
[OpenWrt-Devel] package/utils/busybox: Jail sysntpd

Message ID 1450305242-3806-1-git-send-email-openwrt@daniel.thecshore.com
State Changes Requested

Commit Message

Daniel Dickinson Dec. 16, 2015, 10:34 p.m. UTC
From: Daniel Dickinson <openwrt@daniel.thecshore.com>

Note that not all of procfs, sysfs, log and ubus may be required for actual
operation; they are just what strace reveals attempting to make accesses.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
---
 package/utils/busybox/files/sysntpd | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Etienne Champetier Dec. 17, 2015, 8:15 a.m. UTC | #1
adding openwrt-devel

2015-12-17 9:14 GMT+01:00 Etienne Champetier <champetier.etienne@gmail.com>:

> Hi,
>
> 2015-12-16 23:34 GMT+01:00 <openwrt@daniel.thecshore.com>:
>
>> From: Daniel Dickinson <openwrt@daniel.thecshore.com>
>>
>> Note that not all of procfs, sysfs, log and ubus may be required for actual
>> operation; they are just what strace reveals attempting to make accesses.
>>
>> Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
>> ---
>>  package/utils/busybox/files/sysntpd | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/package/utils/busybox/files/sysntpd
>> b/package/utils/busybox/files/sysntpd
>> index f73bb83..e61c9fc 100755
>> --- a/package/utils/busybox/files/sysntpd
>> +++ b/package/utils/busybox/files/sysntpd
>> @@ -31,7 +31,11 @@ start_service() {
>>         for peer in $server; do
>>                 procd_append_param command -p $peer
>>         done
>> +       touch /var/run/ntpd.pid
>>         procd_set_param respawn
>> +       procd_add_jail sysntpd procfs sysfs log ubus
>> +       procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf
>> /tmp/resolv.conf /etc/hosts /etc/TZ
>> +       procd_add_jail_mount_rw /var/run/ntpd.pid
>>         procd_close_instance
>>  }
>>
>>
> Nice to see people jailing daemons.
> I've added some features to ujail recently but it lacks proper documentation
> https://dev.openwrt.org/changeset/47862/trunk
>
> Keep in mind that root inside the jail is the same as root outside it (we
> don't use user namespaces for now),
> so sysntpd is still root and has access to /proc and /sys, so it can do
> lots of things
>
> Can you try to add capabilities restrictions?
> procd_set_param capabilities <json file>
> for the syntax see
>
> http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=51201235db9dad9fe1823d9de46ed90f5e160fd0
>
> maybe you can also add
> procd_set_param no_new_privs 1
> which prevents the process from gaining new privileges (this disables suid ...)
>
> Etienne
>
>
Daniel Dickinson Dec. 17, 2015, 8:20 a.m. UTC | #2
Hi,

Speaking of jails, is it possible yet to automagically detect the 
dependencies for multiple binaries (there is a package I've got a pull 
request to add to the packages feed that I haven't jailed because of a 
dependency on another program; if that other program can be included in 
the jail without having to manually figure out library dependencies I'll 
move it as well).

I'll do some additional testing etc. with sysntpd to see about narrowing 
its privileges.

Regards,

Daniel

Etienne Champetier Dec. 17, 2015, 8:27 a.m. UTC | #3
Hi,

2015-12-17 9:20 GMT+01:00 Daniel Dickinson <openwrt@daniel.thecshore.com>:

> Hi,
>
> Speaking of jails, is it possible yet to automagically detect the
> dependencies for multiple binaries (there is a package I've got a pull
> request to add to the packages feed that I haven't jailed because of a
> dependency on another program; if that other program can be included in the
> jail without having to manually figure out library dependencies I'll move
> it as well).
>

Yes, I've recently added that: each file that you add to the jail is now
"parsed"; if it's an ELF, all needed libs (.so) are added; if it's a script
(#!), the interpreter is added
http://nbd.name/gitweb.cgi?p=luci2/procd.git;a=commit;h=15ff8b1d09187c11b1331f811cc75b0dd2076827


> I'll do some additional testing etc. with sysntpd to see about narrowing
> its privileges.
>
> Regards,
>
> Daniel
>
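To make the dependency walk described in the reply above concrete, here is an added Python re-implementation of the idea; it is not procd/ujail code. A script yields its shebang interpreter, an ELF binary yields the library names its `.dynamic` section lists as DT_NEEDED. Two simplifications are my own: it reads the section-header table rather than the program headers, and it returns bare library names instead of resolving them on the filesystem.

```python
import struct

DT_NULL, DT_NEEDED, SHT_DYNAMIC = 0, 1, 6


def _elf_needed(data):
    """Return the DT_NEEDED library names of a 32- or 64-bit ELF image."""
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (e_shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x3A)
    else:
        (e_shoff,) = struct.unpack_from(end + "I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x2E)
    secs = []                                # (sh_type, sh_offset, sh_size, sh_link)
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        (sh_type,) = struct.unpack_from(end + "I", data, off + 4)
        if is64:
            sh_offset, sh_size = struct.unpack_from(end + "QQ", data, off + 0x18)
            (sh_link,) = struct.unpack_from(end + "I", data, off + 0x28)
        else:
            sh_offset, sh_size = struct.unpack_from(end + "II", data, off + 0x10)
            (sh_link,) = struct.unpack_from(end + "I", data, off + 0x18)
        secs.append((sh_type, sh_offset, sh_size, sh_link))
    needed = []
    for sh_type, off, size, link in secs:
        if sh_type != SHT_DYNAMIC:
            continue
        strtab = secs[link][1]               # sh_link of .dynamic points at .dynstr
        entsize, fmt = (16, end + "qQ") if is64 else (8, end + "iI")
        for pos in range(off, off + size, entsize):
            tag, val = struct.unpack_from(fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                name = data[strtab + val:]
                needed.append(name[: name.index(b"\0")].decode())
    return needed


def jail_deps(path):
    """Extra files a jail would need beside `path` (interpreter or shared libs)."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(b"#!"):               # script: first word after "#!"
        argv = data.split(b"\n", 1)[0][2:].strip().split()
        return [argv[0].decode()] if argv else []
    if data.startswith(b"\x7fELF"):          # dynamic binary: DT_NEEDED entries
        return _elf_needed(data)
    return []                                # plain data file: nothing extra
```

Run it on the hotplug script and on the ntpd binary of a target root to see what a jail would have to carry; a static binary or one with section headers stripped simply yields an empty list.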

Patch

diff --git a/package/utils/busybox/files/sysntpd b/package/utils/busybox/files/sysntpd
index f73bb83..e61c9fc 100755
--- a/package/utils/busybox/files/sysntpd
+++ b/package/utils/busybox/files/sysntpd
@@ -31,7 +31,11 @@  start_service() {
 	for peer in $server; do
 		procd_append_param command -p $peer
 	done
+	touch /var/run/ntpd.pid
 	procd_set_param respawn
+	procd_add_jail sysntpd procfs sysfs log ubus
+	procd_add_jail_mount "$HOTPLUG_SCRIPT" /etc/resolv.conf /tmp/resolv.conf /etc/hosts /etc/TZ
+	procd_add_jail_mount_rw /var/run/ntpd.pid
 	procd_close_instance
 }
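Review bot: the `procd_add_jail sysntpd procfs sysfs log ubus` line grants procfs and sysfs on the strength of strace observations alone, while the commit message itself says not all of them may be required; since root inside the jail is host root (as the thread points out), please confirm which of the four ntpd actually fails without and drop the rest, and consider pairing the jail with `procd_set_param capabilities <json file>` and `procd_set_param no_new_privs 1` as suggested in the thread. The `touch /var/run/ntpd.pid` added before `procd_set_param respawn` also deserves a one-line comment saying the file must already exist on the host so that `procd_add_jail_mount_rw /var/run/ntpd.pid` has something to bind, otherwise the next reader will wonder why the pid file is created by the init script rather than by ntpd.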