DaemonForums  

Go Back   DaemonForums > DaemonForums.org > News

News News regarding BSD and related.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 19th July 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default Introducing tame(2) with OpenBSD 5.8

The tame(2) syscall is a new kernel facility, announced yesterday on the OpenBSD tech@ mailing list. It was announced there, rather than more broadly, because it is still a work in progress, and developments continue. As I write this, revisions to the tame(2) man page were committed within the last hour.

The tame(2) service will be available with OpenBSD 5.8 when released later this year. This new facility permits both fine-grained service restrictions, and restrictions that are different than chroot(2), and I expect both may be deployed together when appropriate.

The tame(2) syscall is an an application developer's tool to limit the scope of system services available to the application. At the moment, these types of service categories are defined in tame(2), which an application developer may select from:
  • pure computation services
  • memory management
  • file I/O operations
  • read operations
  • write operations
  • temporary file management
  • file and directory creation
  • network services
  • Unix socket services
  • Domain resolution services
  • user and group identity services
  • file descriptor message services
  • child process management
Once syscalls are restricted by tame(2), they cannot be reversed for the life of the tamed process. Any syscall requests that violate the requested restriction will result in a killed or aborted process, as the developer directs.

Last edited by jggimi; 21st July 2015 at 10:25 AM. Reason: typo
Reply With Quote
  #2   (View Single Post)  
Old 21st July 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Just a quick update to note this is still a work in progress -- there was a commit to integrate kdump(8) reporting yesterday.

I expect this application developer's sandbox tool will be further refined before 5.8 is released at the end of the year. I also expect some userland applications may be able to take advantage of it for 5.8, as the 5.8 development window has not yet closed.
Reply With Quote
  #3   (View Single Post)  
Old 22nd July 2015
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

Sounds like OpenBSD is getting Mandatory Access Control All that that talk how MAC is useless went down the drain when somebody posted a code on tech@openbsd
Reply With Quote
  #4   (View Single Post)  
Old 22nd July 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

It's being viewed as a different approach to the same problem space. Jonathan Corbet wrote:
Quote:
The core idea behind tame() is that most applications run in two phases: initialization and steady-state execution. The initialization phase typically involves opening files, establishing network connections, and more; after initialization is complete, the program may not need to do any of those things. So there is often an opportunity to reduce an application's privilege level as it moves out of the initialization phase. tame() performs that privilege reduction; it is thus meant to be placed within an application, rather than (as with SELinux) imposed on it from the outside.
Reply With Quote
  #5   (View Single Post)  
Old 29th October 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

For those who follow -current, tame() was renamed to pledge(2), and there have been major developments and restructuring of userland programs for 5.9, which are continuing. All who follow the misc@ mailing list will have seen some of the discussion -- if only from users caught by problems during this rapid development across most of OpenBSD's userland.

As a -current user, I read daily digests of the commit logs. This particular commit to rdate(8) caught my eye, as it is an example of the more active, robust analysis of the code base currently in progress as pledge() gets deployed system-wide.
Code:
rdate is a classic "run as root, talk to internet for a while doing
crazy packet parsing, then do something requiring privilege at the
end" program.  Simplistic pledge would be "stdio rpath wpath inet dns
settime", which is not very useful.  Imagine if it was exploited?  It
could still change your time backwards or write to your passwd file -
game over.  However the pledge "categorization" is educational, and
quickly leads to a priv-sep solution of sorts.

Create a pipe and fork.  child pledges "stdio inet dns", and talks the
time protocols, then writes error message + timeinfo to the pipe.
parent pledges "stdio rpath wpath settime" and reads error
message/timeinfo from pipe.  If error message, spit it out.  Otherwise
handle the time, then pledge "stdio rpath", and finally report how the
time was adjusted.

A bit more complicated.  Now observe that the pledges help test if
it is right...
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
NetBSD Introducing NPF, NetBSD's new packet filter s0xxx News 1 14th September 2010 05:22 PM


All times are GMT. The time now is 07:59 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick