Le 24/07/2016 à 00:52, Alistair Crooks a écrit :
ISTM that your sysretsrict suffers from one of the same drawbacks as pledge/tame/name-du-jour - the restrictions are being burned into the binary at compile/link time.
No. As I said, the userland tool could add or modify the bitmap in the ELF section. Sysrestrict does not require any modification at compile or link time. You could just take the default firefox binary provided on the project servers, and sysrestrictctl would add the section.
That might be fine for system binaries (but some people download distributions from the project servers) that are built locally - what about anything more than the basics, like an apache with loadable modules? How do you specify the modular restrictions? How do we make it so that an apache binary can be successfully have its restriction set "expanded" to allow modules to do their job, when that is what sysretsrict is trying to prevent? I'd be much happier with a variant of seccomp-bpf, or even using lua to do the same job (if it was performant, JIT-enabled and safe to do such a thing, I expect not :(). My main problem is that simply outlawing system calls is a very coarse-grained hammer. I may want a binary to be able to open files for writing in /tmp, but not open any files in /etc for writing. Or reading files in my home directory, except for anything in ~/.ssh or ~/.gnupg. How does sysrestrict cope with this?
It is just impossible to reach the perfect granularity. Even with a JIT engine, we could still demonstrate that we cannot handle the pointer that comes from a copyin, which comes from a copyin, which comes from another copyin. And even if we were trying to implement such a feature, we would end up virtualizing the whole userland->kernel path, and the performance, security and stability impact would be high. The goal of sysrestrict (and pledge, and whatever else) is not to provide the perfect feature that will control absolutely everything. The goal is just to provide an additionnal, simple layer of restriction. It is a combination of such features that can mostly reach the granularity you want. Sysrestrict for syscalls, UNIX file permissions for VFS, kauth for kernel permissions, Veriexec for binary permissions, etc.
