> You've listed a lot of details about how securechroot works. Can you
> elaborate a little on more precisely what its goal is, and (at least
> very roughly) sketch a proof that the details you've implemented
> accomplish that goal?

securechroot relies solely on kauth(9), so every authorization request
supported by kauth(9) is either deferred or denied by securechroot.

> Can you be more specific about the destructive modifications you are
> trying to prevent,

In short:
 - access to files and processes outside the chroot
 - direct access to the hardware and things like the entropy pool
 - reboot
 - things that can influence processes outside the chroot

> and can you show (at least informally) that every pathway in the
> kernel to them is blocked by the operations you have prohibited, or at
> least show under what hypotheses these pathways are blocked?

In short, this is a zone of responsibility of kauth(9).

> That is, what does an operator need to do in order to use a
> securechroot safely?

modload securechroot

> For example, let's suppose I'm an operator and I naively populate
> /securechroot/dev with `MAKEDEV all'. At a cursory examination, it
> seems to me that a uid 0 process in the securechroot could probably
> write to /dev/rwd0d in the securechroot and cause mayhem that way.
> If so, presumably I ought not to have created rwd0d in the chroot.
> But what is it safe for me to do?

Rules for creating a securechroot-ed environment are basically the same
as for normal chroots: no suid executables, no superfluous executables
(especially compilers and binutils), read-only null mounts for unchanged
data, and so on. The only exception I see is device files. It is strongly
recommended to create *only* the required device files, as the
KAUTH_DEVICE_RAWIO_SPEC request for disks is currently deferred by
securechroot (it is denied only for /dev/kmem and /dev/mem).

> Do you have examples of safe use of securechroots to contain practical
> applications?

http://dictd.xdsl.by
dict://dictd.xdsl.by - RFC2229 service for slavic dictionaries
dict://dictd.xdsl.by:26280 - pkgsrc pkg_online database
(pkgtools/pkg_online-client)

The only problem is that I couldn't find an easy way to load modules at
boot time like it is provided by Linux's /etc/modules. I implemented a
home-made rc.d script.

-- 
Best regards, Aleksey Cheusov.
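The mail above closes with the author noting that NetBSD offers no ready-made equivalent of Linux's /etc/modules for loading a kernel module such as securechroot at boot, and that he wrote his own rc.d script instead. The following is an added example written here for illustration, not the author's script and not part of securechroot: a small POSIX sh loader that reads a Linux-style list file and modloads each module that is not already loaded. The list file path (/etc/modules.list), the script name load_modules.sh, and the use of `modstat -n NAME` as the "already loaded" check are this example's own assumptions; the MODSTAT/MODLOAD variables exist only so the commands can be substituted when testing on a machine without the NetBSD tools.

```shell
#!/bin/sh
# Added example, not code from the mail or from securechroot.
# Boot-time module loader modelled on Linux's /etc/modules: one module
# name per line, '#' starts a comment. Intended to be run from rc.local
# or wrapped in an rc.d script that REQUIREs root.
#
# Assumptions of this example: the list lives in /etc/modules.list and
# `modstat -n NAME` exits non-zero when NAME is not loaded. Both commands
# can be overridden through the environment for testing.

MODULE_LIST=${MODULE_LIST:-/etc/modules.list}
MODSTAT=${MODSTAT:-modstat}
MODLOAD=${MODLOAD:-modload}

# Print the module names in a list file, one per line: comments removed,
# surrounding whitespace stripped, blank lines dropped.
parse_module_list()
{
	sed -e 's/#.*//' \
	    -e 's/^[[:space:]]*//' \
	    -e 's/[[:space:]]*$//' \
	    -e '/^$/d' "$1"
}

# Succeed if the kernel already has the named module loaded.
module_loaded()
{
	"$MODSTAT" -n "$1" >/dev/null 2>&1
}

# Load every module from the list file that is not loaded yet.
# A failing modload is reported and remembered, but the loop continues so
# that one bad entry cannot keep the remaining modules (for instance the
# securechroot listener) out of the kernel at boot.
load_listed_modules()
{
	_rc=0
	for _m in $(parse_module_list "$1"); do
		if module_loaded "$_m"; then
			continue
		fi
		"$MODLOAD" "$_m" || {
			echo "load_listed_modules: failed to load $_m" >&2
			_rc=1
		}
	done
	return $_rc
}

# Only act when invoked as the script itself, so the functions above can
# also be sourced from another script without side effects.
case "$0" in
*/load_modules.sh|load_modules.sh) load_listed_modules "$MODULE_LIST" ;;
esac
```

Because the loader skips modules that are already present and keeps going after a failure, it is safe to run repeatedly (for example from rc.local and again by hand), and a typo in one list entry does not silently prevent securechroot from being loaded.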
