看板FB_security
標 題capsicum and ping(8)
發信站NCTU CS FreeBSD Server (Fri Jan 10 04:19:04 2014)
轉信站ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
--bg08WKrSYDhXBjb5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Hello.
I would like to propose a patch for ping(8), which adds support for
capability mode sandbox.
The goals for this little project were:
a) to see what problems/burdens could be faced with compartmentalization
of a network utility;
b) increase security level of the day-to-day application with minimal
intrusion to the code.
To summarize on 'a)', following changes were made in original ping to
meet capsicum requirements:
1) sendto() was replaced with connect()+send() pair, since we're not
allowed to issue sendto() with non-NULL destination;
2) one socket 's' was replaced with two sockets 's' for sending and 's1'
for receiving. It was done for special use case, when user ping
multicast or broadcast address. As connect() man page states, socket
is allowed to receive messages only from address to which it was
connect()'ed and this is nonsense for multicast/broadcast;
3) pr_addr() function has been slightly rewritten to support casper
daemon and its cap_gethostbyaddr() function;
4) some setsockopts() were adjusted, since we use two sockets instead of
one.
Place for cap_enter() call was chosen to balance simplicity of the logic
for entering capability mode, code changes and protection from
potentially dangerous place (receiving/"parsing" packets from the
network).
Finally, this compartmentalization logic will apply:
- If '-n' (numeric output) flag is given - enter capability mode;
- Else, if build WITH_CASPER: try to communicate with it, on fail issue
warning and proceed without capsicum, if cap_init() is successful all
other casper errors (e. g. not being able to initialize DNS services)
treated as fatal and ping aborts;
- Else, if build WITHOUT_CASPER: proceed without capsicum.
Also, please note, that ping has '-d' flag, which turn on SO_DEBUG
setsockopt() and its behavior depends on external code (which also
doesn't exist not, but could be written in future). If we enter capsicum
with this option (although, I'm sure it's not widely used) this (future)
external code may not work completely, since capsicum impose a lot of
restrictions.
I would like to ask your comments/reviews on this patch and approach.
Thanks to Gleb Smirnoff, Pawel Jakub Dawidek and Robert Watson for
helping me with some tricky capsicum things, which I tried to summarize
here.
Be well.
--bg08WKrSYDhXBjb5
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="ping_20140109.patch"
Index: sbin/ping/Makefile
===================================================================
--- sbin/ping/Makefile (revision 260485)
+++ sbin/ping/Makefile (working copy)
@@ -1,6 +1,8 @@
# @(#)Makefile 8.1 (Berkeley) 6/5/93
# $FreeBSD$
+.include <bsd.own.mk>
+
PROG= ping
MAN= ping.8
BINOWN= root
@@ -9,6 +11,12 @@
DPADD= ${LIBM}
LDADD= -lm
+.if ${MK_CASPER} != "no"
+DPADD+= ${LIBCAPSICUM} ${LIBNV}
+LDADD+= -lcapsicum -lnv
+CFLAGS+=-DHAVE_LIBCAPSICUM
+.endif
+
.if !defined(RELEASE_CRUNCH)
CFLAGS+=-DIPSEC
DPADD+= ${LIBIPSEC}
Index: sbin/ping/ping.c
===================================================================
--- sbin/ping/ping.c (revision 260485)
+++ sbin/ping/ping.c (working copy)
@@ -63,6 +63,7 @@
*/
#include <sys/param.h> /* NB: we rely on this for <sys/types.h> */
+#include <sys/capability.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <sys/time.h>
@@ -74,6 +75,11 @@
#include <netinet/ip_icmp.h>
#include <netinet/ip_var.h>
#include <arpa/inet.h>
+#ifdef HAVE_LIBCAPSICUM
+#include <libcapsicum.h>
+#include <libcapsicum_dns.h>
+#include <libcapsicum_service.h>
+#endif /* HAVE_LIBCAPSICUM */
#ifdef IPSEC
#include <netipsec/ipsec.h>
@@ -157,7 +163,8 @@
struct sockaddr_in whereto; /* who to ping */
int datalen = DEFDATALEN;
int maxpayload;
-int s; /* socket file descriptor */
+int s; /* send socket file descriptor */
+int s1; /* receive socket file descriptor */
u_char outpackhdr[IP_MAXPACKET], *outpack;
char BBELL = '\a'; /* characters written for MISSED and AUDIBLE */
char BSPACE = '\b'; /* characters written for flood */
@@ -197,8 +204,15 @@
volatile sig_atomic_t finish_up; /* nonzero if we've been told to finish up */
volatile sig_atomic_t siginfo_p;
+#ifdef HAVE_LIBCAPSICUM
+cap_channel_t *capdns;
+#endif /* HAVE_LIBCAPSICUM */
+
static void fill(char *, char *);
static u_short in_cksum(u_short *, int);
+#ifdef HAVE_LIBCAPSICUM
+static cap_channel_t *capdns_setup(void);
+#endif /* HAVE_LIBCAPSICUM */
static void check_status(void);
static void finish(void) __dead2;
static void pinger(void);
@@ -234,7 +248,7 @@
double t;
u_long alarmtimeout, ultmp;
int almost_done, ch, df, hold, i, icmp_len, mib[4], preload, sockerrno,
- tos, ttl;
+ sock1errno, tos, ttl;
char ctrl[CMSG_SPACE(sizeof(struct timeval))];
char hnamebuf[MAXHOSTNAMELEN], snamebuf[MAXHOSTNAMELEN];
#ifdef IP_OPTIONS
@@ -246,6 +260,8 @@
#ifdef IPSEC_POLICY_IPSEC
policy_in = policy_out = NULL;
#endif
+ cap_rights_t rights_s, rights_s1;
+ int cansandbox = 0;
/*
* Do the stuff that we need root priv's for *first*, and
@@ -254,6 +270,8 @@
*/
s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
sockerrno = errno;
+ s1 = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+ sock1errno = errno;
if (setuid(getuid()) != 0)
err(EX_NOPERM, "setuid() failed");
@@ -573,6 +591,19 @@
hostname = hnamebuf;
}
+ if (s < 0) {
+ errno = sockerrno;
+ err(EX_OSERR, "socket");
+ }
+
+ if (s1 < 0) {
+ errno = sock1errno;
+ err(EX_OSERR, "socket1");
+ }
+
+ if (connect(s, (struct sockaddr *)&whereto, sizeof(whereto)) != 0)
+ err(1, "connect");
+
if (options & F_FLOOD && options & F_INTERVAL)
errx(EX_USAGE, "-f and -i: incompatible options");
@@ -593,14 +624,13 @@
ident = getpid() & 0xFFFF;
- if (s < 0) {
- errno = sockerrno;
- err(EX_OSERR, "socket");
- }
hold = 1;
- if (options & F_SO_DEBUG)
+ if (options & F_SO_DEBUG) {
(void)setsockopt(s, SOL_SOCKET, SO_DEBUG, (char *)&hold,
sizeof(hold));
+ (void)setsockopt(s1, SOL_SOCKET, SO_DEBUG, (char *)&hold,
+ sizeof(hold));
+ }
if (options & F_SO_DONTROUTE)
(void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&hold,
sizeof(hold));
@@ -612,7 +642,7 @@
buf = ipsec_set_policy(policy_in, strlen(policy_in));
if (buf == NULL)
errx(EX_CONFIG, "%s", ipsec_strerror());
- if (setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,
+ if (setsockopt(s1, IPPROTO_IP, IP_IPSEC_POLICY,
buf, ipsec_get_policylen(buf)) < 0)
err(EX_CONFIG,
"ipsec policy cannot be configured");
@@ -655,6 +685,33 @@
ip->ip_src.s_addr = source ? sock_in.sin_addr.s_addr : INADDR_ANY;
ip->ip_dst = to->sin_addr;
}
+
+ if (options & F_NUMERIC)
+ cansandbox = 1;
+#ifdef HAVE_LIBCAPSICUM
+ else if ((capdns = capdns_setup()) != NULL)
+ cansandbox = 1;
+#endif /* HAVE_LIBCAPSICUM */
+
+ /*
+ * Here we enter capapility mode (see capsicum(4)). Further down
+ * creation of new file descriptors is forbidden.
+ * We must connect(2) our socket before this point.
+ */
+ if (cansandbox == 1 && cap_enter() < 0 && errno != ENOSYS)
+ err(1, "cap_enter");
+
+ if (cap_sandboxed())
+ fprintf(stderr, "capability mode sandbox enabled\n");
+
+ cap_rights_init(&rights_s1, CAP_RECV, CAP_EVENT, CAP_SETSOCKOPT);
+ if (cap_rights_limit(s1, &rights_s1) < 0 && errno != ENOSYS)
+ err(1, "cap_rights_limit socket1");
+
+ cap_rights_init(&rights_s, CAP_SEND, CAP_SETSOCKOPT);
+ if (cap_rights_limit(s, &rights_s) < 0 && errno != ENOSYS)
+ err(1, "cap_rights_limit socket");
+
/* record route option */
if (options & F_RROUTE) {
#ifdef IP_OPTIONS
@@ -698,8 +755,11 @@
}
#ifdef SO_TIMESTAMP
{ int on = 1;
- if (setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, &on, sizeof(on)) < 0)
+ if (setsockopt(s1, SOL_SOCKET, SO_TIMESTAMP, &on, sizeof(on)) < 0)
err(EX_OSERR, "setsockopt SO_TIMESTAMP");
+ cap_rights_clear(&rights_s1, CAP_SETSOCKOPT);
+ if (cap_rights_limit(s1, &rights_s1) < 0 && errno != ENOSYS)
+ err(1, "cap_rights_limit socket1 setsockopt");
}
#endif
if (sweepmax) {
@@ -733,12 +793,20 @@
* as well.
*/
hold = IP_MAXPACKET + 128;
- (void)setsockopt(s, SOL_SOCKET, SO_RCVBUF, (char *)&hold,
+ (void)setsockopt(s1, SOL_SOCKET, SO_RCVBUF, (char *)&hold,
sizeof(hold));
if (uid == 0)
(void)setsockopt(s, SOL_SOCKET, SO_SNDBUF, (char *)&hold,
sizeof(hold));
+ /*
+ * We don't call setsockopt() anywhere further for 's', we don't need
+ * corresponding capability, drop it.
+ */
+ cap_rights_clear(&rights_s, CAP_SETSOCKOPT);
+ if (cap_rights_limit(s, &rights_s) < 0 && errno != ENOSYS)
+ err(1, "cap_rights_limit socket setsockopt");
+
if (to->sin_family == AF_INET) {
(void)printf("PING %s (%s)", hostname,
inet_ntoa(to->sin_addr));
@@ -820,7 +888,7 @@
if ((unsigned)s >= FD_SETSIZE)
errx(EX_OSERR, "descriptor too large");
FD_ZERO(&rfds);
- FD_SET(s, &rfds);
+ FD_SET(s1, &rfds);
(void)gettimeofday(&now, NULL);
timeout.tv_sec = last.tv_sec + intvl.tv_sec - now.tv_sec;
timeout.tv_usec = last.tv_usec + intvl.tv_usec - now.tv_usec;
@@ -834,7 +902,7 @@
}
if (timeout.tv_sec < 0)
timerclear(&timeout);
- n = select(s + 1, &rfds, NULL, NULL, &timeout);
+ n = select(s1 + 1, &rfds, NULL, NULL, &timeout);
if (n < 0)
continue; /* Must be EINTR. */
if (n == 1) {
@@ -845,7 +913,7 @@
msg.msg_controllen = sizeof(ctrl);
#endif
msg.msg_namelen = sizeof(from);
- if ((cc = recvmsg(s, &msg, 0)) < 0) {
+ if ((cc = recvmsg(s1, &msg, 0)) < 0) {
if (errno == EINTR)
continue;
warn("recvmsg");
@@ -981,9 +1049,7 @@
ip->ip_sum = in_cksum((u_short *)outpackhdr, cc);
packet = outpackhdr;
}
- i = sendto(s, (char *)packet, cc, 0, (struct sockaddr *)&whereto,
- sizeof(whereto));
-
+ i = send(s, (char *)packet, cc, 0);
if (i < 0 || i != cc) {
if (i < 0) {
if (options & F_FLOOD && errno == ENOBUFS) {
@@ -1604,12 +1670,21 @@
struct hostent *hp;
static char buf[16 + 3 + MAXHOSTNAMELEN];
- if ((options & F_NUMERIC) ||
- !(hp = gethostbyaddr((char *)&ina, 4, AF_INET)))
+ if (options & F_NUMERIC)
return inet_ntoa(ina);
+
+#ifdef HAVE_LIBCAPSICUM
+ if (capdns != NULL)
+ hp = cap_gethostbyaddr(capdns, (char *)&ina, 4, AF_INET);
else
- (void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name,
- inet_ntoa(ina));
+#endif /* HAVE_LIBCAPSICUM */
+ hp = gethostbyaddr((char *)&ina, 4, AF_INET);
+
+ if (hp == NULL)
+ return inet_ntoa(ina);
+
+ (void)snprintf(buf, sizeof(buf), "%s (%s)", hp->h_name,
+ inet_ntoa(ina));
return(buf);
}
@@ -1682,6 +1757,36 @@
}
}
+#ifdef HAVE_LIBCAPSICUM
+static cap_channel_t *
+capdns_setup(void)
+{
+ cap_channel_t *capcas, *capdnsloc;
+ const char *types[1];
+ int families[1];
+
+ capcas = cap_init();
+ if (capcas == NULL) {
+ warn("unable to contact casperd");
+ return (NULL);
+ }
+ capdnsloc = cap_service_open(capcas, "system.dns");
+ /* Casper capability no longer needed. */
+ cap_close(capcas);
+ if (capdnsloc == NULL)
+ err(1, "unable to open system.dns service");
+ /* Limit system.dns to reverse DNS lookups. */
+ types[0] = "ADDR";
+ if (cap_dns_type_limit(capdnsloc, types, 1) < 0)
+ err(1, "unable to limit access to system.dns service");
+ families[0] = AF_INET;
+ if (cap_dns_family_limit(capdnsloc, families, 1) < 0)
+ err(1, "unable to limit access to system.dns service");
+
+ return (capdnsloc);
+}
+#endif /* HAVE_LIBCAPSICUM */
+
#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
#define SECOPT " [-P policy]"
#else
--bg08WKrSYDhXBjb5
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "
[email protected]"
--bg08WKrSYDhXBjb5--