run-jail

I am using my own tool to manage RSBAC JAILs.

See the Mercurial repository.

Preparation

Three preparations have to be done.

Installation

You can check it out via Mercurial and install it with

hg clone http://hg.kasten-edv.de/rsbac-tools

or download it with a web browser. Then run:

python setup.py install

No further system modifications are necessary.

Syntax for jail configuration file

All jail configuration files are placed in the directory '/etc/rsbac/jail'.

A Python script now writes a new, empty jail definition for you.
(The name of this script may change in the future to create-jail-config.)
Just call:

create-jail -c my_config

Or the old way, by copy and paste:
probably the best way to develop a new jail definition file is to start with an empty file like:

;
; Empty JAIL definition file
; 20060425
;
 
""
"0.0.0.0"
()
()
()
()

And then try to start the program. After this attempt, check the security log file (/security/log/security-log) for entries related to the program you just started. Edit the JAIL definition accordingly, and try again.

Known issues

The file format is fixed. The order in which the elements are expected is fixed too. In other words, the quotes and parentheses must be used. Trying to load a file with a different format will result in a read exception.

A JAIL file consists of six elements. These must appear in the file in the order in which they are specified here, and they must have the correct type. Comments can be added anywhere; they start with a semicolon (;) and end at the end of the line. The JAIL file elements are explained in the next section.

To learn how to interpret the log messages to develop a jail policy see explain-jail-message.

Explanation of the syntax

The jail configuration file is split into six elements.

  1. "" chroot path
  2. "0.0.0.0" IP address
  3. () Jail flags
  4. () Jail capabilities
  5. () read System Control Data
  6. () modify System Control Data


All jail parameters below are based on RSBAC 1.4.5.

1. This string specifies the optional chroot path. Since it is a string, it must be enclosed in double quotes (i.e. "). The empty string (i.e. "") should be used when no chroot should be performed.

2. The second element can be an "interface", an "ip-address" or "".

Value | Description
"interface" | The interface must be a valid name such as eth0. If an interface is given, the IP address is taken from /sbin/ifconfig interface.
"ip-address" | If an IP address is used, it must be valid. If the IP address is not associated with an interface, rsbac-jail throws an exception.
"" | If an empty string is given, it is set to 0.0.0.0, which means ignore the IP.


3. Each JAIL has a number of rights which can be configured when the JAIL is created.

jail flag | Explanation | RSBAC cmdline
auto-adjust-ip-address | Automatically adjust the INET any address 0.0.0.0 to the jail address, if set. | -a
allow-all-net-family | Allow all network families, not only IPv4. | -n
allow-dev-get-status | Allow GET_STATUS_DATA requests on devices. | -e
allow-dev-mod-system | Allow MODIFY_SYSTEM_DATA requests. | -E
allow-dev-read | Allow read access on devices. | -d
allow-dev-write | Allow write access on devices. | -D
allow-external-ipc | Allow access to IPC and UNIX domain sockets outside this jail. | -i
allow-inet-localhost | Additionally allow to/from remote IPv4 localhost, that is, address 127.0.0.1. | -o
allow-inet-raw | Allow IPv4 raw sockets (e.g. for ping and traceroute). | -r
allow-ipc-parent | Allow access to the parent jail. | -P
allow-ipc-syslog | Allow use of the char device from syslog. | -y
allow-mount | Allow mount/umount of devices. | -u
allow-netlink | Allow NETLINK as network family. | -K
allow-suid | Allow setuid. | -s
allow-tty-open | Allow opening tty devices. | -t
private-namespace | Put the process into a private namespace. | -N
this-is-syslog | Needed if the jail is for the syslog daemon. | -Y
virtual-user | Use virtual user set. | -V
verbose | Verbose output. | -v


4. Configures the jail capabilities.

jail capability | Explanation | RSBAC cmdline
audit-control | To be written. | AUDIT_CONTROL
audit-write | To be written. | AUDIT_WRITE
chown | To be written. | CHOWN
dac-override | To be written. | DAC_OVERRIDE
dac-read-search | To be written. | DAC_READ_SEARCH
fowner | To be written. | FOWNER
fsetid | To be written. | FSETID
ipc-lock | To be written. | IPC_LOCK
ipc-owner | To be written. | IPC_OWNER
kill | To be written. | KILL
lease | To be written. | LEASE
linux-immutable | To be written. | LINUX_IMMUTABLE
mknod | To be written. | MKNODE
net-admin | To be written. | NET_ADMIN
net-bind-service | Allow binding a service to a privileged port. | NET_BIND_SERVICE
net-broadcast | To be written. | NET_BROADCAST
net-raw | To be written. | NET_RAW
setgid | To be written. | SETGID
setuid | To be written. | SETUID
setfcap | To be written. | SETFCAP
setpcap | To be written. | SETPCAP
sys-admin | To be written. | SYS_ADMIN
sys-boot | To be written. | SYS_BOOT
sys-chroot | To be written. | SYS_CHROOT
sys-module | To be written. | SYS_MODULE
sys-nice | To be written. | SYS_NICE
sys-rawio | To be written. | SYS_RAWIO
sys-pacct | To be written. | SYS_PACCT
sys-ptrace | To be written. | SYS_PTRACE
sys-resource | To be written. | SYS_RESOURCE
sys-time | To be written. | SYS_TIME
sys-tty-config | To be written. | SYS_TTY_CONFIG


5. SCD is short for System Control Data. Each SCD target refers to a global system object, such as the system clock, the packet filter rules, the hostname, etc. These objects can be protected too by RSBAC by setting access rights to their corresponding SCD targets. Adding an SCD target to this list will grant read permissions. E.g. if you add clock to the list, the program is allowed to read the system clock.

jail scd | Explanation | RSBAC cmdline
capability | Change Linux capabilities | capability
clock | System time and date | clock
firewall | Firewall settings, packet filter etc. | firewall
host-id | Host name | host_id
ioports | Access control for direct hardware access | ioports
kexec | To be written. | kexec
kmem | Direct access to kernel memory via proc or device | kmem
ksyms | Kernel symbols | ksyms
mlock | Memory locking | mlock
net-id | Domain name | net_id
network | To be written. | network
nfsd | Kernel NFS server administration | nfsd
other | Any other SCD not specified separately | other
priority | Set scheduler priority (nice value) | priority
rlimit | Setting process resource limits | rlimit
rsbac | RSBAC data in /proc | rsbac
rsbac-log | RSBAC's own log | rsbac-log
rsbac-remote-log | Settings for RSBAC remote logging | rsbac_remote_log
sysctl | Administrate through sysctl | sysctl
sysfs | Administrate through sysfs | sysfs
syslog | System log | syslog
swap | Control of swapping | swap
time-strucs | System timer | time_strucs
quota | Quota administration | quota
videomem | Allow direct access to video memory | videomem


6. The same as point 5 above, except that modify rights are granted instead of read rights.


A fully working example:

;
; RSBAC JAIL definition for apache
; 20060419
;
; Tested by:
; Fuleki Miklos (RAk)
; Peter Busser (peter)
;
 
""
"0.0.0.0"
(allow-dev-read
 allow-dev-write
 allow-external-ipc)
(setgid
 setuid
 net-bind-service
 kill)
(sysctl)
(rlimit)

The above example does not run the application in a chroot. It is not restricted to any particular network interface. It allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid() and setgid(), to open low network ports (net-bind-service capability) and to send signals to processes owned by other users (kill capability). Furthermore, it is allowed to read sysctl data and to modify (i.e. set) process resource limits.

Usage

You can run it on the command line

  usage: run-jail jail-config-name cmd ...

or from an init.d script.

As an example, use an init script such as the one for postfix; modify its start line like below (shown here for pdnsd):

run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd -- -t -s -d -p /var/run/pdnsd.pid ${PDNSDCONFIG}

Then stop and start the service again.

Or just use ping on the command line (the optional parameter --show displays the full translated command):

run-jail ping ping heise.de -t 3 --show

FIXME: substitute numeric values with human-readable names in ps-jail

rsbac-tools also contains ps-jail, which displays the processes that are in a jail.

ps-jail -h

Or run:

cat /proc/rsbac-info/jails

Jail configuration files

These policies are tested and working so far.

Optional

The message below is not really needed. To turn it off:

<6>0000000131|rsbac_adf_request(): request GET_STATUS_DATA, pid 1586, ppid 1585, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, target_type PROCESS, tid 1585, attr none, value none, result NOT_GRANTED by JAIL

Do the following as the security user:

switch_adf_log GET_STATUS_DATA PROCESS 0
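Before deciding whether a refusal needs a new flag, capability or SCD entry, or only a switch_adf_log as above, it helps to turn the security log into structured records. The Python below is an added example and not part of rsbac-tools or explain-jail-message: the field layout is taken from the message above, the other entries in SAMPLE_LOG are constructed, and the target type names SCD and DEV as well as the hints in suggest() are assumptions derived from the flag and SCD tables earlier on this page.

```python
"""Reader for rsbac_adf_request() lines in the RSBAC security log.
Added example, not part of rsbac-tools or explain-jail-message."""
import re
from collections import Counter

# "<level>seq|rsbac_adf_request(): request NAME, key value, key value, ..."
_HEAD = re.compile(r"^<(\d+)>(\d+)\|rsbac_adf_request\(\): request (\S+), (.*)$")


def parse_adf_request(line):
    """Split one log line into a dict; return None for unrelated lines."""
    match = _HEAD.match(line.strip())
    if not match:
        return None
    record = {"level": int(match.group(1)), "seq": int(match.group(2)),
              "request": match.group(3)}
    for field in match.group(4).split(", "):
        key, _, value = field.partition(" ")
        if key == "result":                    # "result NOT_GRANTED by JAIL"
            record["result"], _, record["module"] = value.partition(" by ")
        else:
            record[key] = value
    return record


def jail_denials(lines, prog_file=None):
    """Records that the JAIL module refused, optionally for one program only."""
    out = []
    for line in lines:
        rec = parse_adf_request(line)
        if rec and rec.get("module") == "JAIL" and rec.get("result") == "NOT_GRANTED":
            if prog_file is None or rec.get("prog_file") == prog_file:
                out.append(rec)
    return out


def summarize(records):
    """Count (request, target_type) pairs; each pair is one policy decision."""
    return Counter((r["request"], r["target_type"]) for r in records)


def silence_command(request, target_type):
    """The switch_adf_log line shown above for one request/target pair."""
    return "switch_adf_log %s %s 0" % (request, target_type)


def suggest(record):
    """Hint which jail element a refusal maps to. Assumed mapping, built
    from the flag table (-e, -E) and the SCD section of this page; the
    target type names SCD and DEV are assumptions as well."""
    req, target = record["request"], record.get("target_type")
    if target == "SCD":
        return "add %r to the SCD read or modify list (element 5 or 6)" % record.get("tid")
    if req == "GET_STATUS_DATA" and target == "PROCESS":
        return "not a device request; silence it: " + silence_command(req, target)
    if req == "GET_STATUS_DATA" and target == "DEV":
        return "jail flag allow-dev-get-status (-e)"
    if req == "MODIFY_SYSTEM_DATA":
        return "jail flag allow-dev-mod-system (-E)"
    return "see explain-jail-message"


SAMPLE_LOG = [
    # the line shown above
    "<6>0000000131|rsbac_adf_request(): request GET_STATUS_DATA, pid 1586, ppid 1585, "
    "prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, "
    "target_type PROCESS, tid 1585, attr none, value none, result NOT_GRANTED by JAIL",
    # constructed: the same program, refused again a moment later
    "<6>0000000132|rsbac_adf_request(): request GET_STATUS_DATA, pid 1586, ppid 1585, "
    "prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, "
    "target_type PROCESS, tid 1585, attr none, value none, result NOT_GRANTED by JAIL",
    # constructed: a granted request, which needs no policy change
    "<6>0000000133|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 1590, ppid 1, "
    "prog_name pdnsd, prog_file /usr/sbin/pdnsd, uid 0, "
    "target_type SCD, tid rlimit, attr none, value none, result GRANTED by JAIL",
    "Apr 25 10:00:00 host kernel: unrelated line",       # constructed noise
]
```

Feed the real file to jail_denials(open("/security/log/security-log")) with prog_file set to the program you just started; summarize() then shows the distinct decisions to make, and suggest() gives the starting point for each.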

Jailed local programs for lazy people

For example, if you want 'ping' or 'wget' to be jailed automatically (this does not prevent using the absolute path). The idea behind it is simple: add a new directory to the environment variable PATH and put it in first place.

To do this:

mkdir /usr/local/jails

The profile must be modified so that the directory /usr/local/jails is the first search path.

For example, it can look like this:

if [ "$EUID" = "0" ] || [ "$USER" = "root" ] ; then
    PATH="/usr/local/jails:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${ROOTPATH}"
else
    PATH="/usr/local/jails:/usr/local/bin:/usr/bin:/bin:${PATH}"
fi

Update the profile:

source /etc/profile

Now '/usr/local/jails' is the first directory searched for an executable file.

Note: the directory '/usr/local/jails' and the name 'run-jail' are hardcoded in the run-jail script.

As an example of how to use it, I take 'ping'.

create-jail -p ping 

That's all.
Test it with

ping heise.de --show

The output should be similar to:

/usr/bin/rsbac_jail  -I 0.0.0.0 -r /bin/ping heise.de

The jail configuration file 'ping' must exist, but it is usually shipped with rsbac-tools.

When the wrapper is no longer needed, simply undo the '/etc/profile' modification and remove the '/usr/local/jails' directory.
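What the wrapper directory has to get right, as an added Python example (not create-jail's own code): the real binary is looked up on PATH with /usr/local/jails skipped, because once PATH starts with that directory a wrapper named 'ping' would otherwise find itself; the profile edit is made idempotent for repeated sourcing; and the wrapper text plus install_wrapper() are assumed layouts, since the page only shows the resulting rsbac_jail command.

```python
"""Helpers for the /usr/local/jails PATH-shadowing trick described above.
Added example, not create-jail's code. The wrapper text and the lookup of
the real binary are assumptions; the directory and the run-jail name are
the ones the page says are hardcoded."""
import os
import stat

JAIL_BIN_DIR = "/usr/local/jails"


def _is_executable_file(path):
    """Default probe: a regular file the caller may execute."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and os.access(path, os.X_OK)


def prepend_jail_dir(path_env, jail_dir=JAIL_BIN_DIR):
    """Return PATH with jail_dir in first place exactly once: the profile
    edit shown above, made safe to apply more than once."""
    rest = [d for d in path_env.split(os.pathsep) if d and d != jail_dir]
    return os.pathsep.join([jail_dir] + rest)


def resolve_real_binary(name, path_env, jail_dir=JAIL_BIN_DIR,
                        is_exec=_is_executable_file):
    """First PATH hit for name outside jail_dir, or None. Skipping jail_dir
    is what keeps the wrapper from executing itself."""
    if os.sep in name:      # absolute or relative paths bypass the wrappers anyway
        return None
    for directory in path_env.split(os.pathsep):
        if not directory or os.path.normpath(directory) == os.path.normpath(jail_dir):
            continue
        candidate = os.path.join(directory, name)
        if is_exec(candidate):
            return candidate
    return None


def wrapper_script(name, real_path, run_jail="run-jail"):
    """Shell text for <jail_dir>/<name>: run the real binary under the jail
    configuration of the same name and pass every argument through
    (assumed layout; the page shows only the resulting rsbac_jail line)."""
    return "#!/bin/sh\nexec %s %s %s \"$@\"\n" % (run_jail, name, real_path)


def install_wrapper(name, path_env=None, jail_dir=JAIL_BIN_DIR):
    """Write the wrapper for name into jail_dir and return its path."""
    path_env = os.environ.get("PATH", "") if path_env is None else path_env
    real = resolve_real_binary(name, path_env, jail_dir)
    if real is None:
        raise FileNotFoundError("no %s outside %s on PATH" % (name, jail_dir))
    os.makedirs(jail_dir, exist_ok=True)
    target = os.path.join(jail_dir, name)
    with open(target, "w") as fh:
        fh.write(wrapper_script(name, real))
    os.chmod(target, 0o755)     # wrapper must be executable, like the real binary
    return target
```

The wrapper hands run-jail the absolute path of the real binary rather than the bare name, so it does not matter that /usr/local/jails comes first on PATH when run-jail itself resolves the command.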
