
run-jail

Preparation

Three important preparations have to be done:

  • Enable jail support in the kernel.
  • Enable RSBAC debug support (RSBAC -> General Options -> [*] RSBAC-Debugging); it is needed for developing the jail policies.
  • Enable jail debugging at runtime (echo debug_adf_jail 1 > /proc/rsbac-info/debug) or with the kernel boot parameter rsbac_debug_adf_jail.

Installation

You can check it out via Mercurial with

<code bash>
hg clone http://hg.kasten-edv.de/rsbac-tools
</code>

or download it with the web browser. Then run:

<code bash>
python setup.py install
</code>

No further system modifications are necessary.

Syntax for jail configuration file

All jail configuration files are placed in the directory '/etc/rsbac/jail'.

A Python script now offers to write a new, empty jail definition. The name of this script may change in the future to create-jail-config. Just call:

<code bash>
create-jail -c my_config
</code>

Or, the old way, by copy and paste: probably the best way to develop a new jail definition file is to start with an empty file like:

<code bash>
;
; Empty JAIL definition file
; 20060425
;
""
"0.0.0.0"
()
()
()
()
</code>

Then try to start the program. After this attempt, check the security log file (/security/log/security-log) for entries related to the program you just started. Edit the JAIL definition accordingly and try again.

Known issues

The file format is fixed. The order in which the elements are expected is fixed too. In other words, the quotes and parentheses must be used. Trying to load a file with a different format will result in a read exception.

A JAIL file consists of six elements. These must appear in the file in the order in which they are specified here, and they must have the correct type. Comments can be added anywhere; they start with a semicolon (;) and end at the end of the line.

To learn how to interpret the log messages to develop a jail policy, see explain-jail-message.

===== Explanation of the syntax =====

The jail configuration file is split into six categories:

  - "" chroot path
  - "0.0.0.0" IP address
  - () Jail flags
  - () Jail capabilities
  - () read System Control Data
  - () modify System Control Data
All jail parameters below are based on rsbac 1.4.5.

1. This string specifies the optional chroot path. Since it is a string, it must be enclosed in double quotes ("). The empty string ("") should be used when no chroot should be performed.

2. It is possible to use "interface", "ip-address" or "":

^ Value ^ Description ^
| "interface" | The interface must be a valid name such as eth0. If an interface is given, the IP address is taken from /sbin/ifconfig interface. |
| "ip-address" | When an IP address is used it must be valid. If the IP address is not associated with an interface, rsbac-jail throws an exception. |
| "" | If an empty string is given it is set to 0.0.0.0, which means ignore IP. |
3. Each JAIL has a number of rights which can be configured when the JAIL is created.

^ Jail flag ^ Explanation ^ RSBAC cmdline ^
| auto-adjust-ip-address | Automatically adjust the INET any address 0.0.0.0 to the jail address, if set. | -a |
| allow-all-net-family | Allow all network families, not only IPv4. | -n |
| allow-dev-get-status | Allow GET_STATUS_DATA requests on devices. | -e |
| allow-dev-mod-system | Allow MODIFY_SYSTEM_DATA requests. | -E |
| allow-dev-read | Allow read access on devices. | -d |
| allow-dev-write | Allow write access on devices. | -D |
| allow-external-ipc | Allow access to IPC and UNIX domain sockets outside this jail. | -i |
| allow-inet-localhost | Additionally allow to/from remote IPv4 localhost, that is, address 127.0.0.1. | -o |
| allow-inet-raw | Allow IPv4 raw sockets (e.g. for ping and traceroute). | -r |
| allow-ipc-parent | Allow access to the parent jail. | -P |
| allow-ipc-syslog | Allow use of the syslog character device. | -y |
| allow-mount | Allow mount/umount of devices. | -u |
| allow-netlink | Allow NETLINK as network family. | -K |
| allow-suid | Allow setuid. | -s |
| allow-tty-open | Allow opening tty devices. | -t |
| private-namespace | Put the process into a private namespace. | -N |
| this-is-syslog | Needed if the jail is for the syslog daemon. | -Y |
| virtual-user | Use a virtual user set. | -V |
| verbose | Verbose output. | -v |
| debug | Optional; add debug to obtain only the output. This is not an rsbac_jail parameter. | |
4. Allows to configure jail capabilities. The descriptions follow capabilities(7); the RSBAC cmdline column gives the name rsbac_jail expects.

^ Jail capability ^ Explanation ^ RSBAC cmdline ^
| audit-control | Enable and disable kernel auditing; change auditing filter rules. | AUDIT_CONTROL |
| audit-write | Write records to the kernel auditing log. | AUDIT_WRITE |
| chown | Make arbitrary changes to file UIDs and GIDs. | CHOWN |
| dac-override | Bypass file read, write and execute permission checks. | DAC_OVERRIDE |
| dac-read-search | Bypass file read permission checks and directory read and execute permission checks. | DAC_READ_SEARCH |
| fowner | Bypass permission checks on operations that normally require the process UID to match the file owner (e.g. chmod, utime). | FOWNER |
| fsetid | Do not clear the set-user-ID and set-group-ID bits when a file is modified. | FSETID |
| ipc-lock | Lock memory (mlock, mlockall, shmctl SHM_LOCK). | IPC_LOCK |
| ipc-owner | Bypass permission checks for operations on System V IPC objects. | IPC_OWNER |
| kill | Bypass permission checks for sending signals. | KILL |
| lease | Establish leases on arbitrary files. | LEASE |
| linux-immutable | Set the immutable and append-only inode flags. | LINUX_IMMUTABLE |
| mknod | Create special files using mknod. | MKNOD |
| net-admin | Perform network administration (interface configuration, routing tables, firewall rules, ...). | NET_ADMIN |
| net-bind-service | Allow to bind a service to a privileged port. | NET_BIND_SERVICE |
| net-broadcast | Make socket broadcasts and listen to multicasts. | NET_BROADCAST |
| net-raw | Use RAW and PACKET sockets. | NET_RAW |
| setgid | Make arbitrary manipulations of process GIDs and the supplementary group list. | SETGID |
| setuid | Make arbitrary manipulations of process UIDs. | SETUID |
| setfcap | Set file capabilities. | SETFCAP |
| setpcap | Transfer or remove capabilities in the process capability sets. | SETPCAP |
| sys-admin | Broad system administration (mount, swapon, quotactl, sethostname, ...). | SYS_ADMIN |
| sys-boot | Use reboot() and kexec_load(). | SYS_BOOT |
| sys-chroot | Use chroot(). | SYS_CHROOT |
| sys-module | Load and unload kernel modules. | SYS_MODULE |
| sys-nice | Raise the process nice value and change scheduling policy and priority. | SYS_NICE |
| sys-rawio | Perform I/O port operations and access /dev/mem and /dev/kmem. | SYS_RAWIO |
| sys-pacct | Use acct() to switch process accounting. | SYS_PACCT |
| sys-ptrace | Trace arbitrary processes using ptrace. | SYS_PTRACE |
| sys-resource | Override resource limits and disk quota limits. | SYS_RESOURCE |
| sys-time | Set the system clock. | SYS_TIME |
| sys-tty-config | Use vhangup() and employ privileged tty ioctls. | SYS_TTY_CONFIG |
5. SCD is short for System Control Data. Each SCD target refers to a global system object, such as the system clock, the packet filter rules, the hostname, etc. These objects can also be protected by RSBAC by setting access rights on their corresponding SCD targets. Adding an SCD target to this list grants read permission. E.g. if you add clock to the list, the program is allowed to read the system clock.

^ Jail SCD ^ Explanation ^ RSBAC cmdline ^
| capability | Change Linux capabilities | capability |
| clock | System time and date | clock |
| firewall | Firewall settings, packet filter etc. | firewall |
| host-id | Host name | host_id |
| ioports | Access control for direct hardware access | ioports |
| kexec | To be written. | kexec |
| kmem | Direct access to kernel memory via proc or device | kmem |
| ksyms | Kernel symbols | ksyms |
| mlock | Memory locking | mlock |
| net-id | Domain name | net_id |
| network | To be written. | network |
| nfsd | Kernel NFS server administration | nfsd |
| other | Any other SCD not specified separately | other |
| priority | Set scheduler priority (nice value) | priority |
| rlimit | Setting process resource limits | rlimit |
| rsbac | RSBAC data in /proc | rsbac |
| rsbac-log | RSBAC's own log | rsbac_log |
| rsbac-remote-log | Settings for RSBAC remote logging | rsbac_remote_log |
| sysctl | Administrate through sysctl | sysctl |
| sysfs | Administrate through sysfs | sysfs |
| syslog | System log | syslog |
| swap | Control of swapping | swap |
| time-strucs | System timer | time_strucs |
| quota | Quota administration | quota |
| videomem | Allow direct access to video memory | videomem |

6. The same as point 5 above, except that modify rights are granted instead of read rights.
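The six-element format above is easy to get subtly wrong (an element missing, a list out of place, a misspelled flag), and the only feedback the loader gives is a read exception. The following parser is an added example, not code from run-jail or rsbac-tools: it strips ';' comments, checks that exactly two quoted strings are followed by four () lists, rejects any flag, capability or SCD name that does not appear in the tables above, and maps the flags to the rsbac_jail switches from the flags table. The function names, the decision to reject unknown names, and the use of the page's apache definition as sample input are assumptions of this example.

```python
"""Parser and validator for the six-element RSBAC JAIL definition format.

Added example; this is not code from run-jail or rsbac-tools. Assumptions
(not from the page): the function names, the decision that an unknown flag,
capability or SCD name is rejected, and the mapping of flags to the
rsbac_jail switches listed in the flags table.
"""
import re

# Jail flag -> rsbac_jail switch, from the flags table on this page.
FLAG_SWITCHES = {
    "auto-adjust-ip-address": "-a", "allow-all-net-family": "-n",
    "allow-dev-get-status": "-e", "allow-dev-mod-system": "-E",
    "allow-dev-read": "-d", "allow-dev-write": "-D",
    "allow-external-ipc": "-i", "allow-inet-localhost": "-o",
    "allow-inet-raw": "-r", "allow-ipc-parent": "-P",
    "allow-ipc-syslog": "-y", "allow-mount": "-u", "allow-netlink": "-K",
    "allow-suid": "-s", "allow-tty-open": "-t", "private-namespace": "-N",
    "this-is-syslog": "-Y", "virtual-user": "-V", "verbose": "-v",
    "debug": None,  # consumed by run-jail itself, not an rsbac_jail switch
}
# Names accepted in elements 4 (capabilities), 5 and 6 (SCD targets).
CAPABILITIES = frozenset("""
    audit-control audit-write chown dac-override dac-read-search fowner fsetid
    ipc-lock ipc-owner kill lease linux-immutable mknod net-admin
    net-bind-service net-broadcast net-raw setgid setuid setfcap setpcap
    sys-admin sys-boot sys-chroot sys-module sys-nice sys-rawio sys-pacct
    sys-ptrace sys-resource sys-time sys-tty-config
""".split())
SCD_TARGETS = frozenset("""
    capability clock firewall host-id ioports kexec kmem ksyms mlock net-id
    network nfsd other priority rlimit rsbac rsbac-log rsbac-remote-log sysctl
    sysfs syslog swap time-strucs quota videomem
""".split())

# One element: a double-quoted string or a parenthesised word list.
_ELEMENT = re.compile(r'"([^"]*)"|\(([^()]*)\)')


def strip_comments(text):
    """Drop ';' comments; they may start anywhere and run to end of line."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_jail_file(text):
    """Parse a JAIL definition into a dict.

    Raises ValueError unless the file is exactly two quoted strings followed
    by four () lists, with every list entry taken from the tables above.
    """
    body = strip_comments(text)
    elements, pos = [], 0
    for m in _ELEMENT.finditer(body):
        if body[pos:m.start()].strip():          # bare words between elements
            raise ValueError("unexpected text %r" % body[pos:m.start()].strip())
        if m.group(1) is not None:
            elements.append(("str", m.group(1)))
        else:
            elements.append(("list", m.group(2).split()))
        pos = m.end()
    if body[pos:].strip():
        raise ValueError("unexpected trailing text %r" % body[pos:].strip())
    kinds = [k for k, _ in elements]
    if kinds != ["str", "str", "list", "list", "list", "list"]:
        raise ValueError("expected 2 strings then 4 lists, got %s" % kinds)
    chroot, ip = elements[0][1], elements[1][1]
    flags, caps, scd_read, scd_modify = (v for _, v in elements[2:])
    for what, allowed, names in (("flag", FLAG_SWITCHES, flags),
                                 ("capability", CAPABILITIES, caps),
                                 ("SCD", SCD_TARGETS, scd_read),
                                 ("SCD", SCD_TARGETS, scd_modify)):
        unknown = sorted(set(names) - set(allowed))
        if unknown:
            raise ValueError("unknown %s name(s): %s" % (what, " ".join(unknown)))
    # An empty address string means 0.0.0.0, i.e. ignore the IP (element 2).
    return {"chroot": chroot, "ip": ip or "0.0.0.0", "flags": flags,
            "caps": caps, "scd_read": scd_read, "scd_modify": scd_modify}


def flag_switches(cfg):
    """rsbac_jail switches for the flags of a parsed config, in file order."""
    return [FLAG_SWITCHES[f] for f in cfg["flags"] if FLAG_SWITCHES[f]]


# Sample input: the apache definition given on this page.
APACHE_JAIL = """
;
; RSBAC JAIL definition for apache
; 20060419
;
""
"0.0.0.0"
(allow-dev-read allow-dev-write allow-external-ipc)
(setgid setuid net-bind-service kill)
(sysctl)
(rlimit)
"""

if __name__ == "__main__":
    cfg = parse_jail_file(APACHE_JAIL)
    print(cfg)
    print("rsbac_jail", " ".join(flag_switches(cfg)))
```

Running the block prints the parsed apache definition and the switches -d -D -i for its three flags. Feeding it a file with five elements, a bare word outside the parentheses, or a misspelled flag raises ValueError with the offending name, which is the message the stock loader's read exception does not give you.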
A fully working example:

<code bash>
;
; RSBAC JAIL definition for apache
; 20060419
;
; Tested by:
; Fuleki Miklos (RAk)
; Peter Busser (peter)
;
""
"0.0.0.0"
(allow-dev-read allow-dev-write allow-external-ipc)
(setgid setuid net-bind-service kill)
(sysctl)
(rlimit)
</code>

The above example does not run the application in a chroot, and it is not restricted to any particular network interface. It allows reads and writes to devices (allow-dev-read, allow-dev-write) and access to IPC and UNIX domain sockets outside the jail (allow-external-ipc); since allow-all-net-family is not set, only IPv4 is permitted. The program is allowed to perform setuid() and setgid(), to open low network ports (net-bind-service capability) and to send signals to processes owned by other users (kill capability). Furthermore it is allowed to read sysctl data and to modify (i.e. set) process resource limits.

===== Usage =====

You can run it on the command line:

<code bash>
usage: run-jail jail-config-name cmd ...
</code>

or from an init.d script. As an example, the pdnsd init script is modified like this:

<code bash>
run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd -- -t -s -d -p /var/run/pdnsd.pid ${PDNSDCONFIG}
</code>

Then stop and start the service again.

FIXME: substitute numeric values with human readable names in ps-jail

rsbac-tools contains a tool ps-jail which displays the processes that are in a jail. Alternatively:

<code bash>
cat /proc/rsbac-info/jails
</code>

===== Jail-Configurations files =====

These policies are tested and working so far.
  * Setup for apache2
  * Setup for apcupsd
  * Setup for cron
  * Setup for dbus
  * Setup for ddclient
  * Setup for dhcpd
  * Setup for dmeventd
  * Setup for hald
  * Setup for ntpd
  * Setup for pdnsd
  * Setup for ping
  * Setup for portmap
  * Setup for postfix
  * Setup for powernowd
  * Setup for rklogd
  * Setup for rsync
  * Setup for samba
  * Setup for squid
  * Setup for syslogd
  * Setup for syslog-ng
  * Setup for wget
  * Setup for vixie-cron

===== Optional =====

The following message is not really needed:

<code bash>
<6>0000000131|rsbac_adf_request(): request GET_STATUS_DATA, pid 1586, ppid 1585, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, target_type PROCESS, tid 1585, attr none, value none, result NOT_GRANTED by JAIL
</code>

To turn it off, run as the security user:

<code bash>
switch_adf_log GET_STATUS_DATA PROCESS 0
</code>

For example, if you want 'ping' or 'wget' to be jailed automatically, do the following:

<code bash>
mkdir /usr/local/jails
</code>

The profile must be modified so that 'bash' searches the jails directory first. Therefore the new jails directory is inserted at the beginning of PATH. For example it can look like:

<code bash>
if [ "$EUID" = "0" ] || [ "$USER" = "root" ] ; then
    PATH="/usr/local/jails:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${ROOTPATH}"
else
    PATH="/usr/local/jails:/usr/local/bin:/usr/bin:/bin:${PATH}"
fi
</code>

To update the path execute:

<code bash>
source /etc/profile
</code>

Now the 'jails' directory is the first place searched for a binary. Note: the directory '/usr/local/jails' and 'run-jail' are hardcoded in the run-jail script. As an example of how to use it, take 'ping':

<code bash>
ln -sf /bin/ping /usr/local/jails/ping
</code>

That's all. The jail configuration file 'ping' must exist. When this wrapper is not needed anymore, simply undo the '/etc/profile' modification and remove the 'jails' directory.
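The develop-by-denial loop described in the syntax section (start the program, read the security log, edit the JAIL file, repeat) and the rsbac_adf_request() line shown just above both hinge on reading NOT_GRANTED by JAIL entries correctly. The script below is an added example, not part of run-jail, rsbac-tools or explain-jail-message: it parses lines in the format of that log entry, counts the (request, target type, tid) triples that JAIL denied for one program, and maps the combinations the tables on this page describe directly (SCD targets, device requests, the GET_STATUS_DATA-on-PROCESS noise) to the JAIL file element or flag they point at. The function names, the hint table, and the sample lines in SAMPLE_LOG are assumptions; the sample lines are constructed to follow the format of the single line shown on this page and are not real log output.

```python
"""Triage of RSBAC security-log lines while developing a jail policy.

Added example; not part of run-jail, rsbac-tools or explain-jail-message.
Assumptions (not from the page): the function names, the hint() table, and
the lines in SAMPLE_LOG, which are constructed to follow the format of the
single rsbac_adf_request() line shown on this page.
"""
import re
from collections import Counter

_LINE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\S+), pid (?P<pid>\d+), "
    r"ppid (?P<ppid>\d+), prog_name (?P<prog_name>\S+), "
    r"prog_file (?P<prog_file>\S+), uid (?P<uid>\d+), "
    r"target_type (?P<target_type>\S+), tid (?P<tid>.*?), attr (?P<attr>\S+), "
    r"value (?P<value>\S+), result (?P<result>\S+)(?: by (?P<module>\S+))?"
)

# Constructed sample: what the log might show after starting pdnsd under an
# empty JAIL definition. Only the first line is taken from this page.
SAMPLE_LOG = """\
<6>0000000131|rsbac_adf_request(): request GET_STATUS_DATA, pid 1586, ppid 1585, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, target_type PROCESS, tid 1585, attr none, value none, result NOT_GRANTED by JAIL
<6>0000000132|rsbac_adf_request(): request GET_STATUS_DATA, pid 1590, ppid 1586, prog_name pdnsd, prog_file /usr/sbin/pdnsd, uid 0, target_type DEV, tid 1:3, attr none, value none, result NOT_GRANTED by JAIL
<6>0000000133|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 1590, ppid 1586, prog_name pdnsd, prog_file /usr/sbin/pdnsd, uid 0, target_type SCD, tid rlimit, attr none, value none, result NOT_GRANTED by JAIL
<6>0000000134|rsbac_adf_request(): request GET_STATUS_DATA, pid 1590, ppid 1586, prog_name pdnsd, prog_file /usr/sbin/pdnsd, uid 0, target_type DEV, tid 1:3, attr none, value none, result NOT_GRANTED by JAIL
<6>0000000135|rsbac_adf_request(): request GET_STATUS_DATA, pid 1590, ppid 1586, prog_name pdnsd, prog_file /usr/sbin/pdnsd, uid 0, target_type SCD, tid sysctl, attr none, value none, result GRANTED
<6>0000000136|rsbac_adf_request(): request WRITE_OPEN, pid 1590, ppid 1586, prog_name pdnsd, prog_file /usr/sbin/pdnsd, uid 0, target_type FILE, tid 3:1:12345, attr none, value none, result NOT_GRANTED by RC
""".splitlines()


def parse_line(line):
    """Fields of one rsbac_adf_request() line as a dict, or None."""
    m = _LINE.search(line)
    return m.groupdict() if m else None


def jail_denials(lines, prog_file=None):
    """Count (request, target_type, tid) triples that JAIL denied.

    prog_file restricts the count to one program (None = all programs).
    Granted requests and denials by another RSBAC module are skipped; they
    need no change to the JAIL definition.
    """
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None or (prog_file and f["prog_file"] != prog_file):
            continue
        if f["result"] != "NOT_GRANTED" or f["module"] != "JAIL":
            continue
        counts[(f["request"], f["target_type"], f["tid"])] += 1
    return counts


def hint(request, target_type, tid):
    """Which part of the JAIL file a denial points at.

    Only combinations the tables on this page describe directly are mapped;
    everything else is left to explain-jail-message.
    """
    if target_type == "SCD":
        # Element 5 grants read, element 6 grants modify rights on SCD targets.
        if request.startswith("MODIFY"):
            return "add %s to the modify SCD list (element 6)" % tid
        return "add %s to the read SCD list (element 5)" % tid
    if target_type == "DEV":
        if request == "GET_STATUS_DATA":
            return "set jail flag allow-dev-get-status"
        if request == "MODIFY_SYSTEM_DATA":
            return "set jail flag allow-dev-mod-system"
        if "READ" in request:
            return "set jail flag allow-dev-read"
        if "WRITE" in request:
            return "set jail flag allow-dev-write"
    if target_type == "PROCESS" and request == "GET_STATUS_DATA":
        return "usually noise; silence with: switch_adf_log GET_STATUS_DATA PROCESS 0"
    return "see explain-jail-message"


if __name__ == "__main__":
    for key, n in sorted(jail_denials(SAMPLE_LOG, "/usr/sbin/pdnsd").items()):
        print("%3d  %-20s %-8s %-10s -> %s" % ((n,) + key + (hint(*key),)))
```

Run against a real /security/log/security-log, pass the file's lines and the prog_file of the program you are jailing; the counts tell you which denials recur and the hints tell you whether the fix is a flag, a capability, or an SCD entry. Treat each hint as a starting point: the policy should grant the narrowest right that makes the denial go away, not the broadest flag that silences it.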

wiki/experiences/igraltist/run-jail.1336885710.txt.gz · Last modified: 2012/05/13 05:08 by 127.0.0.1
