Y'all need to discover pledge(2), unveil(2) and privilege separation.
https://twitter.com/majek04/status/1034759172041129984 …
-
-
I am not particularly experienced in this area, so I'd like to learn why it would be bad. E.g., the parent process passes an R/W fd only for the files the child needs to write to, and makes everything else R/O.
-
It would also be nice if you can point me at some doco on this stuff, most of what I read is system specific hence a bit opinionated (Linux people think seccomp is better, OpenBSD people would say pledge/unveil is, I hope you get my point :))
-
Capability Myths Demolished http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf … is pretty good at explaining capability systems; it predates Capsicum and doesn't directly apply to the capability-as-fd hybrid model but gives a good overview of the concepts
-
Capsicum is like snake oil, a name drop into conversations about security. With very few practical applications fully taking advantage of its "capabilities". And the ones in the past that perhaps did, *cough* (where's chrome?) are vapourware & not maintained. Sorry, not buying it.
-
Chrome pledges by default today, and has for some time. unveil(2) is also ready for testing and can be easily enabled. Capsicum patches never made it into FreeBSD ports. The examples elsewhere basically fiddle with a few descriptors, not clear how they're making things "secure".
-
Compare: https://github.com/openssh/openssh-portable/blob/master/sandbox-capsicum.c … To: https://github.com/openssh/openssh-portable/blob/master/sandbox-seccomp-filter.c … https://github.com/openssh/openssh-portable/blob/master/sandbox-darwin.c … https://github.com/openssh/openssh-portable/blob/master/sandbox-pledge.c …
-
The hard part of any sandboxing is the design of appropriate boundaries (or similarly, decomposition of existing software). In OpenSSH this was done well, and long ago. A few dozen lines in the sandbox-*.c files vs the ~100k LOC of OpenSSH is not all that interesting.
-
Also, what limits does the pledge sandbox place on the monitor m_recvfd and m_log_sendfd?
-
To be clear, rights (attached to file descriptors) and capabilities (== file descriptors) are drop-only.
-
If they're drop-only, where are they originally inherited from?
-
For a tweet-length answer: in general, from before entering capability mode, or by being passed in from another sandbox.
-
For an example of the end-goal of a Capsicum-based hybrid capability system, check out https://nuxi.nl/
-
Capsicum capabilities are fundamentally distinct from privileges; capability mode turns off global namespaces and ambient authority, and there's no way to "add" dropped privileges from within.
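An added example (not from any participant in this thread) contrasting the "hand the child an R/O fd" design from earlier with the drop-only rights described here: the kernel does enforce the O_RDONLY mode on the inherited descriptor, but the child keeps ambient authority and can simply open() the same file for writing by path; only on FreeBSD, where cap_enter() exists, does the guarded section show that path lookup is refused with ECAPMODE once capability mode is entered. Assumes a POSIX system with a writable /tmp; the Capsicum calls compile only on FreeBSD.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_rights_init(), cap_rights_limit(), cap_enter() */
#endif

/* Results of the probes; each field is 1 when the described outcome was observed. */
struct probe {
    int write_on_ro_fd_denied;  /* write() on the inherited O_RDONLY fd failed with EBADF */
    int open_by_path_allowed;   /* child could still open() the same file O_WRONLY by path */
    int capmode_entered;        /* cap_enter() succeeded (FreeBSD only) */
    int open_in_capmode_denied; /* after cap_enter(), open() by path failed with ECAPMODE */
};

/* Parent creates a scratch file and hands the child a read-only descriptor to it.
 * Probes run in a forked child because cap_enter() is irreversible; results return via a pipe. */
struct probe probe_fd_sandbox(void)
{
    struct probe p = {0, 0, 0, 0};
    char path[] = "/tmp/fdprobe.XXXXXX";   /* constructed scratch file, removed at the end */
    int pipefd[2];
    int rwfd = mkstemp(path);
    if (rwfd < 0 || pipe(pipefd) < 0) return p;
    int rofd = open(path, O_RDONLY);      /* the only descriptor the child is meant to use */
    pid_t pid = fork();
    if (pid == 0) {
        close(pipefd[0]); close(rwfd);    /* child keeps only the read-only descriptor */
        if (write(rofd, "x", 1) < 0 && errno == EBADF) p.write_on_ro_fd_denied = 1;
        int wr = open(path, O_WRONLY);    /* ambient authority: path lookup still works */
        if (wr >= 0) { p.open_by_path_allowed = 1; close(wr); }
#ifdef __FreeBSD__
        cap_rights_t rights;
        cap_rights_init(&rights, CAP_READ);
        cap_rights_limit(rofd, &rights);  /* drop-only: this fd can be narrowed, never widened */
        if (cap_enter() == 0) {           /* turns off global namespaces for this process */
            p.capmode_entered = 1;
            if (open(path, O_RDONLY) < 0 && errno == ECAPMODE) p.open_in_capmode_denied = 1;
        }
#endif
        write(pipefd[1], &p, sizeof p);
        _exit(0);
    }
    close(pipefd[1]);
    if (pid > 0) read(pipefd[0], &p, sizeof p);
    close(pipefd[0]); close(rofd); close(rwfd); unlink(path);
    if (pid > 0) waitpid(pid, NULL, 0);
    return p;
}
```

On Linux the first two fields come back set and the Capsicum fields stay 0; on FreeBSD all four are set, which is the point of the thread: only capability mode removes the path-based authority that descriptor modes leave in place.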