praudit(8): Capsicumify
AbandonedPublic
Actions

Authored by cem on Sep 18 2016, 8:05 AM.

Details

Reviewers

emaste
allanjude
brueffer
gnn
rwatson
sson

Summary

Add sys/capsicum.h detection to configure.ac script. Regenerate
configure, config.h.in, config.h.

Preopen all input file descriptors before entering Capsicum sandbox.

fcntl GETFL capability is needed for fdopen(3). FSTAT and IOCTL are
also used by stdio.

A number of kludges were made to preload files before entering the
Capsicum sandbox.

Test Plan

sudo service auditd onestart
sudo praudit /var/audit/current

Diff Detail

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 5881
Build 6168: arc lint + arc unit

Event Timeline

cem updated this revision to Diff 20427.Sep 18 2016, 8:05 AM

cem retitled this revision from to praudit(1): First cut Capsicumification.

cem updated this object.

cem edited the test plan for this revision. (Show Details)

cem added reviewers: emaste, allanjude, rwatson.

Herald added a subscriber: imp. · View Herald TranscriptSep 18 2016, 8:05 AM

High-level comments rather than a detailed code review:

(1) Capsicum changes should be well received by the OpenBSM community, as it's largely made up of FreeBSD folk, although Apple folk (etc) are also interested. Do make sure you update the configure framework to be aware of Capsicum, however, likely testing for the feature by looking for capsicum.h.

(2) I think sandboxing around the BSM parsing code is a really good idea -- parsing is always a risky business, and there's no need for the general execution environment to place trust in audit trails that may come from compromised hosts.

(3) It would be nice to be able to sandbox around processing of multiple file arguments. This might cause a change in the event model to introduce additional processes if we want per-input sandboxes. Otherwise, it's probably OK to open a vector of file descriptors up front and process them one by one, placing a lower limit on the number of arguments that can be processes. ARG_MAX is already a pretty arbitrary limit.

rwatson added reviewers: sson, brueffer, gnn.Sep 18 2016, 10:30 AM

Add sys/capsicum.h detection to configure.ac
- Regenerate configure, config.h.in, config.h.

Preopen all input files before entering sandbox.
- I am not super worried about limiting the number of input files; worst case you DoS yourself with malloc.

Add additional needed capabilities for fdopen(3), isatty(3).

Thanks for taking a look.

cem retitled this revision from praudit(1): First cut Capsicumification to praudit(8): Capsicumify.Sep 19 2016, 1:20 AM

cem updated this object.

emaste added inline comments.Sep 19 2016, 1:37 AM

contrib/openbsm/bin/praudit/praudit.c

185–188

As a general rule I think we don't need to be so specific in the error message since it's not actionable by the user anyway.

Perhaps just something like

if ((cap_rights_limit(STDOUT_FILENO... ) < 0 ... ||
    (cap_rights_limit(STDERR_FILENO... ) < 0 ... ||
    (cap_ioctls_limit(STDOUT_FILENO... ) < 0 ... ||
    (cap_ioctls_limit(STDERR_FILENO... ) < 0 ... )
        err(1, "unable to limit rights for stdio");