# Sections can be introduced with a line with tags between square brackets. All
# following lines until the next section will only apply when the section's
# needed tags are enabled.
#
# [tag_name]
#
# Juxtaposed tags (higher precedence) must all match (and), tags separated by
# commas (lower precedence) are alternatives (or).
#
# [a b, c d, e] # needs a and b, or c and d, or e alone
#
# Tags should generally be named after applications or libraries. curtain(1)
# will enable tags named after the executed program when given the "-a" flag.
# By convention, a name is prefixed with "_" to indicate that it is not named
# after an application.
#
# One or more tags to enable can be specified following a colon. This is
# equivalent to the "merge" directive.
#
# [some_app _something_else : some_other_app _some_permissions]
#
# There are directives to specify permission to use abilities, sysctls, ioctls,
# privileges, etc, and to specify filesystem path unveils, include other
# configuration files, etc. Lines that look like a path will be interpreted as
# if they were an argument to the "path" directive.
#
# Directives within a section are applied as part of the same "slot". Within a
# slot, more specific permissions can override less specific ones. Across
# slots, permissions are merged additively.
#
# Individual directives can also be suffixed with bracketed tags on the same
# line. The directive will only be applied if both its corresponding section's
# tags and its suffixed tags match. This is mostly intended as a shortcut, but
# one difference is that directives with suffixed tags are not applied in a
# separate slot.
#
# Path patterns support brace expansion, tilde expansion and environment
# variable expansion similar to shells. Permissions are specified following a
# colon and default to read-only access. An octal or symbolic creation mode
# can follow which will be used to create the file (or directory if the path
# ends with "/") if it does not exist. Mode "+" can be used to create
# files/directories with default umask(2) permissions.
#
# Path permissions:
#
# r: Read files, list directory contents
# w: Write files, create/delete files/directories, change attributes
# m: Write files
# p: Append to files
# c: Create files/directories
# d: Delete files/directories
# a: Change attributes
# u: Create and connect to local-domain sockets
# v: Connect to local-domain sockets
# b: List directory contents
# l: List directory contents (not inherited)
# i: Inspect (stat(2)) file/directory (not inherited)
# x: Execute files
# s: Execute non-binary, interpreted files
# D: Special devfs exemptions
# t: Special tmpdir access
#
# Note that this is significantly different from unveil(3) permission strings!
# Also note that curtain(1) will generally run applications with the equivalent
# of a very permissive pledge(3) with regard to filesystem access, so limiting
# path permissions is more important than for pledged applications (notably,
# writable /dev files should not be given the "w" permission unless changing
# their attributes should also be allowed).
# Baseline shared by almost every sandbox: the standard I/O devices plus the
# abilities and sysctls a libc program needs just to start up and run.
# Note the /dev entries get "rm" (read + write files) and never "w"/"a", so the
# sandbox cannot change their attributes; see the header note on /dev files.
[_stdio]
/dev/null : rm
/dev/stdin : r
/dev/std{out,err} : rm
/dev/fd/ : rm
/dev/full : rm
/dev/zero : rm
# Random sources are read-only.
/dev/{u,}random : r
/etc/localtime : r
/etc/malloc.conf : r
ability core mman fdesc genio poll ioctl pipe status getrlimit clock timer
ability sighand sigmask sigwait
ability sockio
ability getcred
ability sysinfo
ability wait
ability vfs_read vfs_write vfs_statfs
ability cap_sysctl
sysctl hw.machine{,_arch}
sysctl kern.version
sysctl vm.overcommit
sysctl hw.availpages
sysctl kern.iov_max
sysctl kern.proc.{args,pathname}
# "_crude" adds process-control abilities and the read-only system layout
# (libraries, shared data). Merging _localbase also enables the directives
# tagged [_localbase] elsewhere in this file (the /usr/local/... paths).
[_crude : _stdio]
ability thread
ability setrlimit
ability sched
ability procctl
ability curtain # enough for pledge(3)/unveil(3)
sysctl security.curtain.curtained{,_exec}
merge _vfs
merge _libs
merge _share
merge _localbase
# "_basic" is the usual starting point for application profiles: a tty,
# process creation and ps-style visibility, local-domain sockets, and the
# ability to execute system commands. It deliberately does not include
# networking; profiles that need it merge _network (or one of _net_client /
# _net_server) themselves.
[_basic : _crude] # base for many application profiles
merge _tty
merge _proc
merge _ps
merge _unix
merge _exec
merge _cmds
# Permission tower used by curtain(1)'s -0 to -9 options.
# Probably should not be used for application profiles.
[_level0]
# Level 0 grants nothing; every following level extends the previous one, so
# the set of permissions only ever grows as the number goes up.
[_level1 : _level0]
merge _crude
# Level 2 is the first level with network access (_network = client + server).
[_level2 : _level1]
merge _basic
merge _network
[_level3 : _level2]
merge _fdpass
ability acl
ability mac
ability extattr
ability chflags
# May allow privilege escalations if untrusted processes have access to paths
# writable by the sandboxed process.
# NOTE(review): the "!!" / "!" suffixes on ability directives (also used for
# sysflags and trace below) are not explained in the header comment;
# presumably they mark abilities considered higher-risk - confirm against the
# directive documentation before relying on that reading.
ability!! fsugid # chmod ug+s
[_level4 : _level3]
merge _pty
merge _cryptodev
ability sysvipc
# NOTE(review): this grants the ability directly instead of merging the
# _posixshm section, so kern.ipc.posix_shm_list is not included here; confirm
# that is intended.
ability posixshm
ability mlock
ability aio
ability sendfile
ability setcred
ability reap
ability aslr
# Level 5 is curtain(1)'s default. From here on the sandbox may change
# credentials (setcred above, any_cred here) and chroot, so levels 5-9 should
# be read as coarse restriction rather than strong isolation.
[_level5 : _level4] # curtain(1)'s default
ability chroot
ability chown
ability any_cred
ability! sysflags
# _tmpdir_exec has no section of its own; merging the tag enables the
# "${TMPDIR}/ : x [_tmpdir_exec]" directive in _separate_tmpdir (when that
# section is in effect). prot_exec presumably allows executable memory
# mappings (JITs etc.) - confirm.
[_level6 : _level5]
merge _tmpdir_exec
ability prot_exec
[_level7 : _level6]
merge _fdpassdir
ability rfork
ability cpuset
ability getquota
ability kmodstat
# Level 8 adds debugging/tracing of other processes.
[_level8 : _level7]
merge _debug
ability! trace
# Level 9: any ioctl and any sysctl, i.e. effectively no ioctl/sysctl
# filtering at all, plus the password database and syslog sockets.
[_level9 : _level8]
merge _pwddb
merge _syslog
ability any_ioctl
ability any_sysctl
# Full set of filesystem abilities. Which paths are actually reachable is
# still decided by the path directives in effect, not by this section.
[_vfs]
ability vfs_statfs vfs_read vfs_write vfs_create vfs_delete vfs_unbind vfs_fifo vfs_setattr
ability flock fattr fmode_special
ability mount_list
# POSIX shared memory together with the sysctl needed to list segments.
[_posixshm]
ability posixshm
sysctl kern.ipc.posix_shm_list
# Process creation, status and signalling.
[_proc]
ability fork status sigsend wait
# Enough kern.proc sysctls for ps(1)-style process listings. The nodes listed
# here expose identity and resource information only; the more sensitive
# kern.proc nodes are kept in the [_debug _ps] section below.
[_ps]
ability ps
sysctl kern.pid_max
sysctl kern.proc.{all,{proc,gid,pgrp,rgid,sid,tty,uid,ruid,pid}{,_td}}
sysctl kern.proc.args
sysctl kern.proc.pathname
sysctl kern.proc.groups
sysctl kern.proc.rlimit
sysctl kern.proc.umask
sysctl kern.proc.osrel
[_debug]
ability debug
# Applies only when BOTH _debug and _ps are enabled (juxtaposed tags). These
# nodes expose process environment, auxv and memory layout, which can leak
# secrets passed in the environment and defeat ASLR for other processes, so
# they are deliberately not part of plain _ps.
[_debug _ps]
sysctl kern.proc.{env,auxv}
sysctl kern.proc.sv_name
sysctl kern.proc.vmmap
sysctl kern.proc.kstack
sysctl kern.proc.ps_strings
sysctl kern.proc.sigtramp
sysctl kern.proc.sigfastblk
sysctl kern.proc.vm_layout
# Enabling _localbase (via merge or the colon syntax) also turns on every
# directive suffixed with [_localbase] elsewhere in this file.
[_localbase]
sysctl user.localbase
# Runtime linker support, needed by every dynamically linked program.
# NOTE(review): prot_exec_loose presumably relaxes executable-mapping
# restrictions just enough for ld-elf.so to map libraries, as opposed to the
# full prot_exec ability granted at _level6 - confirm.
[_rtld]
ability prot_exec_loose
/etc/libmap.conf : r
/var/run/ld-elf.so.hints : r
/libexec/ld-elf.so.1 : rx
/etc/libmap32.conf : r [_compat32]
/usr/local/etc/libmap.d/ : r [_localbase]
# Forward reference: _libs is defined below. Sections in this file refer to
# tags defined later (e.g. _network), so resolution presumably happens after
# the whole file is parsed.
[_exec : _libs]
ability exec
# Library directories are read + execute only. No write/create permission is
# ever given here, so a sandboxed process cannot plant libraries that other
# programs would load.
[_libs : _rtld]
/usr/libdata/ : r
{,/usr}/lib/ : rx
/usr/lib32/ : rx [_compat32]
[_libs _localbase]
/usr/local/libdata/ : r
/usr/local/lib/ : rx
/usr/local/llvm{9,1{0,1,2,3,4,5}}/lib/ : rx
/usr/local/lib32/ : rx [_compat32]
# System command directories, execute + read only.
[_cmds : _exec]
{,/usr}/libexec/ : rx
{,/usr}/{bin,sbin}/ : rx
/usr/bin32/ : rx [_compat32]
[_cmds _localbase]
/usr/local/libexec/ : rx
/usr/local/{bin,sbin}/ : rx
/usr/local/bin32/ : rx [_compat32]
[_share]
/usr/share/ : r
/usr/local/man/ : r [_localbase]
# NOTE: Some packages install executables in /usr/local/share.
/usr/local/share/ : rx [_localbase]
# Generic socket support (no address family yet); address families are added
# by _unix_base and _net_inet.
[_sock]
ability sock
# XXX Socket options should be more restricted.
socklvl socket
# Local-domain sockets. _unix_client may only connect, _unix_server may only
# bind; _unix grants both. Access to a socket's path presumably still needs
# the "u"/"v" path permissions described in the header - confirm.
[_unix_base]
merge _sock
sockaf unix
socklvl local
[_unix_client : _unix_base]
ability vfs_connect
[_unix_server : _unix_base]
ability vfs_bind
[_unix : _unix_client _unix_server]
# Passing file descriptors over local-domain sockets; _fdpassdir additionally
# allows directory descriptors (passdir), which widens what the receiving
# side can reach.
[_fdpass : _unix]
ability sendfd recvfd
[_fdpassdir : _fdpass]
ability passdir
# Credential changes; not part of the _basic profile, only of the level tower.
[_su]
ability setcred any_cred
# Controlling terminal. "a" (change attributes) is granted explicitly here
# rather than via a blanket "w", in line with the header's advice for /dev
# files; confirm that attribute changes on /dev/tty are really required.
[_tty]
/dev/tty : rma
/etc/termcap : r
ability tty
ioctls tty_basic
[_pty : _tty]
# NOTE: The /dev/pts directory doesn't exist until a PTY is created.
# "D" on /dev/ is only the special devfs exemption from the header, not a
# read/write grant on the directory.
/dev/ : D
ability ttymgmt
ioctls tty_pts
[_cryptodev]
/dev/crypto : rm
ioctls cryptodev
# Application profile (tag named after the program) for running curtain(1)
# itself inside a sandbox, i.e. nested sandboxes.
[curtain]
ability curtain
sysctl security.curtain.enabled
# Let nested curtain sandboxes find their settings.
/etc/defaults/curtain.conf : r
/etc/curtain.{conf,d/} : r
~/.curtain.{conf,d/} : r
/usr/local/etc/curtain.{conf,d/} : r [_localbase]
# Only when the outer profile already has _tty.
merge _pty [_tty]
# Private, per-sandbox $TMPDIR: read/write plus local-domain sockets.
[_separate_tmpdir]
${TMPDIR}/ : rwu
# The section header is repeated on purpose so that the directives below land
# in a separate slot: within a single slot a later directive on the same path
# would presumably override "rwu" instead of adding to it, whereas across slots
# permissions merge additively (see the slot rules in the header).
[_separate_tmpdir]
${TMPDIR}/ : s [_tmpdir_shellexec]
${TMPDIR}/ : x [_tmpdir_exec]
[_shared_tmpdir]
# Sharing $TMPDIR is risky even with just the "t" permission (which disallows
# many operations like listing files (which should protect files with
# unpredictable names), accessing subdirectories, creating/connecting to local
# domain sockets, creating hard/soft links, etc), but any use of regular files
# with known names will probably be insecure.
${TMPDIR:-/tmp}/ : t
# Block access to some known file names that might allow privilege escalation,
# but this cannot be a complete list...
# An empty permission list after ":" blocks the path. "%u" / "%#u" are
# presumably expanded to the user's identity; the header does not document
# these placeholders - confirm the expansion rule.
${TMPDIR:-/tmp}/krb5cc_%u :
# One section for both tags; the suffixed tag selects which /tmp/ line applies.
# The _unsafe variant hands out full "rwxu" on the system-wide /tmp, which the
# comment below rightly calls extremely risky.
[_shared_system_tmpdir, _unsafe_system_tmpdir]
/tmp/ : t [_shared_system_tmpdir]
/tmp/ : rwxu [_unsafe_system_tmpdir]
# Do our best to prevent easy escapes, but this is extremely risky nonetheless!
/tmp/tmux-%#u :
/tmp/krb5cc_%u :
# Password/group databases for name lookups. The shadow database spwd.db is
# kept in the separate _spwddb section so that plain _pwddb does not expose it.
[_pwddb]
/etc/nsswitch.conf : r
/etc/pwd.db : r
/etc/group : r
[_spwddb : _pwddb]
/etc/spwd.db : r
# Certificates readable, private keys blocked: the more specific "private/"
# directive with an empty permission list overrides the read grant on /etc/ssl/
# within the same slot.
[_ssl]
/etc/ssl/ : r
/etc/ssl/private/ :
/usr/local/etc/ssl/ : r [_localbase]
/usr/local/etc/ssl/private/ : [_localbase]
[_net_base]
merge _sock
ioctls net_basic
# IPv4/IPv6 families and their socket levels.
[_net_inet : _net_base]
sockaf inet inet6
# XXX Socket options should be more restricted.
socklvl ip ipv6
socklvl tcp udp
sysctl net.inet6.ip6.addrctlpolicy
[_net_route]
sysctl net.routetable
ioctls net_route
# Read-only files consulted by the resolver and service/protocol lookups.
[_net_resolv]
/etc/nsswitch.conf : r
/etc/resolv.conf : r
/etc/hosts : r
/etc/services : r
/etc/protocols : r
/var/db/services.db : r
# _network grants both directions (forward references to the sections below).
[_network : _net_client _net_server]
# Client and server are split so a profile can allow outgoing connections
# without also letting the process listen, and vice versa.
[_net_client : _net_misc]
ability net_client
[_net_server : _net_misc]
ability net_server
[_net_misc : _net_base]
merge _net_inet
merge _net_route
merge _net_resolv
merge _ssl
# Connect-only ("v") access to the syslog sockets; without "u" the sandbox
# cannot create sockets at these paths itself.
[_syslog : _unix_client]
/var/run/log : v
/var/run/logpriv : v
# Packet capture. This lets the sandbox observe network traffic, so it is only
# for profiles that genuinely need it; the level tower never merges it.
[_bpf]
ioctls bpf
/dev/bpf : rm
# OSS audio devices; also not part of the level tower.
[_audio]
ioctls oss
/dev/sndstat : r
/dev/dsp : rm
/dev/dsp{0,1,2,3} : rm
/dev/mixer : rm
sysctl hw.snd.default_unit