OpenBSD Journal
tame(2) WIP
Contributed by tbert on Sun Jul 19 00:07:21 2015 (GMT)
from the taming-the-beast dept.

Theo de Raadt (deraadt@) has pulled back the curtain on his entry into the process sandboxing contest:

I have been working for a while on a subsystem to restrict programs
into a "reduced feature operating model".

Other people have made such systems in the past, but I have never been
happy with them.  I don't think I am alone.

Generally there are two models of operation.  The first model requires
a major rewrite of application software for effective use
(i.e. capsicum).  The other model in common use lacks granularity, and
allows or denies an operation throughout the entire lifetime of a
process.  As a result, they lack differentiation between program
"initialization" versus "main servicing loop".  systrace had the same
problem.  My observation is that programs need a large variety of
calls during initialization, but few in their main loops.

Some BPF-style approaches have shown up.  So you need to write a
program to observe your program, to keep things secure?  That is
insane.

So I asked myself if I could invent a simple system call, which people
would place directly into programs, between initialization and
main-loop.

Secondly, I wondered what kind of semantics such programs would need.
Not just directly themselves, but for DNS and other macro operations.

Anyways, enough explanation.  A manual page follows.

Then the kernel diff.

Finally, a sample of 29 userland programs protected to various
degrees by using it:
    cat pax ps dmesg ping ping6 dc diff finger from id kdump
    logger script sed signify uniq w wc whois arp authpf bgpd
    httpd ntpd relayd syslogd tcpdump traceroute

Not all these are perfect, but it shows the trend.  The changes
are fairly simple.  In the simplest non-network programs, network
access is disabled.  In simple network programs, file access goes
away.  That is the trend.

Sometimes a program is easily modified, making it better, because
the integration of tame hints at an improvement which will make it
tighter under tame.  sed is an example...

The full email, as stated, contains the man page and the diff to make this happen. For those of us wanting an easily-retrofitted way of sandboxing applications, this looks like a huge step forward.
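As an added illustration (not Theo's code and not the tame(2) diff, which the post does not reproduce), here is a cat(1)-shaped program restructured the way the email describes: every operation that needs broad privilege (opening the argv paths) happens during initialization, and the main loop then needs nothing beyond read(2)/write(2) on descriptors that are already open. Because the manual page is not on this page, the restriction itself is a hypothetical hook, reduce_to_stdio(), marking where the tame(2) call would sit between initialization and the main loop.

```c
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical stand-in for the restriction call: the post does not
 * reproduce the tame(2) manual page, so no real flags are assumed. */
static int reduce_to_stdio(void)
{
    return 0;
}

/* Initialization phase: open every input path up front, so open(2) is
 * never needed once restricted. Returns count stored in fds, or -1. */
int open_inputs(char **paths, int npaths, int *fds)
{
    int i;
    for (i = 0; i < npaths; i++) {
        if ((fds[i] = open(paths[i], O_RDONLY)) == -1) {
            while (i-- > 0)
                close(fds[i]);
            return -1;
        }
    }
    return npaths;
}

/* Main-loop work on already-open descriptors: only read(2)/write(2).
 * Returns bytes copied, or -1 on a read or write error. */
ssize_t copy_fd(int in, int out)
{
    char buf[4096];
    ssize_t n, off, w, total = 0;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (off = 0; off < n; off += w)
            if ((w = write(out, buf + off, n - off)) == -1)
                return -1;
        total += n;
    }
    return n == -1 ? -1 : total;
}

int main(int argc, char **argv)
{
    int fds[64], n, i;
    if (argc > 65 || (n = open_inputs(argv + 1, argc - 1, fds)) == -1)
        return 1;                /* too many files, or open failed */
    if (reduce_to_stdio() == -1) /* boundary between init and main loop */
        return 1;
    for (i = 0; i < n; i++)      /* main loop: no further privilege needed */
        if (copy_fd(fds[i], STDOUT_FILENO) == -1)
            return 1;
    return 0;
}
```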



  Re: tame(2) WIP (mod 4/92)
by Anonymous Coward (2601:186:4180:61:3dfd:e87d:219e:c2bc) on Sun Jul 19 15:21:14 2015 (GMT)
 
I really like the concept behind tame(2).

If I understand it correctly, it allows the developer of the application to inform the operating system about the expected behavior of the program as the program moves along its execution timeline.

Re: tame(2) WIP (mod 2/78)
by Anonymous Coward (199.185.178.4) on Sun Jul 19 15:54:05 2015 (GMT)
  >
> I really like the concept behind tame(2).
>
> If I understand it correctly... It allows the developer of the application to inform the operating system about the expected behavior of the program as the program moves along its execution timeline.
>
>

Correct. In addition to that, if the process deviates from the expected behaviour it gets terminated.
Re: tame(2) WIP (mod 6/76)
by Anonymous Coward (38.99.63.178) on Mon Jul 20 20:21:53 2015 (GMT)
  >
> I really like the concept behind tame(2).
>
> If I understand it correctly... It allows the developer of the application to inform the operating system about the expected behavior of the program as the program moves along its execution timeline.
>
>

It's basically a much saner version of Linux capabilities, for all that implies, both good and bad.

I just hope this doesn't mean that OpenBSD will swear off Capsicum. Linux just got a primitive for implementing Capsicum's pdfork and pdwait. It would be awesome if that became more portable beyond FreeBSD and Linux. But of course that stuff doesn't implement itself, so until a patch is rejected I only have myself to complain to.

Re: tame(2) WIP (mod 0/70)
by Amit Kulkarni (72.219.53.105) on Wed Jul 22 13:18:00 2015 (GMT)
  > >
> > I really like the concept behind tame(2).
> >
> > If I understand it correctly... It allows the developer of the application to inform the operating system about the expected behavior of the program as the program moves along its execution timeline.
> >
> >
>
> It's basically a much saner version of Linux capabilities, for all that implies, both good and bad.
>
> I just hope this doesn't mean that OpenBSD will swear-off Capsicum. Linux just got a primitive for implementing Capsicum's pdfork and pdwait. It would be awesome if that became more portable beyond FreeBSD and Linux. But of course that stuff doesn't implement itself, so until a patch is rejected I only have myself to complain to.
>
>


Reading the diffs, I think tame is a continuing enhancement of privilege separation. Theo hints at it, right there in his email: initial start-up needs lots of permissions, afterwards not so much.

I am not a kernel hacker at all, but in the best possible case, I suspect that over time, privilege separation can be replaced by tame in the OpenBSD tree. Because by trial and error, the devs will come to understand the right set of permissions the individual daemons will want to satisfy all the functionality, and specify it at start-up. Start as root and then reduce functionality. This will enhance the readability of the kernel code.
Re: tame(2) WIP (mod 6/76)
by Anonymous Coward (38.99.63.178) on Wed Jul 22 23:53:59 2015 (GMT)
  <snip>
> I am not a kernel hacker at all, but in the best possible case, I suspect that over time, privilege separation can be replaced by tame in the OpenBSD tree.

Tame could never do that. Privilege separation isn't merely concerned with the privilege of executing a certain system call. There are an endless number of application-specific, context-specific "privileges". For example, the private key used to authenticate TLS sessions. In OpenSMTPD this key is kept in a separate process. The privilege in this case is the privilege of the signing operation, much narrower than the privilege of having read access to the key. Tame could never protect that key in such a manner, nor could seccomp or Capsicum, for that matter.

With something like Capsicum, you don't need to block the kill call, or worry at what moment in the process lifetime the kill call might be invoked. Instead, you have permission to send a signal to a process _only_ by dint of having been _explicitly_ passed the process descriptor (not PID), which cannot be counterfeited. That's a much more powerful tool to augment the task of implementing fine-grained, application-specific privilege separation. But as Theo noted, such techniques in general, and Capsicum in particular, require significant refactoring of existing code, and careful design of new code.

Tame is much more practical. I would hope it wouldn't become a crutch to avoid implementing proper privilege separation. I certainly doubt that was Theo's intention.
Re: tame(2) WIP (mod 3/75)
by Amit Kulkarni (10.11.131.113) on Thu Jul 23 14:32:10 2015 (GMT)
  > <snip>
> > I am not a kernel hacker at all, but in the best possible case, I suspect that over time, privilege separation can be replaced by tame in the OpenBSD tree.
>
> Tame could never do that. Privilege separation isn't merely concerned with the privilege of executing a certain system call. There are an endless number of application-specific, context-specific "privileges". For example, the private key used to authenticate TLS sessions. In OpenSMTPd this key is kept in a separate process. The privilege in this case is the privilege of the signing operation, much narrower than the privilege of having read access to the key. Tame could never protect that key in such a manner, nor could seccomp or Capsicum, for that matter.
>
> With something like Capsicum, you don't need to block the kill call, or worry at what moment in the process lifetime the kill call might be invoked. Instead, you have permission to send a signal to a process _only_ by dint of having been _explicitly_ passed the process descriptor (not PID), which cannot be counterfeit. That's a much more powerful tool to augment the task of implementing fine-grained, application-specific privilege separation. But as Theo noted, such techniques in general, and Capsicum in particular, require significant refactoring of existing code, and careful design of new code.
>
> Tame is much more practical. I would hope it wouldn't become a crutch to avoid implementing proper privilege separation. I certainly doubt that was Theo's intention.
>

Thanks for clarifying!

Re: tame(2) WIP (mod 2/78)
by Noryungi (noryungi) on Tue Jul 21 08:49:17 2015 (GMT)
  The comment above is spam.

I think that is the very first spam of this kind I see on this site.

Re: tame(2) WIP (mod 2/68)
by tbert (tbert) on Tue Jul 21 20:10:56 2015 (GMT)
  > The comment above is spam.
>
> I think that is the very first spam of this kind I see on this site.
>
>

fix't
Re: tame(2) WIP (mod 3/73)
by Fredrik Ludl (217.208.148.2) (fredrik@ludl.se) on Tue Jul 21 20:18:32 2015 (GMT)
 
That is a big task, but maybe programs that cannot have a predictable behavior shall not be considered well-written software.
So the system itself is a quality enhancer for software.


  Re: tame(2) WIP (mod 7/83)
by Just Another OpenBSD User (87.126.197.32) on Thu Jul 23 00:54:34 2015 (GMT)
  Finally, at the right time wonderful solutions to real world problems are happening as usual in the OpenBSD space first.



Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. Some icons from slashdot.org used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]