On Wed, May 29, 2013 at 05:03:05PM +0200, Dag-Erling Smørgrav wrote: > Pawel Jakub Dawidek <p...@freebsd.org> writes: > > AES-NI doesn't have to go through kernel at all and doing so is much > > slower. Not sure if our OpenSSL version already has native AES-NI > > support. If not it would be best to upgrade it. This would fix AES-NI > > at least. Other crypto HW that do need kernel driver would still need > > something here. I wonder if CRIOGET can't be done before setting rlimit. > > The CRIOGET ioctl call happens deep inside OpenSSL. There may be a way > to pre-initialize the AES engine, but the unprivileged child doesn't > know which engine to use until after it's sandboxed.
BTW. At least OpenSSL in HEAD already supports AES-NI natively. > > How does it work on OpenBSD then? > > IIUC, they have sandboxing facilities in the base system and use those > instead of the extremely rudimentary rlimit-based implementation that we > use. They use systrace and from what I see they don't allow ioctl(2) in systrace policy. No idea then how they talk to the kernel crypto framework. > > > > Also what is the exact difference between "sandbox" and "yes" settings? > > > "sandbox" enables sandboxing (no surprise) which in FreeBSD's case means > > > a bunch of rlimit settings. > > I thought that simple "yes" setting does chroot to /var/empty, drops > > privileges to sshd user/group and sets rlimit? I'm trying to figure out > > the difference between those two settings. > > In our case, the only difference is that "sandbox" uses setrlimit() to > prevent the unprivileged child from forking, opening files or appending > to open files. I see. > > > > The reason I ask is because I plan to experiment with OpenSSH > > > > sandboxing to use Capsicum and Casper. > > > You still have the patches I sent you? > > Probably somewhere in my INBOX. If you have them handy can you please > > resend them? > > Attached. Thanks! If we want to protect against compromised child allocating too much resources, we could still leave rlimit to deny fork(2) and creating new descriptors. In capability sandbox one can still allocate descriptors using dup(2), socket(2), socketpair(2), etc. Capability mode doesn't protect against DoS. -- Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://mobter.com
pgpKY4Zw0r6jU.pgp
Description: PGP signature
