D47024.id144525.diff
No OneTemporary
Actions

Size

4 KB

Referenced Files

None

Subscribers

None

D47024.id144525.diff
View Options

	diff --git a/website/content/en/status/report-2024-07-2024-09/mac_do.adoc b/website/content/en/status/report-2024-07-2024-09/mac_do.adoc
	new file mode 100644
	--- /dev/null
	+++ b/website/content/en/status/report-2024-07-2024-09/mac_do.adoc
	@@ -0,0 +1,80 @@
	+=== mac_do(4), setcred(2), mdo(1)
	+
	+Contact: Olivier Certner <olce.freebsd.statusreports@certner.fr>
	+Contact: Baptiste Daroussin <bapt@FreeBSD.org>
	+
	+This project aims at allowing controlled process credentials transitions without
	+using setuid executables but instead leveraging our MAC framework.
	+
	+Traditional programs for credentials change have to execute preliminary
	+operations as root (if not as the effective UID, at a minimum as the saved UID).
	+Some of these programs (e.g., man:sudo[8]) have lots of lines of codes and
	+comprise features (e.g., loadable security modules) that can be dangerous from
	+a security standpoint.
	+Thus, they have a non-negligible attack surface and are difficult to prove
	+correct.
	+Additionally, in most scenarios, the extra features they bring are not
	+necessary.
	+
	+More generally, the threat model for the man:mac_do[4] kernel module part is
	+that of compromised userland programs, be they credentials changers or
	+credentials providers ones.
	+This stance implies that calls to the kernel's credentials-changing API must be
	+monitored by the kernel without upcalls to userland.
	+In practice, man:mac_do[4] must be configured beforehand by the administrator to
	+indicate which transitions of credentials are valid (through a man:sysctl[8]
	+knob, `security.mac.do.rules`).
	+
	+Currently, the companion userland program, man:mdo[1], is the only one that can
	+be authorized to proceed by man:mac_do[4] (for now, based on the executable
	+path).
	+This tiny program simply establishes the new credentials via calls to
	+man:setuid[2], and optionally man:initgroups[3] (calling man:setgroups[2]) and
	+man:setgid[2] (if `-i` was not passed).
	+
	+The resulting set of groups is either that of the target UID based on the
	+password database, or that before the change in UID (when using `-i`).
	+The second alternative can be a security hazard in some cases (as the effective
	+GID is not changed either), whereas the first contradicts the threat model
	+above.
	+The current man:mac_do[4] rules specification indeed only allows to express
	+simple UID transitions towards explicit UIDs from other explicit UIDs or GIDs,
	+without taking account groups.
	+Consequently, the kernel module currently cannot check the content of
	+man:setgroups[2] and man:setgid[2] system calls' parameters, relying completely
	+on man:mdo[1] passing the right information.
	+
	+A new version of man:mac_do[4] has been in the works for approximately a month.
	+Besides fixing concurrency, per-jail settings and MAC policies composition
	+problems, it features a revamp of the rules specification in order to make it
	+possible to finely control which groups are allowed in the resulting
	+credentials.
	+Notably, primary and secondary groups can now be specified independently, and
	+for the latter, GIDs can be tagged as allowed, mandatory or forbidden.
	+A special alias, `.`, can be used to indicate the current process' UIDs or GIDs
	+depending on the context.
	+
	+These new features imply that the man:mac_do[4] module is able to apply
	+credentials change at once, since the allowed final credentials depend on the
	+initial ones through the configured rules.
	+The traditional userland interface (e.g., man:setuid[2], man:setuid[2],
	+man:setgroups[2], etc.) is at odds with this requirement as it necessitates
	+multiple calls to reach the desired final credentials, making the process pass
	+by several successive states that themselves may not be allowed by
	+man:mac_do[4]'s rules.
	+We overcome this limitation by introducing a new system call, man:setcred[2],
	+which allows to request arbitrary transitions of credentials at once.
	+Beside its usefulness in conjunction with man:mac_do[4], it has the benefit of
	+simplifying coding of credentials change in userland.
	+Since it is also extensible, it may have the potential to be adopted later by
	+other systems.
	+
	+Pre-requisite changes are currently under review (see in particular revisions
	+D46886 to D46889 and D46896 to D46923 in
	+link:https://reviews.freebsd.org/[Phabricator]).
	+The bulk of changes in man:mac_do[4]/man:mdo[1] proper will soon be pushed under
	+review as well.
	+An older version of the full series can be seen on
	+link:https://github.com/OlCe2/freebsd-src/tree/oc-mac_do[GitHub].
	+
	+Sponsor: The FreeBSD Foundation

File Metadata

Mime Type: text/plain
Expires: Wed, Apr 8, 10:26 PM (2 h, 39 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 31118806
Default Alt Text: D47024.id144525.diff (4 KB)

D47024.id144525.diffNo OneTemporaryActions

D47024.id144525.diffView Options

File Metadata

Event Timeline

D47024.id144525.diff
No OneTemporary
Actions

D47024.id144525.diff
View Options