The isolate utility [LWN.net]

The isolate utility

Posted Jan 5, 2010 19:27 UTC (Tue) by wahern (subscriber, #37304) [Link]

Linux would benefit from a lot of things, most importantly getting rid of its acute case of NIH syndrome. FreeBSD's kqueue and jail subsystems are two good examples.

It took about seven years for Linux to finally get signalfd, relative to when kqueue debuted. dnotify and inotify!? Perhaps Linux's interfaces are marginally superior, but was it worth the wait and portability hassles? And kqueue still provides features unavailable in Linux.

The same analysis could apply to FreeBSD-style jails, except it looks like SELinux will be the final solution nobody uses. And the reason SELinux sucks is obvious; you can't truly separate policy from function, because they're indivisible in a security-conscious application, yet SELinux makes it very difficult to integrate policy into the development process.

This is why jail(2) and even chroot(2) are so powerful and so much more preferable than all the other convoluted solutions out there.

The isolate utility

Posted Jan 5, 2010 19:43 UTC (Tue) by dlang (✭ supporter ✭, #313) [Link]

making that functionality be dependent on SELinux also means that people who want to use a different security module would have to have that module implement the same functionality or loose the capability to do this sort of thing.

this should not be dependent on SELinux any more than namespaces should be eliminated on theory that SELinux can prevent applications from accessing things they shouldn't

The isolate utility

Posted Jan 5, 2010 19:44 UTC (Tue) by dpquigl (subscriber, #52852) [Link]

"...you can't truly separate policy from function, because they're indivisible in a security-conscious application, yet SELinux makes it very difficult to integrate policy into the development process."

Could you elaborate on this a bit? How is policy development difficult to do in parallel with the development process? Is it just that people neglect it and leave it to the end? I really don't see it being a difficult thing that when you're coding your logging code for your application that you also add the necessary policy to make sure that your program can use it and labels the files correctly.

The isolate utility

Posted Jan 5, 2010 21:18 UTC (Tue) by drag (subscriber, #31333) [Link]

SELinux depends on the specific configuration of the server and what you want to do with it. You can give a generic SELinux configuration, which is what Fedora and Redhat do.. but the downside of the trade offs are obvious. (Most people don't care enough to learn how to use it so they just turn it off and for people that leave it running the additional restrictions are not really that good at enhancing security).

But for the government contracts and high-security folks that Redhat (and friends) are targeting then SELinux is worth it since those additional security enhancements are things they can justify the time and expense it takes to get it done correctly for their specific needs.

All in all his post is a bit bizarre. BSD Jails is not really comparable with SELinux except to state that they are both designed to protect the system from buggy services. Other then that simularities end. Does BSD Jails provide Mandatory access controls? Role based controls? Multi level Security? No of course not. So it's a nonsensical comparison. If he wants to complain he can point out differences in how Jails work versus LXC and how traditional containers for Linux (Linux-vserver/openvz) required lots of patching and other things. Then he can go on and complain about how Solaris is using their own container virtualization and not using Jails and then complain about it with OS X and then with Windows.

That is something that would probably make sense here. But then it would be pretty simple to poke holes in it.

The reality is that if you want BSD-Jail like functionality in Linux you can have it. Easily. I've been able to get it by using 'apt-get' in Debian for probably most of the last decade (or more). People have been using stuff like that for web hosting for years and years now. Of course with LXC it's now built into the kernel and is generic enough to be used by lots of different things for different purposes.

Maybe somebody should point out the effort to get SELinux ported to FreeBSD... Wait; TrustedBSD there you go. If the FreeBSD-Jail was the all-singing and all-dancing solution to everything then why would anybody care to use anything else?

And, from a security stand point, Chroot is very bad. The worst thing about it is that administrators/developers end up trusting it to do stuff it never was intended to do.. like securing your BIND server and stuff like that. It can be done, but it's actually really difficult to do correctly since it is so fragile.

The isolate utility

Posted Jan 7, 2010 10:58 UTC (Thu) by trasz (guest, #45786) [Link]

It's worth noting that everything you mentioned - various kinds of MAC policies - are already available in FreeBSD; the main difference compared to SELinux is that the FreeBSD implementation is modular, simple to understand and to maintain. That's the reason that porting SELinux to FreeBSD is stalled, I guess.

The isolate utility

Posted Jan 7, 2010 15:13 UTC (Thu) by drag (subscriber, #31333) [Link]

The only mention of MAC stuff in FreeBSD's documentation is this
'TrustedBSD' stuff

http://www.freebsd.org/doc/en/books/arch-handbook/mac.html

Which is the port of Flask/SELinux from Linux to Darwin to FreeBSD.

What am I missing here?

----------------

Also the above people mis characterized SELinux as being the 'one true
framework' or whatever. There is, of course, SMACK (in since 2.6.25) and
Tomoyo, which is in since 2.6.30. Both of which are designed to be much
simpler for administrators and such to deal with.

Redhat and Fedora, of course, still focus on SeLinux, of course. Probably
because it's the most full featured solution so far and they want to meet
the requirements for a certain subset of Redhat's customers.

The isolate utility

Posted Jan 7, 2010 21:21 UTC (Thu) by martinko (guest, #62862) [Link]

MAC is no Flask/SELinux -- please read better!

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook...

Also you may want to educate yourself what really TrustedBSD is and about it's affiliation with FreebBSD.

;-)

The isolate utility

Posted Jan 18, 2010 11:26 UTC (Mon) by trasz (guest, #45786) [Link]

FreeBSD MAC, implemented as part of TrustedBSD and ported to Darwin/MacOS X,, is not a port of SELinux - it's a MAC framework and a set of modules implementing policies. Port of SELinux would be just another policy module.

The isolate utility

Posted Jan 7, 2010 21:10 UTC (Thu) by dpquigl (subscriber, #52852) [Link]

SELinux was already ported to BSD in the form of SE-BSD which is where the MAC framework that BSD currently enjoys came from. The issue with having the SE-BSD code in the core BSD code is because of licensing issues. Some of the code needed from SELinux for SEBSD is GPL licensed which prevents it from being incorporated into the areas of FreeBSD where it is needed. I haven't looked into this very much but when considering reviving the SEBSD code for use with a BSD Labeled NFS prototype I was told the stumbling block for getting SEBSD integrated into the BSD core was to do with the license on the code.

The isolate utility

Posted Jan 18, 2010 11:31 UTC (Mon) by trasz (guest, #45786) [Link]

Again, not true. Port of SELinux would be just another policy enforcement module. Existing policies work fine without it - and they have an advantage of being simple to understand.

The isolate utility

Posted Jan 7, 2010 21:15 UTC (Thu) by dpquigl (subscriber, #52852) [Link]

Also another thing worth noting is none of the MAC modules in BSD are considered "production ready". I was looking at using the MLS module to showcase label translation in Labeled NFS and when I spoke with Robert Watson (MAC Framework/SEBSD developer) he said that the MLS implementation isn't very full featured and it is there as an example for vendors to take and extend into a more full featured implementation. Also not until FreeBSD 8.0 was the MAC framework enabled in their kernel by default. It was present in the source tree but from what I understand you needed to rebuild your kernel to enable it (mainly due to overhead concerns).

The isolate utility

Posted Jan 7, 2010 21:34 UTC (Thu) by dpquigl (subscriber, #52852) [Link]

I should probably rephrase this. The MLS and Biba modules weren't adequate for use without further enhancements. I didn't realize there were so many BSD MAC modules so some of them are probably production ready.

The isolate utility

Posted Jan 8, 2010 0:02 UTC (Fri) by drag (subscriber, #31333) [Link]

I guess it's like Linux were you have the pluggable security module
framework were Selinux is just one of many possible frameworks.

It'll be interesting to see what evolves out of this approach.

The isolate utility

Posted Jan 8, 2010 0:43 UTC (Fri) by dpquigl (subscriber, #52852) [Link]

They model is different than the LSM. Historically the LSM framework has been anti stacking and for some pretty good reasons. The BSD framework has every model as a separate module that can be loaded in. They have quite a few modules for a variety of functions. They have one MLS module, two integrity modules, a module to place programs in selective jail like separations called partitions, a module to protect ports, some modules for disabling network access and "firewalling" the file system. The soundness of some of the models are up for debate but they are there none the less.

The isolate utility

Posted Jan 18, 2010 11:29 UTC (Mon) by trasz (guest, #45786) [Link]

When was that, exactly? Among several things that happened in FreeBSD last year was inclusion of MAC in the default kernel and removing the "experimental" status.

The isolate utility

Posted Jan 6, 2010 0:25 UTC (Wed) by wahern (subscriber, #37304) [Link]

It's difficult because it's an ad hoc process. To sandbox a daemon under unix all that need be done is chroot(path) + chdir(".") + setuid(nonrootuid). That's all in C, and generally called from the main function (my argument is for chroot(2), not for isolate(1) or chroot(1)). There are caveats, and it's no panacea, but it's straight-forward, and the user/sysadmin never need get involved. The only issue is how to make sure `path' exists. FreeBSD jail(2), which is more comprehensive, is similarly simple.

To sandbox with SELinux I do... what? To install the SELinux policies I do... what? No pithy code snippet will come close to answering that. And SELinux isn't even installed by default on Ubuntu and most other Linux distributions, not to mention other unices. Leveraging SELinux from the application perspective is difficult and clumsy. You need to create a shell scripting ecosystem to support your application. Same applies to LXC or anything similar.

RedHat might ship with default policies for Apache and BIND and similar software, but it certainly won't ship for 99% of the available applications on Freshmeat. It's nonsense to think that any single group is capable of reliably and efficiently patching, effectively, all the software out there. I say patching because though SELinux policies are text files they're nonetheless code. And that is why I say policy is indivisible from function. It's a distinction without a difference from a security perspective. They're both code.

Now, SELinux is useful in general for exactly the same reason. It allows the end-user or distributor to patch together an application by adding new code without modifying existing code. Effectively you can build custom applications, the same way a company might fork an open source project and tweak it for, say, an embedded Samba device. You can hack Samba directly and/or create SELinux policies. Yet you run into all the same problems as when you have two different groups hacking on the same software. Most prominently the maintainers of the policy end inevitably fall behind the release schedule of the main release, get tired of the treadmill, and the whole endeavor withers.

As for logging, my applications do what any good unix applications do; they log to stderr. I provide example documentation and code for attaching stderr to syslog(1) or rotatelogs(1), and my applications also make this very easy to do as a builtin operation (e.g. foo -e "|rotatelogs /var/log/foo-%Y%m%d.log"), which makes it a tad more convenient. Yes, that is in a sense leaving policy to the end-user, but the difference is that (1) I'm well aware that log processing is an application in its own right; and (2) no matter where you point stderr the daemon itself runs as securely as possible out-of-the-box. Why would I leave security up to the end-user or distributor? Who but the developer best knows how to secure his own code?

SELinux works well as an adjunct, but minimally any portable application _must_ use chroot(2). Even if something could replace chroot(2) tomorrow I'd prefer FreeBSD style jail(2) than a convoluted system that doesn't offer the possibility for a small code block in main() to provide decent sandboxing, instead requiring a haphazard process among various users--developer, distributor, admin. Theory is great, but a good solution must work in practice, and manifestly SELinux isn't a practical solution.

(I also tend to pervasively use descriptor passing between privileged and unprivileged processes. Much like chroot it's portable and, used properly, matches the security of most any other solution, and does so out-of-the-box.)

The isolate utility

Posted Jan 6, 2010 2:21 UTC (Wed) by gmaxwell (subscriber, #30048) [Link]

"To sandbox with SELinux I do... what?"

To sandbox? You use dan walsh's sandbox (http://danwalsh.livejournal.com/31146.html) it was linked in the very first comment here.

Yes, SELinux is complicated. It's much more expressive than chroot()+chdir(), and so it's possible to lock things in a much more find grained and secure way. The tradeoff is the complexity. Thats where tools like sandbox step in.

The isolate utility

Posted Jan 6, 2010 3:34 UTC (Wed) by wahern (subscriber, #37304) [Link]

Nice... for some limited set of apps, particularly desktop apps. Especially since it's more reasonable to expect desktop apps to be less portable than server apps. But I write server-side apps. Not only is this not especially useful on Linux servers, I still need to do sandboxing _inside_ my application both for portability, and because I still need privileges temporarily to setup my environment, such as open sockets. There're several app-specific privileged operations daemons typically need to do.

sandbox(1) uses a setuid utility. Anything which requires a setuid utility is already a red flag in my book. And such wrappers are inherently limited, anyhow.

These aren't generic solutions. They're interesting, useful, and laudable pieces of software, to be sure. But come on.... None of these things can even come close to the usefulness that traditional, portable unix privilege separation can accomplish. chroot, setuid, descriptor passing... these things are here now, ubiquitous, and time tested. Use them, developers. Security can't be an after-thought, bolted on, acceptable merely because it's described as a "security tool". The techniques needs to be tightly woven into the fabric of the code. (Alan Cox assertions are flat wrong; merely because chroot wasn't intended as a security tool doesn't mean it's not useful as such. Logic and history plainly prove him wrong, except that I personally think people take his quotes out of context anyhow.) Applications which don't do this need to be _fixed_, not amended. Additional steps, such as SELinux, VMs, etc, should be additive, not ends in themselves.

One nice thing about isolate(1) is that it uses a random UID. The code is awkward in places (I'd have just done `setuid(arc4random() | 0x80000000)', rather than a wierd loop, and anything w/ setuid mode is suspect, especially w/ all those machinations), but quite portable in theory, especially if Mach-O support could be added. And yet, at least for daemon apps, you can accomplish the same thing in about 10 lines of code if built into your app, w/o any dependencies. Sandboxing desktop apps involves special difficulties, but other than X11 and needing root privileges for chroot (I really wish systrace was built into the Linux kernel), all the same techniques apply equally well.

The isolate utility

Posted Jan 6, 2010 5:45 UTC (Wed) by drag (subscriber, #31333) [Link]

Alax Cox's comments refer to why the fact that when people show up on the
LKML and bring up one of the obvious and blaring security defects with
Linux's Chroot implementation (and hope to see these 'problems' fixed) they
get ignored or shot down.

The isolate utility

Posted Jan 6, 2010 6:16 UTC (Wed) by drag (subscriber, #31333) [Link]

Oh and he never said it was not useful. It's just that if the program has
root privileges then chroot is worthless. If you do it properly with
carefully controlled file discripters and proper setuid and that sort of
thing chroot can be useful, it's just much more difficult to get right then
it seems.

In that specific mailing list discussion people are referring to is
http://kerneltrap.org/mailarchive/linux-kernel/2007/9/19/...

----

Meanwhile with things like BSD Jails, Linux LXC, or Solaris Zones are
designed to be easy for admins to make applications isolated in a proper
manner and can be used with lots of applications that would never really work
out with chroot.