Hello!

I was quite amazed about the smooth implementation of bsdjail lsm. But same as with the chroot command I tried to jail everything, from apache to mozilla. However, setting up a separate jail directory for all those tasks (I even made one for bzflag including OpenGL libraries) is not only bugging but also takes quite some time for maintaining. Not to mention wasted disk space used by files all jails have in common (/[s]bin and /lib, at least).

So I made a new lsm that tries to solve these issues and also addresses some others:

* The module (called gtsec, btw) provides two types of securities: local and network.

* Local security provides:

  * softjail mode: A process gets a new home directory, has absolutely no access to /home and /root (not even reading) and write access to /dev, /tmp, /var only. The rest of the fs is read-only. At the moment these directories are hardcoded.
    For this to work the system needs to know the home directory's path for each process, which is provided by /etc/passwd. But each process needs to have another home directory, so /etc/passwd must be handled dynamically. This is a major downside, as I needed to symlink /etc/passwd to /proc/gtsec/passwd. This is a problem if gtsec is not loaded or otherwise cannot provide a valid passwd. After loading the module, the 'normal' contents of /etc/passwd must be pushed to the kernel by concatenating it to /proc/gtsec/passwd. However, once this is set up, it works quite well.

  * An up-to-date version of bsdjail. Still useful for real server applications like ssh or apache.

* Network security provides:

  * vnetonly mode (a.k.a. virtual network): Limit the network abilities of a process (and its children, of course). The process can only connect to IPs in the virtual network.
    E.g.: You can limit your mail client to connections to pop3/imap and smtp servers and e.g. avoid web-bugs (viewing of an html page within the mail client loads an image from the sender's web server. The sender then knows you have read the mail).
    Or you can limit a process to loopback (and e.g. LAN) addresses only. This comes in handy if you do not trust some programs: Why must the precompiled acroread have web access?

  * allbutvnet mode: Is basically the same as vnetonly, but inverts the policy: A connection is allowed if it would be denied by vnetonly.

You can use local and network securities together, say softjailing a process to /tmp/bzflag.home and vnetonly-ing it to internet addresses only. So, you can be sure your "normal" home directory data is safe, as is the data from your local NFS server.

To set up this situation, you would have to do:

  # Load gtsec lsm (as root):
  insmod ./gtsec.ko   # [OR modprobe gtsec]

  # Tell the contents of passwd file (as root, once):
  cat /etc/passwd > /proc/gtsec/passwd.softjail

  # This is our LAN (as user/root):
  echo -n "vnet_ip 127.0.0.1/255.0.0.0" > /proc/$$/attr/exec
  echo -n "vnet_ip 0.0.0.0" > /proc/$$/attr/exec
  echo -n "vnet_ip 192.168.1.0/24" > /proc/$$/attr/exec
  # But exclude the proxy server:
  echo -n "novnet_ip 192.168.1.200" > /proc/$$/attr/exec
  # DENY all connections to vnet, i.e. web and proxy only (with immediate effect):
  echo -n "allbutvnet" > /proc/$$/attr/exec

  # Now prepare new home directory:
  NEWHOME="/tmp/bzflag.home"
  test -d "$NEWHOME" || mkdir -p "$NEWHOME"
  chmod 0700 "$NEWHOME"
  test ! -z "${XAUTHORITY}" && cp -f "${XAUTHORITY}" "${NEWHOME}/.Xauthority" 2>/dev/null

  # The new username:
  USERNAME="$USER"

  # Set options:
  echo -n "sjhome $NEWHOME" > /proc/$$/attr/exec
  echo -n "sjuser $USERNAME" > /proc/$$/attr/exec

  # activate (with immediate effect)
  echo -n "softjail" > /proc/$$/attr/exec

  # Start shell with new information (alternatively you could change
  # env-vars of the current shell):
  exec /usr/bin/env -i - TERM="$TERM" HOME="${NEWHOME}" \
      XAUTHORITY="${NEWHOME}/.Xauthority" \
      DISPLAY="${DISPLAY}" \
      HISTFILE="${NEWHOME}/.bash_history" \
      USER="$USER" \
      USERNAME="$USERNAME" \
      /bin/sh -l

I made some scripts to make that easier (see scripts/softjail).

Regards,
Gerrit
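The vnet_ip / novnet_ip / vnetonly / allbutvnet semantics above are easy to get backwards when auditing a policy, so here is a userspace model of the decision as the mail describes it. This is an added example, not gtsec's code: the struct and function names (vnet_policy, vnet_apply, vnet_connect_allowed, mail_example_policy) are my own, and the model assumes that a novnet_ip exclusion wins over an overlapping vnet_ip entry and that a bare address without a mask means a single host. It accepts both mask spellings the mail uses (a prefix length and a dotted netmask) and replays the exact attribute lines from the setup script.

```c
/* Userspace model of the vnet policy from the mail (added example, not
 * gtsec's code).  Assumptions: "novnet_ip" exclusions override "vnet_ip"
 * entries; an address without a mask is a single host (/32). */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RULES 16

struct net { uint32_t addr, mask; };            /* host byte order */

struct vnet_policy {
    struct net include[MAX_RULES]; int n_include; /* vnet_ip   lines */
    struct net exclude[MAX_RULES]; int n_exclude; /* novnet_ip lines */
    int allbutvnet;                               /* 0 = vnetonly mode */
};

/* Parse "a.b.c.d", "a.b.c.d/24" or "a.b.c.d/255.0.0.0". */
static int parse_net(const char *spec, struct net *out)
{
    char buf[64], *slash;
    struct in_addr ia;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash) *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &ia) != 1) return -1;
    out->addr = ntohl(ia.s_addr);
    if (!slash) {                                  /* bare host */
        out->mask = 0xffffffffu;
    } else if (strchr(slash, '.')) {               /* dotted netmask */
        if (inet_pton(AF_INET, slash, &ia) != 1) return -1;
        out->mask = ntohl(ia.s_addr);
    } else {                                       /* prefix length */
        char *end; long bits = strtol(slash, &end, 10);
        if (*end || bits < 0 || bits > 32) return -1;
        out->mask = bits == 0 ? 0 : 0xffffffffu << (32 - bits);
    }
    out->addr &= out->mask;                        /* normalise network */
    return 0;
}

static int net_contains(const struct net *n, uint32_t ip)
{
    return (ip & n->mask) == n->addr;
}

/* Apply one attribute line as it would be written to /proc/$$/attr/exec.
 * Returns 0 on success, -1 on an unknown keyword, bad address or full table. */
int vnet_apply(struct vnet_policy *p, const char *line)
{
    struct net n;
    if (strcmp(line, "vnetonly") == 0)   { p->allbutvnet = 0; return 0; }
    if (strcmp(line, "allbutvnet") == 0) { p->allbutvnet = 1; return 0; }
    if (strncmp(line, "vnet_ip ", 8) == 0) {
        if (p->n_include == MAX_RULES || parse_net(line + 8, &n)) return -1;
        p->include[p->n_include++] = n;
        return 0;
    }
    if (strncmp(line, "novnet_ip ", 10) == 0) {
        if (p->n_exclude == MAX_RULES || parse_net(line + 10, &n)) return -1;
        p->exclude[p->n_exclude++] = n;
        return 0;
    }
    return -1;
}

/* Is the destination inside the virtual network?  Exclusions win. */
static int in_vnet(const struct vnet_policy *p, uint32_t ip)
{
    for (int i = 0; i < p->n_exclude; i++)
        if (net_contains(&p->exclude[i], ip)) return 0;
    for (int i = 0; i < p->n_include; i++)
        if (net_contains(&p->include[i], ip)) return 1;
    return 0;
}

/* 1 = connect permitted, 0 = denied, -1 = destination not an IPv4 address. */
int vnet_connect_allowed(const struct vnet_policy *p, const char *dst)
{
    struct in_addr ia;
    if (inet_pton(AF_INET, dst, &ia) != 1) return -1;
    int inside = in_vnet(p, ntohl(ia.s_addr));
    return p->allbutvnet ? !inside : inside;
}

/* The policy the mail's setup script writes: LAN + loopback as the vnet,
 * proxy excluded, then allbutvnet so only web and proxy are reachable. */
struct vnet_policy mail_example_policy(void)
{
    struct vnet_policy p; memset(&p, 0, sizeof p);
    const char *lines[] = {
        "vnet_ip 127.0.0.1/255.0.0.0", "vnet_ip 0.0.0.0",
        "vnet_ip 192.168.1.0/24", "novnet_ip 192.168.1.200", "allbutvnet",
    };
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)
        vnet_apply(&p, lines[i]);
    return p;
}

int main(void)
{
    struct vnet_policy p = mail_example_policy();
    const char *dsts[] = { "127.0.0.1", "192.168.1.5", "192.168.1.200", "8.8.8.8" };
    for (size_t i = 0; i < sizeof dsts / sizeof *dsts; i++)
        printf("%-14s %s\n", dsts[i],
               vnet_connect_allowed(&p, dsts[i]) == 1 ? "allowed" : "denied");
    return 0;
}
```

With the mail's policy, 192.168.1.200 (the proxy) and 8.8.8.8 come out allowed while 127.0.0.1 and 192.168.1.5 are denied; switching the last line to "vnetonly" inverts every answer, which is the property the mail states for allbutvnet.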
This archive was generated by hypermail 2b30 : Sun May 16 2004 - 12:24:22 PDT