
port to FreeBSD #1

Open
fogti opened this issue Dec 17, 2022 · 2 comments
Comments

@fogti (Member) commented Dec 17, 2022

It would be very nice to be able to use this from FreeBSD, but there exists no OCI runtime ecosystem for FreeBSD, and afaik also no support in the OCI runtime spec... so a completely separate implementation on top of (probably) FreeBSD jails + account limits would be necessary. An additional complication is that:

Jails are a powerful tool, but they are not a security panacea. While it is not possible for a jailed process to break out on its own, there are several ways in which an unprivileged user outside the jail can cooperate with a privileged user inside the jail to obtain elevated privileges in the host environment.
Most of these attacks can be mitigated by ensuring that the jail root is not accessible to unprivileged users in the host environment. As a general rule, untrusted users with privileged access to a jail should not be given access to the host environment.

afaik we can't ensure that restriction at all. A user can submit arbitrary executables to be executed in the sandboxed environment, and restricting the access inside the jail to an unprivileged user also seems non-trivial. I think additional account limits, at least outside of the jail (maybe also inside?) are necessary. And a bit of research to harden that.

@milahu commented Dec 17, 2022

what would nix do on bsd? build without sandbox?
see #if __FreeBSD__ or #elif __FreeBSD__

limitation: NixOS/patchelf#36

see also: https://github.com/ployground/bsdploy

@fogti (Member, Author) commented Dec 18, 2022

The Nix sandbox appears to be only supported on Linux and macOS, and is only enabled by default on Linux.
I wouldn't care about the patchelf limitation that much, because I'll try to avoid patchelf wherever possible anyway, and want to build pretty much everything from source, and also modify too-large builds (split them into smaller ones)...
https://github.com/NixOS/nix/blob/26c7602c390f8c511f326785b570918b2f468892/src/libstore/globals.hh#L450-L454

The most difficult part would probably be finding out how exactly chroot/jails need to be amended using account limits/restrictions and other such stuff so that executing arbitrary binaries is safe (that is, it shouldn't be able to escape from the sandbox, shouldn't be able to access files from the host besides those in the input closure, no access to the network, and, besides denial of service and kernel exploits, shouldn't be able to otherwise disrupt system operation).
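One way to put the constraints listed in this thread together on FreeBSD, as an added example that is not code from the issue or from the project: a jail with networking disabled and the optional subsystems switched off, the input closure mounted read-only via nullfs, the build run as an unprivileged in-jail user, and rctl(8) limits attached to the jail. Everything specific here is an assumption: the jail name `nixbuild`, its root under `/var/jail`, the in-jail user `builder`, a pre-populated minimal jail root (shell and toolchain already inside), the closure paths passed as arguments, and `kern.racct.enable=1` so that rctl rules take effect.

```shell
#!/bin/sh
# Added example, not the project's code. Assumed names: jail "nixbuild",
# root /var/jail/nixbuild, in-jail user "builder", racct enabled for rctl.

JAIL_NAME=${JAIL_NAME:-nixbuild}
JAIL_ROOT=${JAIL_ROOT:-/var/jail/$JAIL_NAME}
JAIL_USER=${JAIL_USER:-builder}

# jail(8) parameters, one per line. No IPv4/IPv6 stack is attached at all
# (ip4/ip6=disable), raw sockets, foreign address families, SysV IPC,
# mounting, chflags and hostname changes are refused, enforce_statfs=2 hides
# host mounts, securelevel=3 cannot be lowered from inside, and children.max=0
# forbids nested jails. devfs ruleset 4 is the stock "devfsrules_jail" set.
jail_hardening_params() {
    cat <<EOF
name=$JAIL_NAME
path=$JAIL_ROOT
host.hostname=$JAIL_NAME.local
ip4=disable
ip6=disable
allow.raw_sockets=0
allow.socket_af=0
allow.sysvipc=0
allow.mount=0
allow.chflags=0
allow.set_hostname=0
enforce_statfs=2
securelevel=3
children.max=0
mount.devfs
devfs_ruleset=4
EOF
}

# rctl(8) rules keyed on the jail: caps on processes, memory, open files,
# wall-clock and CPU time. Limits are illustrative, not tuned.
rctl_rules() {
    cat <<EOF
jail:$JAIL_NAME:maxproc:deny=256
jail:$JAIL_NAME:memoryuse:deny=4g
jail:$JAIL_NAME:openfiles:deny=16384
jail:$JAIL_NAME:wallclock:sigterm=7200
jail:$JAIL_NAME:cputime:sigkill=3600
EOF
}

# Make exactly the input closure visible inside the jail, read-only.
# Each argument is a host path (e.g. a store path); it is mirrored at the
# same path below the jail root.
mount_closure() {
    for p in "$@"; do
        mkdir -p "$JAIL_ROOT$p"
        mount -t nullfs -o ro "$p" "$JAIL_ROOT$p"
    done
}

umount_closure() {
    for p in "$@"; do
        umount "$JAIL_ROOT$p"
    done
}

# Create the jail, attach limits, run one command as the unprivileged
# in-jail user, then tear everything down. Returns the build's exit status.
run_build() {
    # jail(8) caveat from the man page: the jail root must not be reachable
    # by unprivileged host users. Locking the parent directory achieves that
    # without breaking path lookup on "/" inside the jail.
    chown root:wheel "$(dirname "$JAIL_ROOT")"
    chmod 0700 "$(dirname "$JAIL_ROOT")"
    # shellcheck disable=SC2046  (word splitting of the parameter list is intended)
    jail -c $(jail_hardening_params | tr '\n' ' ') persist || return 1
    rctl_rules | while read -r rule; do rctl -a "$rule"; done
    jexec -U "$JAIL_USER" "$JAIL_NAME" /bin/sh -c "$1"
    status=$?
    rctl -r "jail:$JAIL_NAME"
    jail -r "$JAIL_NAME"
    return $status
}

# usage: sandbox.sh '<command inside jail>' /path/to/closure/entry ...
main() {
    cmd=$1; shift
    mount_closure "$@"
    run_build "$cmd"
    status=$?
    umount_closure "$@"
    return $status
}

# Only do the real thing as root on FreeBSD; elsewhere the functions above
# can be inspected or tested without side effects.
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ] && [ $# -ge 1 ]; then
    main "$@"
fi
```

This covers "no network", "host files limited to the input closure" and "not privileged inside the jail"; it does not address the two exclusions the comment makes explicitly (kernel exploits and denial of service beyond what rctl caps). rctl rules are silently inert unless `kern.racct.enable=1` is set in loader.conf, so check `rctl -l jail:nixbuild` after creation rather than trusting the script.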
