makefile
--- sys/modules/Makefile 15 Jun 2011 09:45:59 -0000 1.73
+++ sys/modules/Makefile 6 Jul 2011 18:34:15 -0000
@@ -52,6 +52,7 @@
SUBDIR+= scsiverbose
SUBDIR+= secmodel_bsd44
SUBDIR+= secmodel_overlay
+SUBDIR+= securechroot
SUBDIR+= securelevel
SUBDIR+= smbfs
SUBDIR+= sysvbfs
Index: sys/modules/securechroot/Makefile
===================================================================
RCS file: sys/modules/securechroot/Makefile
diff -N sys/modules/securechroot/Makefile
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ sys/modules/securechroot/Makefile 6 Jul 2011 18:34:15 -0000
@@ -0,0 +1,10 @@
+# $NetBSD$
+
+.include "../Makefile.inc"
+
+.PATH: ${S}/secmodel/securechroot
+
+KMOD= securechroot
+SRCS= secmodel_securechroot.c
+
+.include <bsd.kmodule.mk>
Index: sys/secmodel/files.secmodel
===================================================================
RCS file: /cvsroot/src/sys/secmodel/files.secmodel,v
retrieving revision 1.4
diff -u -r1.4 files.secmodel
--- sys/secmodel/files.secmodel 2 Oct 2009 18:50:13 -0000 1.4
+++ sys/secmodel/files.secmodel 6 Jul 2011 18:34:16 -0000
@@ -6,6 +6,11 @@
include "secmodel/suser/files.suser"
#
+# Secure chroot(8)
+#
+include "secmodel/securechroot/files.securechroot"
+
+#
# Traditional 4.4BSD - Securelevel
#
include "secmodel/securelevel/files.securelevel"
Index: sys/secmodel/securechroot/files.securechroot
===================================================================
RCS file: sys/secmodel/securechroot/files.securechroot
diff -N sys/secmodel/securechroot/files.securechroot
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ sys/secmodel/securechroot/files.securechroot 6 Jul 2011 18:34:16
-0000
@@ -0,0 +1,5 @@
+# $NetBSD$
+
+defflag secmodel_securechroot
+
+file secmodel/securechroot/secmodel_securechroot.c secmodel_securechroot
Index: sys/secmodel/securechroot/secmodel_securechroot.c
===================================================================
RCS file: sys/secmodel/securechroot/secmodel_securechroot.c
diff -N sys/secmodel/securechroot/secmodel_securechroot.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ sys/secmodel/securechroot/secmodel_securechroot.c 6 Jul 2011 18:34:16
-0000
@@ -0,0 +1,452 @@
+/* $NetBSD$ */
+/*-
+ * Copyright (c) 2011 Aleksey Cheusov <cheusov%NetBSD.org@localhost>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file contains kauth(9) listeners needed to implement
+ * the secmode_securechroot(9).
+ *
+ * The securechroot denies some operations
+ * for processes running inside chroot(2)
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD$");
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/conf.h>
+#include <sys/vnode.h>
+#include <sys/kauth.h>
+
+#include <sys/sysctl.h>
+#include <sys/lwp.h>
+#include <sys/module.h>
+#include <sys/filedesc.h>
+
+#include <miscfs/specfs/specdev.h>
+
+#include <secmodel/securechroot/securechroot.h>
+
+MODULE(MODULE_CLASS_SECMODEL, securechroot, NULL);
+
+static kauth_listener_t \
+ l_system, l_process, l_network, l_machdep, l_device, l_cred;
+
+static kauth_key_t rootdir_key;
+
+static struct sysctllog *securechroot_sysctl_log;
+
+/*
+ * Sysctl helper routine for securechroot. Ensures that the value only
+ * rises unless the caller is init.
+ */
+void
+sysctl_security_securechroot_setup(struct sysctllog **clog)
+{
+ const struct sysctlnode *rnode;
+
+ sysctl_createv(clog, 0, NULL, &rnode,
+ CTLFLAG_PERMANENT,
+ CTLTYPE_NODE, "security", NULL,
+ NULL, 0, NULL, 0,
+ CTL_SECURITY, CTL_EOL);
+
+ sysctl_createv(clog, 0, &rnode, &rnode,
+ CTLFLAG_PERMANENT,
+ CTLTYPE_NODE, "models", NULL,
+ NULL, 0, NULL, 0,
+ CTL_CREATE, CTL_EOL);
+
+ sysctl_createv(clog, 0, &rnode, &rnode,
+ CTLFLAG_PERMANENT,
+ CTLTYPE_NODE, "securechroot", NULL,
+ NULL, 0, NULL, 0,
+ CTL_CREATE, CTL_EOL);
+
+ sysctl_createv(clog, 0, &rnode, NULL,
+ CTLFLAG_PERMANENT,
+ CTLTYPE_STRING, "name", NULL,
+ NULL, 0, __UNCONST("Secure chroot(2)"), 0,
+ CTL_CREATE, CTL_EOL);
+}
+
+void
+secmodel_securechroot_init(void)
+{
+ kauth_register_key("root_dir", &rootdir_key);
+}
+
+void
+secmodel_securechroot_start(void)
+{
+ l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
+ secmodel_securechroot_system_cb, NULL);
+ l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
+ secmodel_securechroot_process_cb, NULL);
+ l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
+ secmodel_securechroot_network_cb, NULL);
+ l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
+ secmodel_securechroot_machdep_cb, NULL);
+ l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
+ secmodel_securechroot_device_cb, NULL);
+ l_cred = kauth_listen_scope(KAUTH_SCOPE_CRED,
+ secmodel_securechroot_cred_cb, NULL);
+}
+
+void
+secmodel_securechroot_stop(void)
+{
+ kauth_unlisten_scope(l_system);
+ kauth_unlisten_scope(l_process);
+ kauth_unlisten_scope(l_network);
+ kauth_unlisten_scope(l_machdep);
+ kauth_unlisten_scope(l_device);
+ kauth_unlisten_scope(l_cred);
+}
+
+static int
+securechroot_modcmd(modcmd_t cmd, void *arg)
+{
+ int error = 0;
+
+ switch (cmd) {
+ case MODULE_CMD_INIT:
+ secmodel_securechroot_init();
+ secmodel_securechroot_start();
+ sysctl_security_securechroot_setup(&securechroot_sysctl_log);
+ break;
+
+ case MODULE_CMD_FINI:
+ sysctl_teardown(&securechroot_sysctl_log);
+ secmodel_securechroot_stop();
+ break;
+
+ default:
+ error = ENOTTY;
+ break;
+ }
+
+ return (error);
+}
+
+/*
+ * kauth(9) listener
+ *
+ * Security model: Secure chroot(2)
+ * Scope: System
+ * Responsibility: hardened chroot
+ */
+int
+secmodel_securechroot_system_cb(kauth_cred_t cred, kauth_action_t action,
+ void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ struct vnode* rdir;
+ enum kauth_system_req req = (enum kauth_system_req)arg0;
+ int result = KAUTH_RESULT_DEFER;
+
+ rdir = kauth_cred_getdata(cred, rootdir_key);
+ if (rdir == NULL)
+ return result;
+
+ switch (action){
+ case KAUTH_SYSTEM_CHROOT:
+ case KAUTH_SYSTEM_DEBUG: /* ? */
+ case KAUTH_SYSTEM_FS_QUOTA: /* ? */
+ case KAUTH_SYSTEM_FS_RESERVEDSPACE: /* ? */
+ case KAUTH_SYSTEM_MKNOD:
+ case KAUTH_SYSTEM_MODULE:
+ case KAUTH_SYSTEM_PSET: /* ? */
+ case KAUTH_SYSTEM_REBOOT:
+ case KAUTH_SYSTEM_SETIDCORE:
+ case KAUTH_SYSTEM_SWAPCTL:
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_SYSTEM_CPU:
+ if (req == KAUTH_REQ_SYSTEM_CPU_SETSTATE)
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_SYSTEM_MOUNT:
+ switch (req){
+ case KAUTH_REQ_SYSTEM_MOUNT_GET:
+ result = KAUTH_RESULT_DEFER;
+ break;
+ default:
+ result = KAUTH_RESULT_DENY;
+ break;
+ }
+ break;
+
+ case KAUTH_SYSTEM_SYSCTL:
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ default:
+ break;
+ }
+
+ return result;
+}
+
+/*
+ * kauth(9) listener
+ *
+ * Security model: Secure chroot(2)
+ * Scope: Process
+ * Responsibility: hardened chroot
+ */
+int
+secmodel_securechroot_process_cb(kauth_cred_t cred, kauth_action_t action,
+ void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ struct vnode* rdir;
+ enum kauth_system_req req;
+ struct proc *p;
+ u_long nice;
+ int result = KAUTH_RESULT_DEFER;
+
+ rdir = kauth_cred_getdata(cred, rootdir_key);
+ if (rdir == NULL)
+ return result;
+
+ switch (action){
+ case KAUTH_PROCESS_PTRACE:
+ case KAUTH_PROCESS_KTRACE:
+ case KAUTH_PROCESS_PROCFS:
+ case KAUTH_PROCESS_SIGNAL:
+ case KAUTH_PROCESS_CANSEE:
+ p = arg0;
+ if (rdir != p->p_cwdi->cwdi_rdir)
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_PROCESS_NICE:
+ p = arg0;
+ nice = (u_long)arg1;
+ if (nice < p->p_nice)
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
+ case KAUTH_PROCESS_SCHEDULER_SETPARAM:
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_PROCESS_CORENAME:
+ req = (enum kauth_system_req)arg1;
+ if (req == KAUTH_REQ_PROCESS_CORENAME_SET)
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_PROCESS_RLIMIT:
+ req = (enum kauth_system_req)arg1;
+ if (req == KAUTH_REQ_PROCESS_RLIMIT_SET)
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ default:
+ break;
+ }
+
+ return result;
+}
+
+/*
+ * kauth(9) listener
+ *
+ * Security model: Secure chroot(2)
+ * Scope: Network
+ * Responsibility: hardened chroot
+ */
+int
+secmodel_securechroot_network_cb(kauth_cred_t cred, kauth_action_t action,
+ void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ enum kauth_system_req req;
+ struct vnode* rdir;
+ int result = KAUTH_RESULT_DEFER;
+
+ rdir = kauth_cred_getdata(cred, rootdir_key);
+ if (rdir == NULL)
+ return result;
+
+ req = (enum kauth_system_req)arg0;
+
+ switch (action){
+ case KAUTH_NETWORK_FIREWALL:
+ case KAUTH_NETWORK_ALTQ: /* unsure, not tested */
+ case KAUTH_NETWORK_FORWSRCRT: /* unsure, not tested */
+ case KAUTH_NETWORK_INTERFACE_PPP: /* not tested */
+ case KAUTH_NETWORK_INTERFACE_SLIP: /* not tested */
+ case KAUTH_NETWORK_INTERFACE_STRIP: /* not tested */
+ case KAUTH_NETWORK_INTERFACE_TUN: /* not tested */
+ case KAUTH_NETWORK_ROUTE:
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_NETWORK_INTERFACE:
+ switch (req){
+ case KAUTH_REQ_NETWORK_INTERFACE_SET:
+ case KAUTH_REQ_NETWORK_INTERFACE_SETPRIV:
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ default:
+ break;
+ }
+ break;
+
+ default:
+ break;
+ }
+
+ return result;
+}
+
+/*
+ * kauth(9) listener
+ *
+ * Security model: Secure chroot(2)
+ * Scope: Machdep
+ * Responsibility: hardened chroot
+ */
+int
+secmodel_securechroot_machdep_cb(kauth_cred_t cred, kauth_action_t action,
+ void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ struct vnode* rdir;
+ int result = KAUTH_RESULT_DEFER;
+
+ rdir = kauth_cred_getdata(cred, rootdir_key);
+ if (rdir == NULL)
+ return result;
+
+ switch (action){
+ case KAUTH_MACHDEP_CACHEFLUSH: /* not tested */
+ case KAUTH_MACHDEP_IOPERM_SET: /* not tested */
+ case KAUTH_MACHDEP_IOPL: /* not tested */
+ case KAUTH_MACHDEP_LDT_SET: /* not tested */
+ case KAUTH_MACHDEP_MTRR_SET: /* not tested */
+ case KAUTH_MACHDEP_NVRAM: /* not tested */
+ case KAUTH_MACHDEP_UNMANAGEDMEM: /* not tested */
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ default:
+ break;
+ }
+
+ return result;
+}
+
+/*
+ * kauth(9) listener
+ *
+ * Security model: Secure chroot(2)
+ * Scope: cred
+ * Responsibility: hardened chroot
+ */
+int secmodel_securechroot_device_cb(kauth_cred_t cred, kauth_action_t action,
+ void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ enum kauth_system_req req;
+ struct vnode* rdir;
+ struct vnode *vp;
+ int result = KAUTH_RESULT_DEFER;
+
+ rdir = kauth_cred_getdata(cred, rootdir_key);
+ if (rdir == NULL)
+ return result;
+
+ req = (enum kauth_system_req)arg0;
+
+ switch (action){
+ case KAUTH_DEVICE_RND_ADDDATA:
+ case KAUTH_DEVICE_RND_SETPRIV:
+ case KAUTH_DEVICE_BLUETOOTH_SETPRIV: /* not tested */
+ case KAUTH_DEVICE_RAWIO_PASSTHRU: /* not tested */
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_DEVICE_BLUETOOTH_BCSP: /* not tested */
+ if (req == KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD)
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_DEVICE_BLUETOOTH_BTUART: /* not tested */
+ if (req == KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD)
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ case KAUTH_DEVICE_RAWIO_SPEC:
+ vp = arg1;
+ KASSERT(vp != NULL);
+ if (iskmemdev(vp->v_un.vu_specnode->sn_rdev))
+ result = KAUTH_RESULT_DENY;
+ break;
+
+ default:
+ break;
+ }
+
+ return result;
+}
+
+/*
+ * kauth(9) listener
+ *
+ * Security model: Secure chroot(2)
+ * Scope: cred
+ * Responsibility: hardened chroot
+ */
+int
+secmodel_securechroot_cred_cb(kauth_cred_t cred, kauth_action_t action,
+ void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ struct cwdinfo *cwdi;
+ void *data;
+ kauth_cred_t ncred;
+
+ switch (action){
+ case KAUTH_CRED_CHROOT:
+ cwdi = (struct cwdinfo *)arg0;
+ kauth_cred_setdata(cred, rootdir_key, cwdi->cwdi_rdir);
+ break;
+
+ case KAUTH_CRED_COPY:
+ ncred = (kauth_cred_t)arg0;
+ data = kauth_cred_getdata(cred, rootdir_key);
+ if (data)
+ kauth_cred_setdata(ncred, rootdir_key, data);
+ break;
+
+ default:
+ break;
+ }
+
+ return KAUTH_RESULT_ALLOW;
+}
Index: sys/secmodel/securechroot/securechroot.h
===================================================================
RCS file: sys/secmodel/securechroot/securechroot.h
diff -N sys/secmodel/securechroot/securechroot.h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ sys/secmodel/securechroot/securechroot.h 6 Jul 2011 18:34:16 -0000
@@ -0,0 +1,49 @@
+/* $NetBSD$ */
+/*-
+ * Copyright (c) 2011 Aleksey Cheusov <cheusov%NetBSD.org@localhost>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SECMODEL_SECURECHROOT_SECURECHROOT_H_
+#define _SECMODEL_SECURECHROOT_SECURECHROOT_H_
+
+void secmodel_securechroot_init(void);
+void secmodel_securechroot_start(void);
+void secmodel_securechroot_stop(void);
+
+void sysctl_security_securechroot_setup(struct sysctllog **);
+
+int secmodel_securechroot_system_cb(kauth_cred_t, kauth_action_t, void *,
+ void *, void *, void *, void *);
+int secmodel_securechroot_process_cb(kauth_cred_t, kauth_action_t, void *,
+ void *, void *, void *, void *);
+int secmodel_securechroot_network_cb(kauth_cred_t, kauth_action_t, void *,
+ void *, void *, void *, void *);
+int secmodel_securechroot_machdep_cb(kauth_cred_t, kauth_action_t, void *,
+ void *, void *, void *, void *);
+int secmodel_securechroot_device_cb(kauth_cred_t, kauth_action_t, void *,
+ void *, void *, void *, void *);
+int secmodel_securechroot_cred_cb(kauth_cred_t, kauth_action_t, void *,
+ void *, void *, void *, void *);
+
+#endif /* !_SECMODEL_SECURECHROOT_SECURECHROOT_H_ */
Index: sys/sys/kauth.h
===================================================================
RCS file: /cvsroot/src/sys/sys/kauth.h,v
retrieving revision 1.64
diff -u -r1.64 kauth.h
--- sys/sys/kauth.h 24 Dec 2009 19:02:07 -0000 1.64
+++ sys/sys/kauth.h 6 Jul 2011 18:34:20 -0000
@@ -41,6 +41,7 @@
struct proc;
struct tty;
struct vnode;
+struct cwdinfo;
/* Types. */
typedef struct kauth_scope *kauth_scope_t;
@@ -282,7 +283,8 @@
KAUTH_CRED_INIT=1,
KAUTH_CRED_FORK,
KAUTH_CRED_COPY,
- KAUTH_CRED_FREE
+ KAUTH_CRED_FREE,
+ KAUTH_CRED_CHROOT
};
/*
@@ -418,6 +420,7 @@
kauth_cred_t kauth_cred_get(void);
void kauth_proc_fork(struct proc *, struct proc *);
+void kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi);
void secmodel_register(void);
void secmodel_deregister(void);
Index: share/man/man9/Makefile
===================================================================
RCS file: /cvsroot/src/share/man/man9/Makefile,v
retrieving revision 1.348
diff -u -r1.348 Makefile
--- share/man/man9/Makefile 3 Jun 2011 18:43:38 -0000 1.348
+++ share/man/man9/Makefile 6 Jul 2011 18:34:21 -0000
@@ -45,6 +45,7 @@
rssadapt.9 rt_timer.9 rwlock.9 RUN_ONCE.9 STACK.9 \
sched_4bsd.9 sched_m2.9 scsipi.9 \
secmodel.9 secmodel_bsd44.9 secmodel_overlay.9 secmodel_securelevel.9 \
+ secmodel_securechroot.9 \
secmodel_suser.9 SET.9 setbit.9 setjmp.9 shutdownhook_establish.9 \
signal.9 sockopt.9 softintr.9 spl.9 splraiseipl.9 \
store.9 suspendsched.9 \
Index: share/man/man9/kauth.9
===================================================================
RCS file: /cvsroot/src/share/man/man9/kauth.9,v
retrieving revision 1.91
diff -u -r1.91 kauth.9
--- share/man/man9/kauth.9 28 Apr 2011 12:22:35 -0000 1.91
+++ share/man/man9/kauth.9 6 Jul 2011 18:34:21 -0000
@@ -1087,6 +1087,19 @@
are both
.Ft struct proc *
of the parent and child processes, respectively.
+.It Dv KAUTH_CRED_CHROOT
+The credentials are being initialized during
+.Xr chroot 2
+or
+.Xr fchroot 2
+syscalls.
+.Pp
+.Ar cred
+are the credentials of the proc context doing the chroot, and
+.Ar arg0
+is a
+.Ft struct cwdinfo *
+of the process.
.It Dv KAUTH_CRED_FREE
The credentials in
.Ar cred
Index: share/man/man9/secmodel_securechroot.9
===================================================================
RCS file: share/man/man9/secmodel_securechroot.9
diff -N share/man/man9/secmodel_securechroot.9
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ share/man/man9/secmodel_securechroot.9 6 Jul 2011 18:34:22 -0000
@@ -0,0 +1,166 @@
+.\" $NetBSD: secmodel_securechroot.9,v 1.10 2010/12/22 09:08:09 wiz Exp $
+.\"
+.\" Copyright (c) 2011 Aleksey Cheusov <cheusov%NetBSD.org@localhost>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd June 24, 2011
+.Dt SECMODEL_SECURECHROOT 9
+.Os
+.Sh NAME
+.Nm secmodel_securechroot
+.Nd securechroot security model
+.Sh DESCRIPTION
+The securechroot security model is intended to protect the system against
+destructive modifications by chroot-ed processes.
+If enabled,
+.Nm
+applies the
+following restrictions to chroot-ed processes.
+.Bl -bullet
+.It
+.Xr chroot 2
+and
+.Xr fchroot 2
+are not allowed.
+.It
+Setting the CPU state is not allowed.
+.It
+Debugging-related operations are not allowed.
+.It
+Quota operations on file systems are not allowed.
+.It
+Using the file system reserved space is not allowed.
+.It
+Creating devices using
+.Xr mknod 2
+is not allowed.
+.It
+Module requests are not allowed.
+.It
+Processor-set manipulation is not allowed.
+.It
+.Xr reboot 2
+is not allowed.
+.It
+Changing coredump settings for set-id processes is
+not allowed.
+.It
+.Xr swapctl 2
+operations are not allowed.
+.It
+Mounting new file systems, unmounting, and changing existing mounts
+are not allowed.
+.It
+Access to a process using
+.Xr ptrace 2
+and
+.Xr ktrace 2
+is allowed only if it belongs to the same chroot.
+.It
+Access to a process using
+.Em procfs
+is allowed only if it belongs to the same chroot.
+.It
+Sending signals to a process is allowed only
+if it belongs to the same chroot.
+.It
+Only processes belonging to the same chroot are visible
+by, for example,
+.Xr ps 1
+.It
+Decreasing process nice is not allowed.
+.It
+Setting the scheduler affinity, policy, and parameters is not allowed.
+.It
+Setting the process corename is not allowed.
+.It
+Setting the process resource limits is not allowed.
+.It
+Firewall-related operations such as modification of packet filtering
+rules or modification of NAT rules are not allowed.
+.It
+Network interface-related operations such as setting parameters
+on the device or setting privileged parameters are not allowed.
+.It
+Adding and enabling a
+.Xr ppp 4
+interface is not allowed.
+.It
+Adding and enabling a
+.Xr sl 4
+interface is not allowed.
+.It
+Adding and enabling a
+.Xr strip 4
+interface is not allowed.
+.It
+Adding and enabling a
+.Xr tun 4
+interface is not allowed.
+.It
+Adding and enabling a
+.Xr bcsp 4
+device is not allowed.
+.It
+Adding and enabling a
+.Xr btuart 4
+device is not allowed.
+.It
+Routing-related requests are not allowed.
+.It
+Changing privileged settings of Bluetooth devices is not allowed.
+.It
+Hardware passthru requests and user commands passed directly
+to the hardware are not allowed.
+.It
+Adding data to the entropy pool is not allowed.
+.It
+Changing privileged settings of
+.Xr rnd 4
+is not allowed.
+.It
+Modifying machine-dependent requests are not allowed.
+.It
+Access to
+.Xr kmem 4
+files
+.Pa /dev/mem
+and
+.Pa /dev/kmem
+is not allowed.
+.El
+.Sh SEE ALSO
+.Xr chroot 2
+.Xr kauth 9 ,
+.Xr secmodel 9
+.Sh AUTHORS
+.An Aleksey Cheusov Aq cheusov%NetBSD.org@localhost
+.Pp
+.An Elad Efrat Aq elad%NetBSD.org@localhost
+provided guidance and answered questions about the
+.Xr kauth 9
+framework.
+.An
+.Pp
+The idea of a hardened chroot comes from the grsecurity project.
+.Lk http://grsecurity.org/
Index: distrib/sets/lists/comp/mi
===================================================================
RCS file: /cvsroot/src/distrib/sets/lists/comp/mi,v
retrieving revision 1.1639
diff -u -r1.1639 mi
--- distrib/sets/lists/comp/mi 6 Jul 2011 18:18:08 -0000 1.1639
+++ distrib/sets/lists/comp/mi 8 Jul 2011 07:27:47 -0000
@@ -10293,6 +10293,7 @@
./usr/share/man/cat9/secmodel.0 comp-sys-catman
.cat
./usr/share/man/cat9/secmodel_bsd44.0 comp-sys-catman .cat
./usr/share/man/cat9/secmodel_overlay.0 comp-sys-catman
.cat
+./usr/share/man/cat9/secmodel_securechroot.0 comp-sys-catman .cat
./usr/share/man/cat9/secmodel_securelevel.0 comp-sys-catman .cat
./usr/share/man/cat9/secmodel_suser.0 comp-sys-catman .cat
./usr/share/man/cat9/seldestroy.0 comp-sys-catman .cat
@@ -16247,6 +16248,7 @@
./usr/share/man/html9/secmodel.html comp-sys-htmlman html
./usr/share/man/html9/secmodel_bsd44.html comp-sys-htmlman html
./usr/share/man/html9/secmodel_overlay.html comp-sys-htmlman html
+./usr/share/man/html9/secmodel_securechroot.html comp-sys-htmlman
html
./usr/share/man/html9/secmodel_securelevel.html comp-sys-htmlman
html
./usr/share/man/html9/secmodel_suser.html comp-sys-htmlman html
./usr/share/man/html9/seldestroy.html comp-sys-htmlman html
@@ -22395,6 +22397,7 @@
./usr/share/man/man9/secmodel.9 comp-sys-man
.man
./usr/share/man/man9/secmodel_bsd44.9 comp-sys-man .man
./usr/share/man/man9/secmodel_overlay.9 comp-sys-man
.man
+./usr/share/man/man9/secmodel_securechroot.9 comp-sys-man .man
./usr/share/man/man9/secmodel_securelevel.9 comp-sys-man .man
./usr/share/man/man9/secmodel_suser.9 comp-sys-man .man
./usr/share/man/man9/seldestroy.9 comp-sys-man .man
Index: distrib/sets/lists/modules/mi
===================================================================
RCS file: /cvsroot/src/distrib/sets/lists/modules/mi,v
retrieving revision 1.21
diff -u -r1.21 mi
--- distrib/sets/lists/modules/mi 26 Feb 2011 18:07:15 -0000 1.21
+++ distrib/sets/lists/modules/mi 8 Jul 2011 07:27:47 -0000
@@ -114,6 +114,8 @@
./@MODULEDIR@/secmodel_bsd44/secmodel_bsd44.kmod base-kernel-modules
kmod
./@MODULEDIR@/secmodel_overlay base-kernel-modules kmod
./@MODULEDIR@/secmodel_overlay/secmodel_overlay.kmod base-kernel-modules
kmod
+./@MODULEDIR@/securechroot base-kernel-modules kmod
+./@MODULEDIR@/securechroot/securechroot.kmod base-kernel-modules kmod
./@MODULEDIR@/securelevel base-kernel-modules kmod
./@MODULEDIR@/securelevel/securelevel.kmod base-kernel-modules kmod
./@MODULEDIR@/smbfs base-kernel-modules kmod
--
Best regards, Aleksey Cheusov.
Home |
Main Index |
Thread Index |
Old Index