aboutgitcodebugslistschat
path: root/dhcp.c
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2022-02-07 21:11:37 +0100
committerStefano Brivio <sbrivio@redhat.com>2022-02-21 13:41:13 +0100
commit0515adceaa8f69a1d85ae3c8c550c37dd49b0c47 (patch)
tree6ca9be64f2fa252da4ffdbe4c591778eb06b7b4a /dhcp.c
parentfcc3db78cd5fdf1b02e2339b722512b97998f28f (diff)
downloadpasst-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar
passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.gz
passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.bz2
passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.lz
passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.xz
passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.tar.zst
passt-0515adceaa8f69a1d85ae3c8c550c37dd49b0c47.zip
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as implemented by --enable-sandbox in slirp4netns, we need to create a new mount namespace and pivot_root() into a new (empty) mountpoint, so that passt and pasta can't access any filesystem resource after initialisation. While at it, also detach IPC, PID (only for passt, to prevent vulnerabilities based on the knowledge of a target PID), and UTS namespaces. With this approach, if we apply the seccomp filters right after the configuration step, the number of allowed syscalls grows further. To prevent this, defer the application of seccomp policies after the initialisation phase, before the main loop, that's where we expect bad things to happen, potentially. This way, we get back to 22 allowed syscalls for passt and 34 for pasta, on x86_64. While at it, move #syscalls notes to specific code paths wherever it conceptually makes sense. We have to open all the file handles we'll ever need before sandboxing: - the packet capture file can only be opened once, drop instance numbers from the default path and use the (pre-sandbox) PID instead - /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection of bound ports in pasta mode, are now opened only once, before sandboxing, and their handles are stored in the execution context - the UNIX domain socket for passt is also bound only once, before sandboxing: to reject clients after the first one, instead of closing the listening socket, keep it open, accept and immediately discard new connection if we already have a valid one Clarify the (unchanged) behaviour for --netns-only in the man page. To actually make passt and pasta processes run in a separate PID namespace, we need to unshare(CLONE_NEWPID) before forking to background (if configured to do so). Introduce a small daemon() implementation, __daemon(), that additionally saves the PID file before forking. While running in foreground, the process itself can't move to a new PID namespace (a process can't change the notion of its own PID): mention that in the man page. For some reason, fork() in a detached PID namespace causes SIGTERM and SIGQUIT to be ignored, even if the handler is still reported as SIG_DFL: add a signal handler that just exits. We can now drop most of the pasta_child_handler() implementation, that took care of terminating all processes running in the same namespace, if pasta started a shell: the shell itself is now the init process in that namespace, and all children will terminate once the init process exits. Issuing 'echo $$' in a detached PID namespace won't return the actual namespace PID as seen from the init namespace: adapt demo and test setup scripts to reflect that. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'dhcp.c')
0 files changed, 0 insertions, 0 deletions