[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: RFC: New security model secmodel_securechroot(9)
> You've listed a lot of details about how securechroot works. Can you
> elaborate a little on more precisely what its goal is, and (at least
> very roughly) sketch a proof that the details you've implemented
> accomplish that goal?
securechroot relies solely on kauth(9), so every authorization request
supported by kauth(9) is either defered or denied by securechroot.
> Can you be more specific about the destructive modifications you are
> trying to prevent,
- access to files and processes outside the chroot
- direct access to the hardware and things like entropy pool
- things that can influence on processes outside the chroot
> and can you show (at least informally) that every pathway in the
> kernel to them is blocked by the operations you have prohibited, or at
> least show under what hypotheses these pathways are blocked?
In short, this is a zone of responsibility of kauth(9).
> That is, what an operator needs to do in order to use a
> securechroot safely?
> For example, let's suppose I'm an operator and I naively populate
> /securechroot/dev with `MAKEDEV all'. At a cursory examination, it
> seems to me that a uid 0 process in the securechroot could probably
> write to /dev/rwd0d in the securechroot and cause mayhem that way.
> If so, presumably I ought not to have created rwd0d in the chroot.
> But what is it safe for me to do?
Rules for creating securechroot-ed environment are basicly the same as
for normal chroot-s. No suid executables, no superfluous executables
especially compilers and binutils, read-only null mounts for unchanged
data and so on. The only exception I see is device files. It is strongly
recomended to create *only* required device files as
KAUTH_DEVICE_RAWIO_SPEC request for disks is currently defered by
securechroot (denied only for /dev/kmem and /dev/mem).
> Do you have examples of safe use of securechroots to contain practical
dict://dictd.xdsl.by - RFC2229 service for slavic dictionaries
dict://dictd.xdsl.by:26280 - pkgsrc pkg_online database
The only problem is that I couldn't find an easy way to load modules at
boot time like it is provided by Linux's /etc/modules. I implemented
home-made rc.d script.
Best regards, Aleksey Cheusov.
Main Index |
Thread Index |