Re: RFC: New security model secmodel_securechroot(9)

To: tech-kern%netbsd.org@localhost
Subject: Re: RFC: New security model secmodel_securechroot(9)
From: Aleksey Cheusov <cheusov%tut.by@localhost>
Date: Sun, 10 Jul 2011 18:42:51 +0300

> You've listed a lot of details about how securechroot works.  Can you
> elaborate a little on more precisely what its goal is, and (at least
> very roughly) sketch a proof that the details you've implemented
> accomplish that goal?
securechroot relies solely on kauth(9), so every authorization request
supported by kauth(9) is either defered or denied by securechroot.

> Can you be more specific about the destructive modifications you are
> trying to prevent,
In short
- access to files and processes outside the chroot
- direct access to the hardware and things like entropy pool
- reboot
- things that can influence on processes outside the chroot

> and can you show (at least informally) that every pathway in the
> kernel to them is blocked by the operations you have prohibited, or at
> least show under what hypotheses these pathways are blocked?
In short, this is a zone of responsibility of kauth(9).

> That is, what an operator needs to do in order to use a
> securechroot safely?
modload securechroot

> For example, let's suppose I'm an operator and I naively populate
> /securechroot/dev with `MAKEDEV all'.  At a cursory examination, it
> seems to me that a uid 0 process in the securechroot could probably
> write to /dev/rwd0d in the securechroot and cause mayhem that way.
> If so, presumably I ought not to have created rwd0d in the chroot.
> But what is it safe for me to do?

Rules for creating securechroot-ed environment are basicly the same as
for normal chroot-s. No suid executables, no superfluous executables
especially compilers and binutils, read-only null mounts for unchanged
data and so on. The only exception I see is device files. It is strongly
recomended to create *only* required device files as
KAUTH_DEVICE_RAWIO_SPEC request for disks is currently defered by
securechroot (denied only for /dev/kmem and /dev/mem).

> Do you have examples of safe use of securechroots to contain practical
> applications?
http://dictd.xdsl.by
dict://dictd.xdsl.by       - RFC2229 service for slavic dictionaries
dict://dictd.xdsl.by:26280 - pkgsrc pkg_online database 
(pkgtools/pkg_online-client)

The only problem is that I couldn't find an easy way to load modules at
boot time like it is provided by Linux's /etc/modules.  I implemented
home-made rc.d script.

-- 
Best regards, Aleksey Cheusov.

Follow-Ups:
- Re: RFC: New security model secmodel_securechroot(9)
  - From: Thor Lancelot Simon

References:
- Re: RFC: New security model secmodel_securechroot(9)
  - From: Taylor R Campbell

Prev by Date: Re: RFC: New security model secmodel_securechroot(9)
Next by Date: Re: RFC: New security model secmodel_securechroot(9)
Previous by Thread: Re: RFC: New security model secmodel_securechroot(9)
Next by Thread: Re: RFC: New security model secmodel_securechroot(9)
Indexes:

Home | Main Index | Thread Index | Old Index