Hi Remco,

On Mon, Oct 05, 2015 at 07:47:26PM +0200, Remco wrote:
> Sebastien Marie wrote:
> 
> > Just a remark about "proc" request. It won't allow calling exec(2), but
> > only fork(2) (and some others, see the man page for details).
> > 
> > exec(2) is really special for a tamed program: allowing it could permit
> > to defeat the purpose of tame.
> > 
> 
> I'm trying to understand tame(2) and in my mind the purpose of tame(2) is to 
> allow/restrict potentially dangerous operations within a single program. The 
> way you describe it, it seems exec(2) is unconditionally disallowed.

That is the case. Currently exec(2) is unconditionally disallowed.

tame(2) is used to whitelist syscalls your program is allowed to use.
You could refer to src/sys/kern/kern_tame.c to get the exact list of
syscalls allowed per requests.

The man page of tame(2) is a good overview too.

> Please correct me if I'm wrong, but I see tame(2) as a means to reduce the 
> attack surface of the program it is used in, not as a tool to reduce the 
> attack surface of another program it knows nothing about.

I agree, and I understand tame(2) like that too.

tame(2) reduces the attack surface of the program it is used in. It doesn't
care about other programs. You could see it as a way to describe the
expected behaviour of a program ("my program will do file reading"), and
the kernel will ensure the actual behaviour is correct ("you want to do
socket?" "Killed").

The problem with exec(2) is that if we permit it (without inherited tame
flags), your program has a way to go outside its expected behaviour. For
example, if a tamed program has a bug that permits execution of code, the
attacker would just have to do "exec(something-else)" to escape the
imposed policy. Without exec(2), the attacker has only a limited subset of
syscalls available.

Thanks for your interest.
-- 
Sebastien Marie
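A small C program illustrating the whitelist model Sebastien describes (an added example, not code from this thread or from OpenBSD): the program declares "stdio rpath" as its expected behaviour and then only reads a file, so a socket(2) or exec(2) reached through a later bug would be stopped by the kernel instead of yielding a fresh, unrestricted process. It assumes OpenBSD, where the syscall is pledge(2), the name tame(2) received a few days after this exchange, with the same request-string form; the helper names restrict_self() and count_lines_*(), and the default /etc/hosts path, are constructed here, and on non-OpenBSD systems the restriction is a clearly labelled no-op.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Request string handed to the kernel. "stdio rpath" declares the
 * expected behaviour: basic I/O plus read-only file access. It grants
 * neither "proc" (fork) nor sockets, and exec(2) is not grantable at all
 * under tame(2), as explained in the thread. */
#define EXPECTED_BEHAVIOUR "stdio rpath"

/* Apply the whitelist. On OpenBSD the syscall is pledge(2), the later
 * name of tame(2); the request-string form is the same. Elsewhere this
 * is a labelled no-op so the file still builds, but nothing is enforced. */
static int restrict_self(const char *request)
{
#if defined(__OpenBSD__)
    return pledge(request, NULL);
#else
    (void)request;
    fprintf(stderr, "note: tame/pledge not available here, policy not enforced\n");
    return 0;
#endif
}

/* Count newline-terminated lines in a buffer (pure, so it is testable). */
long count_lines_buf(const char *buf, size_t len)
{
    long n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n')
            n++;
    return n;
}

/* Count the lines of a file using only open/read/close, all of which stay
 * inside "stdio rpath". Returns -1 if the file cannot be opened. */
long count_lines_file(const char *path)
{
    char buf[4096];
    long total = 0;
    size_t got;
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    while ((got = fread(buf, 1, sizeof buf, fp)) > 0)
        total += count_lines_buf(buf, got);
    fclose(fp);
    return total;
}

int main(int argc, char **argv)
{
    /* Default path is an assumption for the demo; pass your own file. */
    const char *path = argc > 1 ? argv[1] : "/etc/hosts";

    /* Declare the expected behaviour before touching any input. */
    if (restrict_self(EXPECTED_BEHAVIOUR) == -1) {
        perror("pledge");
        return 1;
    }

    long n = count_lines_file(path);
    if (n < 0) {
        perror(path);
        return 1;
    }
    printf("%s: %ld lines\n", path, n);

    /* From here on, a socket(2) or execve(2) reached through a bug in the
     * code above is answered by the kernel killing the process, not by a
     * new process that is free of the policy. */
    return 0;
}
```

The restriction is applied once, up front, and never widened; everything the program legitimately needs afterwards (open, read, write to stdout) is covered by the two requests it declared.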
