[[wiki:experiences/igraltist#JAIL|Back to igraltist's experiences/JAIL]]\\
====== run-jail ======
Iam using my own tool to manage the RSBAC JAIL.
See the [[http://hg.kasten-edv.de/rsbac-tools/file| mericurial repository]].
===== Prepearation =====
Three important necessary preparations are have to be done.
* Enable jail support in the kernel.
* Enable RSBAC Debug support (RSBAC ---> General Options ---> [*]RSBAC-Debugging), needed for developing the jail polices.
* Enable debugging jail while runtime (echo debug_adf_jail 1 > /proc/rsbac-info/debug) or with kernel boot paramater (rsbac_adf_jail).
===== Installation =====
You can checkout it via mercurial and install it with
hg checkout http://hg.kasten-edv.de/rsbac-tools
or downloaded with the webbrowser.
Then run:
python setup.py install
No more futher system modification are nessessary.
===== Syntax for jail configuration file =====
All jail configuration files are place in directory '/etc/rsbac/jail'.
Now a python script offer to write a new empty jail definition.\\
Maybe the name will change in future from this script to create-jail-config.\\
Just call:
create-jail -c my_config
Or the old way be copy paste:\\
Probably the best way to develop a new jail definition file is to start with an empty file like:
;
; Empty JAIL definition file
; 20060425
;
""
"0.0.0.0"
()
()
()
()
And then to try to start the program. After this attempt, check the security log file (/security/log/security-log) for entries related to the program you just started. Edit the JAIL definition accordingly. And try again.
Known issues
The file format is fixed. The order in which the elements are expected is fixed too. In other words, the quotes and parentheses must be used. Trying to load a file with a different format or will result in a read exception.
A JAIL file consists of six elements. These must appear in the file in the order in which they are specified here. And they must have the correct type. Comments can be added anywhere, they start with a semi-colon (;) and end at the end of the line. The JAIL file elements are:
To learn how to interpret the log messages to develop a jail policy see [[wiki:experiences/igraltist/run-jail/explain-jail-message|explain-jail-message]].
===== Explainaton of the syntax =====
The jail configuration file is split in six categories.
- "" chroot path
- "0.0.0.0" IP addresss
- () Jail flags
- () Jail capabilities
- () read System Control Data
- () modify System Control Data
\\
All jail parameters below based on rsbac 1.4.5.
**1.** This string specifies the optional chroot path. Since it is a string, it must be enclosed in double quotes (i.e. “). The empty string (i.e. ““) should be used when no chroot should be performed.
**2.** It is possible to use "interface", "ip-address" or ""
| ^Description^
|"interface"|The interface it must be a valid name something line eth0. If interface is used, then is taken the ip-address from /sbin/ifconfig interface.|
|"ip-address"|When the ip-address is be used it must be a valid the ip-address. If the ip-address not associated with an interface, then rsbac-jail throws an exception.|
|""|If an empty string is given is set it to 0.0.0.0 and this means ignore IP.|
\\
**3.** Each JAIL has a number of rights which can be configured when the JAIL is created.
^jail flags^Explanation^RSBAC cmdline^
|auto-adjust-ip-address|Automatically adjust the INET any address 0.0.0.0 to the jail address, if set.|-a|
|allow-all-net-family|Allow all network families, not only IPv4.|-n|
|allow-dev-get-status|Allow GET_STATUS_DATA requests on devices.|-e|
|allow-dev-mod-system|Allow MODIFY_SYSTEM_DATA requests.|-E|
|allow-dev-read|Allow read access on devices.|-d|
|allow-dev-write|Allow write access on devices.|-D|
|allow-external-ipc|Allow access to IPC and UNIX domain sockets outside this jail.|-i|
|allow-inet-localhost|Additionally allow to/from remote IPv4 localhost, that is, address 127.0.0.1|-o|
|allow-inet-raw|Allow IPv4 raw sockets (e.g. for ping and traceroute)|-r|
|allow-ipc-parent|Allow access to the parent jail.|-P|
|allow-ipc-syslog|Allow to use the char device from syslog|-y|
|allow-mount|Allow mount/umount devices|-u|
|allow-netlink|Allow NETLINK as network family|-K|
|allow-suid|Allow setuid|-s|
|allow-tty-open|Allow to open tty devices.|-t|
|private-namespace|Process to include into private names pace.|-N|
|this-is-syslog|Needing if the jail is for syslog daemon|-Y|
|virtual-user|Use virtual user set.|-V|
|verbose|Verbose output|-v|
\\
**4.** Allow to configure jail capabilities.
^jail capabilities^Explanation^RSBAC cmdline^
|audit-control|To be written.|AUDIT_CONTROL|
|audit-write|To be written.|AUDIT_WRITE|
|chown|To be written.|CHOWN|
|dac-override|To be written.|DAC_OVERRIDE|
|dac-read-search|To be written.|DAC_READ_SEARCH|
|fowner|To be written.|FOWNER|
|fsetid|To be written.|FSETID|
|ipc-lock|To be written.|IPC_LOCK|
|ipc-owner|To be written.|IPC_OWNER|
|kill|To be written.|KILL|
|lease|To be written.|LEASE|
|linux-immutable|To be written.|LINUX_IMMUTABLE|
|mknod|To be written.|MKNODE|
|net-admin|To be written.|NET_ADMIN|
|net-bind-service| Allow to bind a service to a privileged port.|NET_BIND_SERVICE|
|net-broadcast|To be written.|NET_BROADCAST|
|net-raw|To be written.|NET_RAW|
|setgid|To be written.|SETGID|
|setuid|To be written.|SETUID|
|setfcap|To be written.|SETFCAP|
|setpcap|To be written.|SETPCAP|
|sys-admin|To be written.|SYS_ADMIN|
|sys-boot|To be written.|SYS_BOOT|
|sys-chroot|To be written.|SYS_CHROOT|
|sys-module|To be written.|SYS_MODULE|
|sys-nice|To be written.|SYS_NICE|
|sys-rawio|To be written.|SYS_RAWIO|
|sys-pacct|To be written.|SYS_PACCT|
|sys-ptrace|To be written.|SYS_PTRACE|
|sys-resource|To be written.|SYS_RESOURCE|
|sys-time|To be written.|SYS_TIME|
|sys-tty-config|To be written.|SYS_TTY_CONFIG|
\\
**5.** SCD is short for System Control Data. Each SCD target refers to a global system object, such as the system clock, the packet filter rules, the hostname, etc. These objects can be protected too by RSBAC by setting access rights to their corresponding SCD targets. Adding an SCD target to this list will grant read permissions. E.g. if you add clock to the list, the program is allowed to read the system clock.
^jail scd^Explanation^RSBAC cmdline^
|capability|Change Linux capabilities|capability|
|clock|System time and date|clock|
|firewall|Firewall settings, packet filter etc.|firewall|
|host-id|Host name|host_id|
|ioports|Access Control for direct hardware access|ioports|
|kexec|To be written.|kexec|
|kmem|Direct access to kernel memory via proc or device|kmem|
|ksyms|Kernel symbols|ksyms|
|mlock|Memory locking|mlock|
|net-id|Domain name|net_id|
|network|To be written.|network|
|nfsd|Kernel NFS server administration|nfsd|
|other|Any other SCD not specified separately|other|
|priority|Set scheduler priority (nice value)|priority|
|rlimit|Setting process ressource limits|rlimit|
|rsbac|RSBAC data in /proc|rsbac|
|rsbac-log|RSBAC own log|rsbac-log|
|rsbac-remote-log|Settings for RSBAC remote logging|rsbac_remote_log|
|sysctl|Administrate through sysctl|sysctl|
|sysfs|Administrate through sysfs|sysfs|
|syslog|System log|syslog|
|swap|Control of swapping|swap|
|time-strucs|System timer|time_strucs|
|quota|Quota administration|quota|
|videomem|Allow direct access to video memory|videomem|
\\
**6.** The same as the one above on point 5., except that modify rights are granted instead of read rights.
\\
A fully working example :
;
; RSBAC JAIL definition for apache
; 20060419
;
; Tested by:
; Fuleki Miklos (RAk)
; Peter Busser (peter)
;
""
"0.0.0.0"
(allow-dev-read
allow-dev-write
allow-external-ipc)
(setgid
setuid
net-bind-service
kill)
(sysctl)
(rlimit)
The above example does not run the application in a chroot. It is not restricted to any particular nework interface. And it allows reads and writes to devices, as well as other network protocols than IPv4. The program is allowed to perform setuid(), setgid(), open low network ports (net-bind-service capability) and to send signals to processes which owned by other users (kill capability).Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits.
===== Usage =====
You can run it on command line
usage: run-jail jail-config-name cmd ...
or in the init.d file.
As example use the postfix init script. Modify it like below:
run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd -- -t -s -d -p /var/run/pdnsd.pid ${PDNSDCONFIG}
Then stop and start the service again.
Or just use ping on cmdline:
(the optional parameter --show display the full translated command)
run-jail ping ping heise.de -t 3 --show
FIXME: substitute numeric values into human readable names from ps-jail
In rsbac-tools there is a tool ps-jail which display processes are in a jail.
ps-jail -h
Or do a:
cat /proc/rsbac-info/jails
===== Jail-Configurations files =====
This policies are tested and working so far.
* [[http://hg.kasten-edv.de/rsbac-tools/file/tip/cfg/jail|Example configurations for run-jail]]
===== Optional =====
To turn off that message below this is not really needed:
<6>0000000131|rsbac_adf_request(): request GET_STATUS_DATA, pid 1586, ppid 1585, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, target_type PROCESS, tid 1585, attr none, value none, result NOT_GRANTED by JAIL
Do as security user:
switch_adf_log GET_STATUS_DATA PROCESS 0
====== Jailed local programs for lazy people =====
For example, if you want jailed 'ping' or 'wget' automatic, this does not prevent a using the absolute path.
The idea behind is simple add a new path to the environ variable PATH and put it on first place.
For this do:
mkdir /usr/local/jails
The profile must will modified, so that directory /usr/local/jails is the first search path.
For example it can looks like
if [ "$EUID" = "0" ] || [ "$USER" = "root" ] ; then
PATH="/usr/local/jails:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${ROOTPATH}"
else
PATH="/use/local/jails:/usr/local/bin:/usr/bin:/bin:${PATH}"
fi
Updating profile:
source /etc/profile
Now the '/usr/local/jails' directory in the first place to search for an executable file.
Note: The directory '/usr/local/jails' and 'run-jail' is hardcoded in run-jail script.
As example for how to use it, i take 'ping'.
create-jail -p ping
Thats all.\\
Test it with
ping heise.de --show
Output should be similar like:
/usr/bin/rsbac_jail -I 0.0.0.0 -r /bin/ping heise.de
The jail configuration file 'ping' must be exists but usally is shipped with the rsbac-tools.
When this wrapper has no need anymore then simple undo the '/etc/profile' modification and remove the '/usr/local/jails' directory.
[[wiki:experiences/igraltist/run-jail#run-jail|Top]]\\