=>  Releases

Stable: 1.3.7
for kernels:

  • 2.4.36
  • 2.6.23.14

Devel 1.4: 1.4.0-rc3
for kernels:

  • 2.4.36.9
  • 2.6.27.5

Full RSBAC kernels
Lazy of patching ? Get the already rsbac-patched kernel. Choose your flavor.

Classic kernels
Includes vanilla kernel with the RSBAC patch

  • 2.6.23.14
  • 2.4.35.3

Enhanced kernels
Kernels including latest security fixes, goodies, and of course PaX+RSBAC

  • 2.6.23.15 (20080217)
  • 2.4.36 (20080217)

Debian repository
Also works for Ubuntu and other Debian-based distributions, of course

SVN
Cutting edge RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Back to igraltist's experiences

run-jail

run-jail is a python-script. Two files are nessesary to using it.

syntax for configfile

; example daemon
; date 0.0.0000
; testet by 
""
""
()
()
()
()

explanation the syntax

The jailconfigurationfile is seperated in 6 categories. 

This two "" lines are 
1."" chroot path
2."0.0.0.0" IP addresss

Explanation to point 2. 

Is possible to set "auto", "interface", "ip-address" or ""
"auto":
  If auto is set then its looks with /sbin/route for default UG and take this interface
  and from this interface its take the ip-address. 
  When not found a default UG, then its set the ip-address from localhost.
"interface":
  If interface is set, then its set the ip-address from /sbin/ifconfig interface.
"ip-address":
  If ip-address is set, its valid the ip-address and set it. 
  If the ip-address is not associated with an interface, then rsbac-jail throws an exception.
"":
  If "" empty string is given is set it to 0.0.0.0 and this means ignore IP.
This categories () stand for
3.() => jail_flags
4.() => cap_max
5.() => scd GET_STATUS_DATA
6.() => scd MODIFY_SYSTEM_DATA
The values for this categories from points 3-6. are must seperate through a newline!
Example:
 (allow-all-net-family
  allow-external-ipc
  allow-dev-read
  auto-adjust-ip-address)
 
 (allow-all-net-family
  
   allow-external-ipc
  allow-dev-read
  
  auto-adjust-ip-address
 )  
  
 (
  allow-all-net-family
       allow-external-ipc
     allow-dev-read
           auto-adjust-ip-address
 )

prepear to use run-jail

Three important necessary preparations should do.

  1. Configure the Jail support.
  2. Include RSBAC Debug support 1)
  3. Enable debugging Jail while runtime 2)

I have placed all configurationfiles under ‘/etc/rsbac/jail/’. I took it from other old adamantix-system.

For simple remebering I do 

ln -s /path_to/run-jail.py to /bin/run-jail

To get away this message, this is printed more times, and is not really needed, do: 

<6>0000000131|rsbac_adf_request(): request GET_STATUS_DATA, pid 1586, ppid 1585, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, target_type PROCESS, tid 1585, attr none, value none, result NOT_GRANTED by JAIL
 switch_adf_log GET_STATUS_DATA PROCESS 0

Usage run-jail

  usage: run-jail jail-config-name cmd ...

example for init scripts

  run-jail postfix /usr/sbin/postfix start
 
  run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd \
		-- -t -s -d -p /var/run/pdnsd.pid ${PDNSDCONFIG}

example for pdnsd

pdnsd-jail-config 

;
; RSBAC JAIL definition for pdnsd
; 20081407
;
; Tested by:
; Jens Kasten (igraltist) on gentoo
;
 
""
"0.0.0.0"
(allow-dev-read
 allow-dev-write
 allow-inet-raw
 allow-ipc-syslog
 allow-ipc-parent)
(setgid
 setuid
 net-bind-service
 net-raw
 sys-ptrace
 sys-resource)
(sysctl)
(rlimit
 priority)

Restart the service. 

/etc/init.d/pdnsd restart
 
This is execute now:
rsbac_jail  -d -D -r -y -P -C  SETGID SETUID NET_BIND_SERVICE NET_RAW SYS_PTRACE SYS_RESOURCE -G  sysctl -M  rlimit priority start-stop-daemon  --start --quiet --exec /usr/sbin/pdnsd -- -t -s -d -p /var/run/pdnsd.pid

explanation howto get values for the jail-config

As security user do a: 

cat /proc/rsbac-info/rmsg

See on jail-explain-message.

Jail-Configurations files

This policies are tested and working so far.



Jail-Wrapper

If you want for example ‘ping’ or ‘wget’ jailed too, then simply do 

mkdir /a_bin /a_sbin

and modify the ‘/etc/profile’. 

--- profile_org	2008-07-14 06:00:39.000000000 +0200
+++ profile	2008-07-14 06:11:30.000000000 +0200
@@ -22,9 +22,9 @@
 # This way the evaluation can be short-circuited and calling whoami is
 # avoided.
 if [ "$EUID" = "0" ] || [ "$USER" = "root" ] ; then
-	PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${ROOTPATH}"
+	PATH="/a_bin:/a_sbin:/usr/local/kvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${ROOTPATH}"
 else
-	PATH="/usr/local/bin:/usr/bin:/bin:${PATH}"
+	PATH="/a_bin:/usr/local/bin:/usr/bin:/abin:${PATH}"
 fi
 export PATH
 unset ROOTPATH

For updating the Path do: 

source /etc/profile

The linux searchpathorder is in ABC order. So when a directory starts with ‘a_’, this will be always the first for look request. I take the example ‘ping’.

Simply create a file ‘/a_bin/jail_wrapper’ with this content. 

#!/bin/bash
PATH=/bin:/usr/bin:/usr/local/bin
name=$(echo $0 | sed -e 's/\(\/a_bin\/\)\([a-z,A-Z]\+$\)/\2/')
run-jail ${name} ${name} ${@}
chmod +x /a_bin/jail_wrapper
cd /a_bin
ln -s  jail_wrapper ping

Thats all. Now in the directory ‘/etc/rsbac/jail’, have to the ping-jailconfig exists.

When this wrapper should not work anymore then simple undo the ‘/etc/profile’ or move the ‘/a_bin’ to ‘/z_bin’. Then the original /bin/ping would be executed, without rsbac_jail again.

Top

1) RSBAC → General Options → RSBAC-Debugging
2) echo debug_adf_jail 1 > /proc/rsbac-info/debug
 

wiki/experiences/igraltist/run-jail.txt · Last modified: 2008/09/27 16:57 by 79.210.124.133
This website is kindly hosted by m-privacy