Hi list, I'm working on Capsicum security framework [1] for the FreeBSD Project. While implementing sandbox mode for some applications like tcpdump, we have noticed that sandboxed applications are no longer able to resolve DNS names. This happens because each DNS resolving is done by making a connection to upstream DNS server. So we decided to use lwresd and corresponding library (liblwres) so an application will talk only with lwresd daemon on localhost, and lwresd will upstream DNS query to another server. This worked better, because now an application has to maintain only one opened socket to lwresd daemon, instead of opening new one each time DNS resolving happens. But this also was not enough. We wanted lwresd to use UNIX domain sockets instead of TCP/UDP, this is more effective and secure as long as all communication happens on one host. Another problem is that original liblwres closes socket after each query and recreates it when needed. This is impossible when an application is sandboxed, because sockets cannot be created in this state.
To get rid of these problems, I have modified lwresd, liblwres and also libisc: 1.1) libisc seems to have basic UNIX stream sockets support, but seems it was not finished, because many if() statements only checked if the connection type is TCP or UDP. I have added handling of UNIX *datagram* sockets to all (I hope so) nessesary places. I needed only datagram sockets, not stream, but since UNIX sockets support in libisc seems to be unusable anyway, I decided to change the type of socket that is created if LWRES_ADDRTYPE_UNIXSOCK is requested. 1.2) A socket is not closed after a connection was made and data is received. Instead, its descriptor is saved and used later when making subsequent queries. 1.3) New function lwres_socket_init() that tries to open a connection to lwresd daemon. This function is called by an application just before it enters sandboxed mode. So later, when it makes a DNS query, it reuses existing socket. There are still some problems that I wanted to fix after receiving initial feedback about my patch. 2.1) The library is modified to use UNIX socket _by_default_. As I understand it's better to add a support for reading UNIX socket path from configuration file. Or at least add such command-line option. 2.2) When using UNIX datagram sockets, one should create a "client" socket to receive replies from server (lib/lwres/context.c, near line 349). I wonder where this socket should be closed. What I think is that a context structure should be modified to include client socket descriptor, so we will be able to close it if we don't need it any more. 2.3) Maybe add a config file switch to prevent lwresd from closing communication socket after each use? I.e. make a behaviour described in 1.2 optional. Thank you in advance for reviewing this work, hope you'll find it useful. I'm also CC'ing Robert Watson, Jonathan Anderson and Ben Laurie, who work on Capsicum implementation. [1] http://www.cl.cam.ac.uk/research/security/capsicum/ -- Regards, Ilya Bakulin http://kibab.com xmpp://kibab...@jabber.ru
bind9_unixsock_support.diff
Description: Binary data
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
