Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

[RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · David Drysdale <hidden> · 2014-06-30
[PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Meredydd Luff <hidden> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Meredydd Luff <hidden> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · David Drysdale <hidden> · 2014-07-08
Re: [PATCH 01/11] fs: add O_BENEATH_ONLY flag to openat(2) · Christoph Hellwig <hch@infradead.org> · 2014-07-09
[PATCH 02/11] selftests: Add test of O_BENEATH_ONLY & openat(2) · David Drysdale <hidden> · 2014-06-30
[PATCH 10/11] capsicum: invocation of new LSM hooks · David Drysdale <hidden> · 2014-06-30
[PATCH 2/5] man-pages: capsicum.7: describe Capsicum capability framework · David Drysdale <hidden> · 2014-06-30
[PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 4/5] man-pages: cap_rights_limit.2: limit FD rights for Capsicum · David Drysdale <hidden> · 2014-06-30
[PATCH 5/5] man-pages: cap_rights_get: retrieve Capsicum fd rights · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 5/5] man-pages: cap_rights_get: retrieve Capsicum fd rights · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 5/5] man-pages: cap_rights_get: retrieve Capsicum fd rights · David Drysdale <hidden> · 2014-07-01
Re: [PATCH 5/5] man-pages: cap_rights_get: retrieve Capsicum fd rights · Andy Lutomirski <luto@amacapital.net> · 2014-07-01
[PATCH 3/5] man-pages: rights.7: Describe Capsicum primary rights · David Drysdale <hidden> · 2014-06-30
[PATCH 05/11] capsicum: convert callers to use fgetr() etc · David Drysdale <hidden> · 2014-06-30
[PATCH 03/11] capsicum: rights values and structure definitions · David Drysdale <hidden> · 2014-06-30
[PATCH 07/11] capsicum: convert callers to use sockfd_lookupr() etc · David Drysdale <hidden> · 2014-06-30
[PATCH 04/11] capsicum: implement fgetr() and friends · David Drysdale <hidden> · 2014-06-30
[PATCH 09/11] capsicum: implementations of new LSM hooks · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 09/11] capsicum: implementations of new LSM hooks · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [PATCH 09/11] capsicum: implementations of new LSM hooks · Paul Moore <paul@paul-moore.com> · 2014-07-02
Re: [PATCH 09/11] capsicum: implementations of new LSM hooks · David Drysdale <hidden> · 2014-07-02
[PATCH 06/11] capsicum: implement sockfd_lookupr() · David Drysdale <hidden> · 2014-06-30
[PATCH 08/11] capsicum: add new LSM hooks on FD/file conversion · David Drysdale <hidden> · 2014-06-30
[PATCH 11/11] capsicum: add syscalls to limit FD rights · David Drysdale <hidden> · 2014-06-30
[PATCH 1/5] man-pages: open.2: describe O_BENEATH_ONLY flag · David Drysdale <hidden> · 2014-06-30
Re: [PATCH 1/5] man-pages: open.2: describe O_BENEATH_ONLY flag · Andy Lutomirski <luto@amacapital.net> · 2014-06-30
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Paolo Bonzini <pbonzini@redhat.com> · 2014-07-03
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Loganaden Velvindron <hidden> · 2014-07-03
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · David Drysdale <hidden> · 2014-07-03
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Paolo Bonzini <pbonzini@redhat.com> · 2014-07-04
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · David Drysdale <hidden> · 2014-07-07
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Paolo Bonzini <pbonzini@redhat.com> · 2014-07-07
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · David Drysdale <hidden> · 2014-07-07
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Alexei Starovoitov <hidden> · 2014-07-07
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Kees Cook <hidden> · 2014-07-08
Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1) · Pavel Machek <hidden> · 2014-08-16

From: Paolo Bonzini <pbonzini@redhat.com>
Date: 2014-07-03 09:12:48
Also in: lkml, qemu-devel

Il 30/06/2014 12:28, David Drysdale ha scritto:

Hi all,

The last couple of versions of FreeBSD (9.x/10.x) have included the
Capsicum security framework [1], which allows security-aware
applications to sandbox themselves in a very fine-grained way.  For
example, OpenSSH now (>= 6.5) uses Capsicum in its FreeBSD version to
restrict sshd's credentials checking process, to reduce the chances of
credential leakage.

Hi David,

we've had similar goals in QEMU.  QEMU can be used as a virtual machine 
monitor from the command line, but it also has an API that lets a 
management tool drive QEMU via AF_UNIX sockets.  Long term, we would 
like to have a restricted mode for QEMU where all file descriptors are 
obtained via SCM_RIGHTS or /dev/fd, and syscalls can be locked down.

Currently we do use seccomp v2 BPF filters, but unfortunately this 
didn't help very much.  QEMU supports hotplugging hence the filter must 
whitelist anything that _might_ be used in the future, which is 
generally... too much.

Something like Capsicum would be really nice because it attaches 
capabilities to file descriptors.  However, I wonder however how 
extensible Capsicum could be, and I am worried about the proliferation 
of capabilities that its design naturally leads to.

Given Linux's previous experience with BPF filters, what do you think 
about attaching specific BPF programs to file descriptors?  Then 
whenever a syscall is run that affects a file descriptor, the BPF 
program for the file descriptor (attached to a struct file* as in 
Capsicum) would run in addition to the process-wide filter.

An equivalent of PR_SET_NO_NEW_PRIVS can also be added to file 
descriptors, so that a program that doesn't lock down syscalls can still 
lock down the operations (including fcntls and ioctls) on specific file 
descriptors.

Converting FreeBSD capabilities to BPF programs can be easily 
implemented in userspace.

  [Capsicum also includes 'capability mode', which locks down the
  available syscalls so the rights restrictions can't just be bypassed
  by opening new file descriptors; I'll describe that separately later.]

This can also be implemented in userspace via seccomp and 
PR_SET_NO_NEW_PRIVS.

  [Policing the rights checks anywhere else, for example at the system
  call boundary, isn't a good idea because it opens up the possibility
  of time-of-check/time-of-use (TOCTOU) attacks [2] where FDs are
  changed (as openat/close/dup2 are allowed in capability mode) between
  the 'check' at syscall entry and the 'use' at fget() invocation.]

In the case of BPF filters, I wonder if you could stash the BPF 
"environment" somewhere and then use it at fget() invocation. 
Alternatively, it can be reconstructed at fget() time, similar to your 
introduction of fgetr().

Thanks,

Paolo

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help