Also to note: Something about this change causes a kernel panic under heavy load (poudriere running 20 jobs with poudriere configured to use tmpfs for the entire job).

Screenshot of kernel panic: https://photos.app.goo.gl/dXBpW7sbn1iWQaJj9

On Sun, Jan 17, 2021 at 01:03:25AM +0100, Mariusz Zaborski wrote:
> Thank you for raising your concerns. We discussed that, and for now,
> we will disable sandboxing in the cat. We will try to measure where
> the bottlenecks are and try to address them.
>
> We should try to sandbox even as simple tools like cat or tail, but not for
> any cost. If we have a high cost, we may explore other ways of doing it.
>
> On Sat, 16 Jan 2021 at 16:10, Cy Schubert <cy.schub...@cschubert.com> wrote:
> >
> > In message <202101161448.10gemui4095...@mail.karels.net>, Mike Karels
> > writes:
> > > Mateusz wrote:
> > > > I have to strongly disagree with this change.
> > > >
> > > > truss -f cat /etc/motd immediately reveals most peculiar overhead
> > > > which comes with it.
> > > >
> > > > Some examples:
> > > > - pdfork is called 3 times and fork 1 time, spawning 4 processes in
> > > >   total
> > > > - the file is opened twice:
> > > >   5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 5 (0x5)
> > > >   5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > >   5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 7 (0x7)
> > > >   5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > > - there is an enormous number of sendto/recvfrom instead of everything
> > > >   happening in just one go
> > > >
> > > > Key points:
> > > > - the functionality provided by casper definitely induces way more
> > > >   overhead than it should.
> > > > - regardless of the above, I find patching tools like tail and cat in
> > > >   this manner to be highly questionable. Ultimately whatever security
> > > >   may or may not have been gained always has to be gauged against
> > > >   actual impact, and it does not look like it is worth it in this case.
> > > >
> > > > Even if someone was to put cat in capability mode, for something as
> > > > trivial as opening one file, cat could just do it without all the other
> > > > overhead and then enter the sandbox.
> > > >
> > > > That said, I think this change (and possibly similar changes to other
> > > > tooling) should be reverted. Regardless of what happens here, casper
> > > > needs a lot of work before it is deemed usable.
> > > >
> > > > My $0,03.
> > >
> > > I also question this change. Using capsicum makes sense for something
> > > like tcpdump, which usually runs as root, uses privileged facilities,
> >
> > tcpdump can drop its privileges. Various Linux distros and vendors do this.
> > I have a patch in my tree that will do this.
> >
> > > and interprets external data that could potentially subvert it in the
> > > worst case. It also has a fairly high startup cost that can be amortized
> > > over its runtime. Cat is nothing like this, so I wonder what the motivation
> > > was for the change. It's not obvious to me that there is any significant
> > > value in capsicumizing, and there are obviously significant costs.
> >
> > Agreed.
> >
> > >             Mike
> >
> > --
> > Cheers,
> > Cy Schubert <cy.schub...@cschubert.com>
> > FreeBSD UNIX: <c...@freebsd.org> Web: https://FreeBSD.org
> > NTP: <c...@nwtime.org> Web: https://nwtime.org
> >
> > The need of the many outweighs the greed of the few.
> >
> > > > On 1/15/21, Mariusz Zaborski <osho...@freebsd.org> wrote:
> > > > > The branch main has been updated by oshogbo:
> > > > >
> > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > > >
> > > > > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > > > Author:     Mariusz Zaborski <osho...@freebsd.org>
> > > > > AuthorDate: 2021-01-15 20:22:29 +0000
> > > > > Commit:     Mariusz Zaborski <osho...@freebsd.org>
> > > > > CommitDate: 2021-01-15 20:23:42 +0000
> > > > >
> > > > >     cat: capsicumize it
> > > > >
> > > > >     Reviewed by:    markj, arichardson
> > > > >     Differential Revision: https://reviews.freebsd.org/D28083
> > > <snip>
> > >
> _______________________________________________
> dev-commits-src-all@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all
> To unsubscribe, send any mail to "dev-commits-src-all-unsubscr...@freebsd.org"

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
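The alternative Mateusz sketches in the quoted thread (open the single file first, then enter capability mode, with no casper helper processes in between), written out as an added example; it is not FreeBSD's cat and not code from anyone in this thread. It assumes FreeBSD's Capsicum API (sys/capsicum.h) and compiles the sandbox step out on other systems so the copy loop can still be built and tested there.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Limit the two descriptors cat still needs, then enter capability mode. Capsicum is
 * FreeBSD-only; elsewhere (assumption: portable build) this is a no-op. */
static int enter_sandbox(int in_fd, int out_fd)
{
#ifdef __FreeBSD__
    cap_rights_t r;
    if (cap_rights_limit(in_fd, cap_rights_init(&r, CAP_READ, CAP_FSTAT)) < 0 ||
        cap_rights_limit(out_fd, cap_rights_init(&r, CAP_WRITE)) < 0)
        return -1;
    if (cap_enter() < 0 && errno != ENOSYS) /* ENOSYS: kernel lacks CAPABILITY_MODE */
        return -1;
#endif
    return 0;
}

/* All cat has left to do once the file is open. Returns bytes copied, or -1. */
static ssize_t copy_fd(int in_fd, int out_fd)
{
    char buf[8192];
    ssize_t total = 0, n;
    while ((n = read(in_fd, buf, sizeof(buf))) > 0) {
        for (ssize_t off = 0; off < n; ) {   /* write() may be short */
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) return -1;
            off += w;
        }
        total += n;
    }
    return n < 0 ? -1 : total;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    /* The path lookup is the one step needing ambient authority: do it first, */
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0) { perror(argv[1]); return 1; }
    /* then give that authority up before any file content is processed. */
    if (enter_sandbox(fd, STDOUT_FILENO) < 0) { perror("enter_sandbox"); return 1; }
    return copy_fd(fd, STDOUT_FILENO) < 0 ? 1 : 0;
}
```

Against the truss output quoted above this opens the file once and forks nothing; the trade-off is that every path argument has to be opened before cap_enter(), which is the multi-file case casper's fileargs service exists to cover.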