OpenBSD Security (Functionally paranoid!)
systrace(1) is removed for OpenBSD 6.0
The systrace() toolkit was a system call policy implementation tool. A policy of allowed syscalls could be devised and applied to a specific application.
In practice, this was difficult to manage universally because the policy implementation was external to the application. Every application change required a review and revision of the permitted system calls. At one time, there was a central repository of user-suggested policies -- called the "Hairy Eyeball Project" -- but each user had to conduct their own audit, and once the project ceased operations (2004? 2005?), users became completely responsible for their own policy development, and usage waned.

In addition, a carefully crafted application could circumvent systrace() policy enforcement, and when that was discovered and published, the use of systrace() as a security tool ended.

OpenBSD continued to keep systrace() available because it was valuable during port development of third-party applications. The ports(7) system had a knob, USE_SYSTRACE, which would enable a standard policy for what any port was allowed to do during building of the application and installing into the ports() fake infrastructure. Generally, that policy would prevent the port from writing to any component of the filesystem outside the ports object tree, or opening network sockets during building.

Was. Had. Would. These policies became unneeded once it was possible for unprivileged users to build a port except for the final pkg_add(1) used during the make install step. OpenBSD's bulk port building tool dpb(1) has a security model that provides granularity of access, simply by using different unprivileged users for different parts of the build. As an example, there can be a BUILD_USER and a FETCH_USER with different authorizations.

Finally, a much simpler and more deployable system call policy management tool has replaced systrace(): pledge(2).

---

The OpenBSD project works hard to remove facilities which aren't being actively used or maintained. Old code that is retained without constant testing can become a security problem. Removal eliminates that risk.

---

The first of many commits: http://marc.info/?l=openbsd-cvs&m=146161167911029&w=2

Last edited by jggimi; 26th April 2016 at 03:41 PM. Reason: added link
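To make the contrast with systrace concrete, here is an added example (not from this thread or from OpenBSD's source tree) of the in-application policy style pledge(2) uses: the program declares the promises it needs and narrows them as initialization completes. It assumes an OpenBSD host for the pledge call itself; on other systems the call is compiled out so the file still builds, and the sample input file is constructed by the program.

```c
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <err.h>

/* pledge(2) exists only on OpenBSD. Elsewhere the call is compiled out
 * (portability assumption for this example), so the promises below are
 * documentation only on non-OpenBSD systems. */
#ifdef __OpenBSD__
#define PLEDGE(promises) \
    do { if (pledge((promises), NULL) == -1) err(1, "pledge"); } while (0)
#else
#define PLEDGE(promises) ((void)0)
#endif

/* Constructed sample input: three lines, written before any pledge so
 * that "wpath cpath" are never needed by the pledged code path. */
int write_sample(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    fputs("alpha\nbeta\ngamma\n", fp);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Count newlines in a file. Promises can only shrink: once the file is
 * open, "rpath" is dropped and only "stdio" (read/write on existing
 * descriptors, exit) remains. Any later open(2), socket(2), etc. would
 * be a violation: the kernel kills the process with SIGABRT and logs
 * the offending syscall, which is the "black box" a developer reads. */
long count_lines(const char *path)
{
    PLEDGE("stdio rpath");            /* phase 1: must open a file */
    int fd = open(path, O_RDONLY);
    if (fd == -1) return -1;
    PLEDGE("stdio");                  /* phase 2: file is open, narrow */
    char buf[4096]; ssize_t n; long lines = 0;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++) if (buf[i] == '\n') lines++;
    close(fd);
    /* open(path, O_RDONLY) here would now violate the pledge. */
    return lines;
}

int main(void)
{
    const char *path = "/tmp/pledge_demo_sample.txt";  /* constructed */
    if (write_sample(path) != 0) err(1, "write_sample");
    printf("%ld lines\n", count_lines(path));         /* prints "3 lines" */
    return 0;
}
```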
Pretty much all I know about the Pledge() approach is what I gleaned from Theo's presentation (so, not much). What seems [to me] to be missing is instrumentation, records, analysis, and feedback.
My concern is the reliability of the overall computing system will decrease. Some programs will violate their pledge and be terminated (hasta la vista, baby) because the software is tricky and a specific context might trigger the violation. It seems like some kind of snapshot (black-box) of the circumstances, environment, and state of the terminated program would be needed to determine the source of the problem. Without that, developers might never get a clear view of tricky, transient problems in some programs.
Everything you currently consider missing is available. Because I used them all.
Last edited by jggimi; 27th April 2016 at 10:32 AM. Reason: typos |
I can't speak to the point. Mostly because I'm heading out the door to $DAYJOB and won't be able to review the video you linked. But having used both systrace() and pledge(), and liking both, I can speak to the key differences in policy authorization.