   Contact: Baptiste Daroussin    
      
   This project aims at allowing controlled process credentials transitions
   without using setuid executables but instead leveraging our MAC framework. For
   an overall presentation, we refer the reader to the previous quarter’s
   report. As this is a progress report, we only recall the outline here.
      
   In a nutshell, this project comprises two components:   
      
     • mac_do(4) is the kernel module that checks credentials transition
     requests and authorizes those that match rules configured by the
     administrator.

     • mdo(1) is the userland program playing the role of a mediator between
     processes wanting to launch other processes with changed credentials and
     mac_do(4), whose function is to authorize only specific such changes.
     setcred(2) is the new system call at the interface between them. It enables
     userland to request various credentials changes atomically, allowing
     mac_do(4) to base its decision on the transition between the initial and
     desired final credentials.
      
   Both prerequisite commits and changes in MAC/do proper have been reviewed and   
   all commits have finally been pushed to FreeBSD’s main branch, including   
   documentation in the form of a new manual page for setcred(2) and changes to   
   the mac_do(4) one to match the new sysctl(8) knobs and rules syntax.   
      
   Rules can now express finely which groups are allowed in the resulting   
   credentials for a given UID or GID, notably making it possible to specify which   
   target primary and supplementary groups the final credentials can, or must, or   
   must not include. Please consult mac_do(4) for a description of the new syntax   
   and examples.   
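
   The "can, must, or must not include" check described above, decided on the
   whole transition at once, as an added userland model. It is not part of the
   report and is neither mac_do(4)'s kernel code nor its rule syntax; every
   type, function and sample value below is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
/* Hypothetical model: not mac_do(4)'s structures or rule syntax. */
enum grp_req { GRP_MAY, GRP_MUST, GRP_MUST_NOT };
struct grp_cond { gid_t gid; enum grp_req req; };
struct rule {
    uid_t from_uid, to_uid;       /* requesting UID, target UID */
    gid_t to_gid;                 /* required target primary group */
    const struct grp_cond *supp; size_t nsupp; /* supplementary conditions */
};
struct cred { uid_t uid; gid_t gid; const gid_t *supp; size_t nsupp; };
static bool has_group(const struct cred *c, gid_t g)
{
    for (size_t i = 0; i < c->nsupp; i++)
        if (c->supp[i] == g)
            return true;
    return false;
}

/* Decide on the whole transition: current -> desired final credentials. */
bool transition_allowed(const struct rule *r, const struct cred *cur,
    const struct cred *want)
{
    if (cur->uid != r->from_uid || want->uid != r->to_uid ||
        want->gid != r->to_gid)
        return false;
    for (size_t j = 0; j < r->nsupp; j++) {
        bool present = has_group(want, r->supp[j].gid);
        if ((r->supp[j].req == GRP_MUST && !present) ||
            (r->supp[j].req == GRP_MUST_NOT && present))
            return false;
    }
    /* Default deny: a requested group the rule does not list is refused. */
    for (size_t i = 0; i < want->nsupp; i++) {
        bool listed = false;
        for (size_t j = 0; j < r->nsupp; j++)
            listed |= (r->supp[j].gid == want->supp[i]);
        if (!listed)
            return false;
    }
    return true;
}

/* Constructed sample: UID 1001 may become UID 80 with primary GID 80. */
const struct grp_cond conds[] = {{80, GRP_MUST}, {20, GRP_MAY}, {0, GRP_MUST_NOT}};
const struct rule sample_rule = {1001, 80, 80, conds, 3};
const gid_t g_ok[] = {80, 20}, g_wheel[] = {80, 0}, g_extra[] = {80, 5};
const struct cred sample_cur = {1001, 1001, NULL, 0};
```

   Because the decision sees the full final credentials, a request that adds
   group 0 or drops the mandatory group is refused as a whole rather than being
   reached through a sequence of individually acceptable steps.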
      
   Future work, in no particular order and timeframe, may include:   
      
    • For the mac_do(4) component:   
      
    □ Currently, it can only grant credentials transitions for processes   
    spawned from the /usr/bin/mdo executable. The possibility to tweak this   
    path may be interesting for custom thin jail layouts. The ability to   
    have several such paths is one of the missing pieces to be able to use   
    mac_do(4) in conjunction with other credentials-granting programs such   
    as sudo(1) and doas(1).   
      
     □ mac_do(4) currently can only grant new credentials if they are
     requested via the new setcred(2), as it needs to see the current and
     desired final credentials to make a decision. However, each call to
     traditional and standard credentials-changing functions, such as
     setuid(2), seteuid(2), etc., can be considered as a (limited) full
     transition on its own, which mac_do(4) could decide upon. This
     functionality could allow finer control of transitions to root and,
     combined with that of the previous point, make it possible to install
     and use credentials-granting programs without the "setuid" bit. However,
     the full power of this new mac_do(4) module version cannot be harnessed
     without modifying these programs to use setcred(2).
      
    • For the mdo(1) component:   
      
    □ The credentials transitions that can be requested are fairly limited   
    compared to what mac_do(4)'s rules can allow. It would be useful to   
    make it possible to:   
      
    ☆ Specify any list of target groups (primary or supplementary),   
    possibly based on user names (with the implicit list coming from   
    the contents of /etc/passwd and /etc/group) but allowing some   
    tweaks (such as excluding a particular group in the final   
    credentials).   
      
    ☆ Allow changes of groups only.   
      
     ☆ Request a password before calling setcred(2) in certain cases. This
     weakens the security paradigm of the mac_do(4)/mdo(1) combination,
     as it would now rely on userland for part of the gating process,
     but seems acceptable in many cases.

     ☆ Grow a mode producing the target part of rules corresponding to the
     contents of the password and group databases for some users.
      
   We welcome any feedback on this new version and the future-work list above.   
      
   Sponsor: The FreeBSD Foundation   
   Sponsor: Kumacom SARL   
      
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━   
      
   Suspend/Resume Improvements   
      
   Links:   
   Blog URL: https://obiw.ac/s0ix/   
   Working Branch URL: https://github.com/obiwac/freebsd-s0ix   
      
   Contact: obiwac    
      
   Suspend-to-idle and support for S0ix sleep are in the process of being added
   to FreeBSD.
      
   This will allow modern Intel and AMD laptops (e.g. AMD and newer Intel   
   Framework laptops), some of which do not support ACPI S3 sleep, to enter low   
   power states to increase battery life.   
      
   Ben Widawsky from Intel started working on this in 2018 but his work was never   
   finished and is now outdated. His work has now been picked up and the first   
   goal is to get suspend/resume working on the Framework 13 AMD Ryzen 7040 series   
   by end of January. There are plans for presenting initial results at a talk at   
   FOSDEM.   
      
   Currently, all device power constraints on AMD can already be parsed to enter a   
   system’s low power states.   
      
   Sponsor: The FreeBSD Foundation   
      
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━   
      
   umb(4) driver for MBIM USB 4G/5G modems   
      
   Links:   
   UMB(4) - OpenBSD Device Drivers Manual URL: https://man.openbsd.org/umb   
   UMB(4) - NetBSD Kernel Interfaces Manual URL: https://man.netbsd.org/umb.4   
   Bug 263783 - USB MBIM: Support for LTE/4G USB modems URL:   
   https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263783   
   Introduce the USB umb(4) network driver URL: https://reviews.freebsd.org/D48167   
      
   Contact: Pierre Pronchery    
      
   The Mobile Broadband Interface Model (MBIM) is a protocol for communication   
   with network USB devices, transmitting packet data over mobile broadband   
   networks. Implementing this protocol adds support for a whole range of USB   
   devices providing connectivity to mobile networks, such as 4G, 5G, and their   
   subsequent technological evolutions.   
      
   A first implementation for this protocol was performed for OpenBSD in 2016,   
   under the name umb(4). I have ported it myself to NetBSD under the same name,   
   back in 2019. I was then contracted to make it work with OPNsense, and
   authorized to publish it as Open Source in 2022. Unfortunately, by this time,   
   some changes in FreeBSD effectively broke the driver, and it could not be   
   merged until fixed.   
      
   This quarter I have managed to offer an updated version and confirmed it   
   working (thanks Mike and Zhenlei!). This version is now under review in   
   Phabricator as D48167. The submission is still based on code from 2020, and   
   behind progress made by OpenBSD since that time. As such, it is currently   
   restricted to IPv4. However, I believe it makes sense to keep the review simple   
   and focus on the design decisions and integration, before progressively   
   importing the improvements made upstream since then in OpenBSD (notably IPv6   
   support).   
      
   In its current form, the driver was modified from being out of tree and   
      