resolved: access control feature

[topimiettinen]

Implement simple access control for systemd-resolved. This can be used to
either allow-list or deny-list domains which the service can use. The feature
is limited to bus clients (such as nss-resolve).

Example /etc/resolved-access.d/basic.conf:

# Unit                          MAC Context                     Domain Pattern          Verdict
systemd-timesyncd.service       system_u:system_r:ntpd_t:s0     *.debian.pool.ntp.org   allow
systemd-timesyncd.service       system_u:system_r:ntpd_t:s0     *                       deny
session-*.scope                 user_u:user_r:mozilla_t:s0      *                       allow
*                               *                               *                       deny

[topimiettinen]

Centos CIs fails TEST-50-DISSECT and TEST-50-DISSECT_coredumpctl_collect. On bionic-arm64, test-path fails and bionic-i386 test "upstream" fails. Doesn't seem related to systemd-resolved to me.

[poettering]

I am a bit puzzled about this? This controls which client can resolve a specific host? i.e. it doesn't control which IP addresses it can connect to, hence it can easily contact any DNS server on the internet directly (e.g. 8.8.8.8) and get the desired resolution data ynway?

[topimiettinen]

Direct access with known IP addresses will be blocked by the firewall mechanism, which is part 2 of #17053. Then the application can't access anything before they make a DNS request first. If the request is allowed by resolved and the domain is successfully resolved, the resolved IP address of the domain name will be added to firewall (perhaps just add to service specific IPSet for simplicity). This means that knowing the IP address does not help.

[topimiettinen]

I've played with a version which can filter also using UID, name of the command and possibly user unit of the calling task to see which fields could be useful. For some reason (maybe my overly restricted configuration) dbus-daemon can deliver only a very few fields out of the possibilities listed in sd-bus.h by using the message creds. More fields can be found via PID, but probably this is not race-free.

I'm actually agreeing with @keszybz's suggestion to use only unit. The more there are fields, the more there are means to differentiate the calling process better and thus provide better DNS request filtering. But actually the different processes are still part of one service unit and thus there may be only a weak protection boundary or none. Then the configuration in service unit file could be simply:

DNSAllowDomains=*.debian.pool.ntp.org

Also, the firewall can only be installed for the entire service. For that I'm sort of waiting for the libnftables integration in #17026. The firewall also needs a mechanism to install a new network namespace like PrivateNetwork=yes, but including all network devices. Perhaps that could be made into a new feature (e.g. PrivateNetwork=lo eth0 to list allowed interfaces or PrivateNetwork=~eth0 to exclude just one IF)?

[topimiettinen]

In this version, the config file is replaced with a simple unit setting which is read by resolved:

[Service]
DNSAllowedDomains=*.ntp.org

Perhaps DNSDeniedDomains= could make sense for deny-listing mode.

However, when the filter rejects a request via Varlink, it may lead to segfault. Perhaps a bug in varlink implementation?

[topimiettinen]

I checked if #18135 would help, but it didn't. Backtrace from the segfault:

Program received signal SIGSEGV, Segmentation fault.
0x00001d816d7982df in dns_query_candidate_stop (c=0x9) at ../src/resolve/resolved-dns-query.c:45
45              while ((t = set_steal_first(c->transactions))) {
(gdb) bt
#0  0x00001d816d7982df in dns_query_candidate_stop (c=0x9) at ../src/resolve/resolved-dns-query.c:45
#1  0x00001d816d798df7 in dns_query_stop (q=0x663d40c903d0) at ../src/resolve/resolved-dns-query.c:297
#2  0x00001d816d799c93 in dns_query_complete (q=0x663d40c903d0, state=DNS_TRANSACTION_ABORTED) at ../src/resolve/resolved-dns-query.c:494
#3  0x00001d816d7da47a in vl_on_disconnect (s=0x663d40c97f80, link=0x663d40cfa5d0, userdata=0x663d40c903d0) at ../src/resolve/resolved-varlink.c:93
#4  0x00002b013e3ce041 in varlink_detach_server (v=0x663d40cfa5d0) at ../src/shared/varlink.c:1195
#5  0x00002b013e3ce0f1 in varlink_close (v=0x663d40cfa5d0) at ../src/shared/varlink.c:1212
#6  0x00002b013e3cc0c5 in varlink_dispatch_disconnect (v=0x663d40cfa5d0) at ../src/shared/varlink.c:664
#7  0x00002b013e3cd1a7 in varlink_process (v=0x663d40cfa5d0) at ../src/shared/varlink.c:969
#8  0x00002b013e3d25e7 in defer_callback (s=0x663d40cb0360, userdata=0x663d40cfa5d0) at ../src/shared/varlink.c:1862
#9  0x00002b013e4fc126 in source_dispatch (s=0x663d40cb0360) at ../src/libsystemd/sd-event/sd-event.c:3530
#10 0x00002b013e4fdad8 in sd_event_dispatch (e=0x663d40c93bf0) at ../src/libsystemd/sd-event/sd-event.c:3950
#11 0x00002b013e4fdf96 in sd_event_run (e=0x663d40c93bf0, timeout=18446744073709551615) at ../src/libsystemd/sd-event/sd-event.c:4011
#12 0x00002b013e4fe163 in sd_event_loop (e=0x663d40c93bf0) at ../src/libsystemd/sd-event/sd-event.c:4032
#13 0x00001d816d7dd059 in run (argc=1, argv=0x179c4acfc8e8) at ../src/resolve/resolved.c:92
#14 0x00001d816d7dd148 in main (argc=1, argv=0x179c4acfc8e8) at ../src/resolve/resolved.c:99

Another:

Program received signal SIGSEGV, Segmentation fault.
0x000036a8d98052df in dns_query_candidate_stop (c=0x9) at ../src/resolve/resolved-dns-query.c:45
45              while ((t = set_steal_first(c->transactions))) {
(gdb) up
#1  0x000036a8d9805df7 in dns_query_stop (q=0x372b4bfdf160) at ../src/resolve/resolved-dns-query.c:297
297                     dns_query_candidate_stop(c);
(gdb) p c
$11 = (DnsQueryCandidate *) 0x9
(gdb) up
#2  0x000036a8d9806c93 in dns_query_complete (q=0x372b4bfdf160, state=DNS_TRANSACTION_ABORTED) at ../src/resolve/resolved-dns-query.c:494
494             dns_query_stop(q);
(gdb) p *q
$12 = {manager = 0x372b4bfe2980, auxiliary_for = 0x0, auxiliary_queries = 0x100000001, n_auxiliary_queries = 1, auxiliary_result = 0, question_idna = 0x0, question_utf8 = 0x372b4bfe0fa0, flags = 60659098056496, ifindex = 1274951456, clamp_ttl = 43, 
  state = DNS_TRANSACTION_ABORTED, n_cname_redirects = 0, candidates = 0x9, timeout_event_source = 0x0, answer = 0x372b4bfdfa08, answer_rcode = 0, answer_dnssec_result = DNSSEC_VALIDATED, answer_authenticated = false, answer_protocol = DNS_PROTOCOL_DNS, 
  answer_family = 1275088176, answer_search_domain = 0x4, answer_errno = 0, previous_redirect_unauthenticated = false, bus_request = 0x372b4bfe0ca0, varlink_request = 0x372b4bfe0e20, request_family = 4, request_address_valid = false, request_address = {in = {
      s_addr = 1274940768}, in6 = {__in6_u = {__u6_addr8 = "`\r\376K+7\000\000\000\000\000\000\000\000\000", __u6_addr16 = {3424, 19454, 14123, 0, 0, 0, 0, 0}, __u6_addr32 = {1274940768, 14123, 0, 0}}}, bytes = "`\r\376K+7\000\000\000\000\000\000\000\000\000"}, 
  block_all_complete = 0, request_address_string = 0x0, request_dns_packet = 0x0, request_dns_stream = 0x0, reply_dns_packet = 0x0, stub_listener_extra = 0x0, complete = 0x0, block_ready = 0, bus_track = 0x0, unit = 0x0, queries_next = 0x0, queries_prev = 0x0, 
  auxiliary_queries_next = 0x0, auxiliary_queries_prev = 0x0}

[topimiettinen]

It seems that field userdata is not initialized in struct Varlink, so it can contain garbage bytes and then accessing q->candidates where q is link->userdata causes the segfault. Adding a call to varlink_set_userdata(link, NULL) in the beginning vl_method_resolve_hostname() fixes the problem.

But would that be the proper solution, or should userdata be set to NULL in varlink_new()? It could be argued that responsibility for managing userdata should fall entirely to the users, but adding calls to varlink_set_userdata(link, NULL) everywhere would be more error prone. Zero initialization for the entire structure was removed with a48481d by @keszybz?

[topimiettinen]

In this version I addressed @bluca's comments, handled the Varlink problem and added DNSDeniedDomains=. It could probably be added to all systemd services.

[topimiettinen]

Made #18171 to fix the userdata field problem at Varlink side.

[bluca]

to refresh manpages run:

meson compile -C build man/update-dbus-docs

[bluca]

@topimiettinen is this still relevant?

[topimiettinen]

@bluca Yes, but I no longer plan to integrate firewalls into this directly. I've used the patch for more than year now.

[bluca]

@bluca Yes, but I no longer plan to integrate firewalls into this directly. I've used the patch for more than year now.

what is it used for? can you update the use case, and rebase?

[topimiettinen]

@bluca OK, force pushed an updated version

[topimiettinen]

@bluca All green!

[bluca]

Can you add some testing in TEST-75-RESOLVED?

[topimiettinen]

@bluca I guess you mean testsuite-75.sh. OK, I'll try.

[topimiettinen]

It's interesting that the tests in TEST-75-RESOLVED are passing on CentOS CI (CentOS Stream 8) as expected (TEST-02-UNITTESTS and TEST-60-MOUNT-RATELIMIT fail, unrelated), but on CentOS CI (Arch Linux + sanitizers) and CentOS CI (Arch Linux) they don't. The first test fails:

[ 2512.529887] testsuite-75.sh[534]: + systemd-run --property 'DNSDeniedDomains=*' --wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test
[ 2512.557278] testsuite-75.sh[535]: Running as unit: run-u21.service
[ 2512.598303] testsuite-75.sh[535]: 10.0.0.121      untrusted.test
[ 2512.606628] testsuite-75.sh[535]: Finished with result: success
[ 2512.606803] testsuite-75.sh[535]: Main processes terminated with: code=exited/status=0

getent command should not be able to resolve the name but it is. I wonder if there could be differences between distros glibc resolvers, so that on Arch the resolver would always try DNS (or use DBus) instead of honoring NSS configuration. @mrc0mmand would you happen to have a clue by any chance?

[mrc0mmand]

It's interesting that the tests in TEST-75-RESOLVED are passing on CentOS CI (CentOS Stream 8) as expected (TEST-02-UNITTESTS and TEST-60-MOUNT-RATELIMIT fail, unrelated), but on CentOS CI (Arch Linux + sanitizers) and CentOS CI (Arch Linux) they don't. The first test fails:

[ 2512.529887] testsuite-75.sh[534]: + systemd-run --property 'DNSDeniedDomains=*' --wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test
[ 2512.557278] testsuite-75.sh[535]: Running as unit: run-u21.service
[ 2512.598303] testsuite-75.sh[535]: 10.0.0.121      untrusted.test
[ 2512.606628] testsuite-75.sh[535]: Finished with result: success
[ 2512.606803] testsuite-75.sh[535]: Main processes terminated with: code=exited/status=0

getent command should not be able to resolve the name but it is. I wonder if there could be differences between distros glibc resolvers, so that on Arch the resolver would always try DNS (or use DBus) instead of honoring NSS configuration. @mrc0mmand would you happen to have a clue by any chance?

Interesting, I just tried it on my local F36 machine, and got the same result as on Arch:

testsuite-75.sh[377]: untrusted.test: 10.0.0.121                                  -- link: dns0
testsuite-75.sh[377]: -- Information acquired via protocol DNS in 527us.
testsuite-75.sh[377]: -- Data is authenticated: no; Data was acquired via local or encrypted transport: no
testsuite-75.sh[377]: -- Data from: cache
testsuite-75.sh[34]: + grep -qF 'untrusted.test: 10.0.0.121' /tmp/tmp.7HPjzh7VSb
testsuite-75.sh[34]: + grep -qF 'authenticated: no' /tmp/tmp.7HPjzh7VSb
testsuite-75.sh[34]: + mv /etc/nsswitch.conf /etc/nsswitch.conf.disabled
testsuite-75.sh[34]: + echo hosts: resolve
testsuite-75.sh[34]: + args='--wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test'
testsuite-75.sh[34]: + run_expect_fail systemd-run --property 'DNSDeniedDomains=*' --wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test
testsuite-75.sh[381]: + systemd-run --property 'DNSDeniedDomains=*' --wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test
testsuite-75.sh[382]: + tee /tmp/tmp.7HPjzh7VSb
testsuite-75.sh[382]: Running as unit: run-u22.service
testsuite-75.sh[382]: 10.0.0.121      untrusted.test
testsuite-75.sh[382]: Finished with result: success
testsuite-75.sh[382]: Main processes terminated with: code=exited/status=0
testsuite-75.sh[382]: Service runtime: 6ms
testsuite-75.sh[382]: CPU time consumed: 5ms
testsuite-75.sh[34]: + at_exit

So maybe it's some older glibc-related issue?

[mrc0mmand]

Ah, it looks like it's a race:

-bash-5.1# systemd-run --property 'DNSDeniedDomains=*' --wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test
Running as unit: run-u27.service
10.0.0.121      untrusted.test
Finished with result: success
Main processes terminated with: code=exited/status=0
Service runtime: 19ms
CPU time consumed: 19ms
-bash-5.1# systemd-run --property 'DNSDeniedDomains=*' --wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test
Running as unit: run-u28.service
10.0.0.121      untrusted.test
Finished with result: success
Main processes terminated with: code=exited/status=0
Service runtime: 7ms
CPU time consumed: 7ms
-bash-5.1# systemd-run --property 'DNSDeniedDomains=*' --wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test
Running as unit: run-u29.service
10.0.0.121      untrusted.test
Finished with result: success
Main processes terminated with: code=exited/status=0
Service runtime: 7ms
CPU time consumed: 7ms
-bash-5.1# systemd-run --property 'DNSDeniedDomains=*' --wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test
Running as unit: run-u30.service
Finished with result: exit-code
Main processes terminated with: code=exited/status=2
Service runtime: 37ms
CPU time consumed: 21ms
-bash-5.1# systemd-run --property 'DNSDeniedDomains=*' --wait --pipe --property IPAddressDeny=any --property InaccessiblePaths=-/etc/resolv.conf getent -s resolve hosts untrusted.test
Running as unit: run-u31.service
Finished with result: exit-code
Main processes terminated with: code=exited/status=2
Service runtime: 29ms
CPU time consumed: 27ms

[mrc0mmand]

And it appears to be a cache-related stuff:

## pass
[3583232.783582] systemd-resolved[74]: Couldn't query creds from sender's PID
[3583232.783670] systemd-resolved[74]: idn2_lookup_u8: untrusted.test → untrusted.test
[3583232.783739] systemd-resolved[74]: Looking up RR for untrusted.test IN AAAA.
[3583232.783801] systemd-resolved[74]: NXDOMAIN cache hit for untrusted.test IN AAAA
[3583232.783867] systemd-resolved[74]: Regular transaction 30070 for <untrusted.test IN AAAA> on scope dns on dns0/* now complete with <rcode-failure> from cache (authenticated; non-confidential).
[3583232.783933] systemd-resolved[74]: Freeing transaction 30070.
...
[3583232.784867] systemd-resolved[74]: Couldn't query creds from sender's PID
[3583232.784937] systemd-resolved[74]: idn2_lookup_u8: untrusted.test → untrusted.test
[3583232.785000] systemd-resolved[74]: Looking up RR for untrusted.test IN A.
[3583232.785063] systemd[1]: Sent message type=method_return sender=n/a destination=:1.29 path=n/a interface=n/a member=n/a cookie=843 reply_cookie=9 signature=a{sv} error-name=n/a error-message=n/a
[3583232.785127] systemd-resolved[74]: Positive cache hit for untrusted.test IN A
[3583232.785190] systemd-resolved[74]: Regular transaction 50229 for <untrusted.test IN A> on scope dns on dns0/* now complete with <success> from cache (unsigned; non-confidential).
[3583232.785296] systemd-resolved[74]: varlink-23: Sending message: {"parameters":{"addresses":[{"ifindex":2,"family":2,"address":[10,0,0,121],"type":"A"}],"name":"untrusted.test"},"continues":true}
[3583232.785362] systemd-resolved[74]: Freeing transaction 50229.
[3583232.785427] systemd-resolved[74]: Reply IP 10.0.0.121 to unit (unset)
...

## pass
[3583232.783582] systemd-resolved[74]: Couldn't query creds from sender's PID
[3583232.783670] systemd-resolved[74]: idn2_lookup_u8: untrusted.test → untrusted.test
[3583232.783739] systemd-resolved[74]: Looking up RR for untrusted.test IN AAAA.
[3583232.783801] systemd-resolved[74]: NXDOMAIN cache hit for untrusted.test IN AAAA
[3583232.783867] systemd-resolved[74]: Regular transaction 30070 for <untrusted.test IN AAAA> on scope dns on dns0/* now complete with <rcode-failure> from cache (authenticated; non-confidential).
[3583232.783933] systemd-resolved[74]: Freeing transaction 30070.
...
[3583234.321073] systemd-resolved[74]: Got varlink query packet for untrusted.test
[3583234.321134] systemd-resolved[74]: Couldn't query creds from sender's PID
[3583234.321202] systemd-resolved[74]: idn2_lookup_u8: untrusted.test → untrusted.test
[3583234.321266] systemd-resolved[74]: Looking up RR for untrusted.test IN A.
[3583234.321329] systemd-resolved[74]: Positive cache hit for untrusted.test IN A
[3583234.321392] systemd-resolved[74]: Regular transaction 31745 for <untrusted.test IN A> on scope dns on dns0/* now complete with <success> from cache (unsigned; non-confidential).
[3583234.321457] systemd-resolved[74]: varlink-23: Sending message: {"parameters":{"addresses":[{"ifindex":2,"family":2,"address":[10,0,0,121],"type":"A"}],"name":"untrusted.test"},"continues":true}
[3583234.321525] systemd-resolved[74]: Freeing transaction 31745.
[3583234.321590] systemd-resolved[74]: Reply IP 10.0.0.121 to unit (unset)
...

[3583234.323245] systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitRemoved cookie=881 reply_cookie=0 signatur>
[3583234.695291] systemd-resolved[74]: Removing scope on link dns0, protocol dns, family *
[3583234.696835] systemd-resolved[74]: New scope on link dns0, protocol dns, family *
...

## fail
[3583235.783699] systemd-resolved[74]: Couldn't query creds from sender's PID
[3583235.783837] systemd-resolved[74]: idn2_lookup_u8: untrusted.test → untrusted.test
[3583235.783969] systemd-resolved[74]: Looking up RR for untrusted.test IN AAAA.
[3583235.784101] systemd-resolved[74]: Cache miss for untrusted.test IN AAAA
[3583235.784237] systemd-resolved[74]: Firing regular transaction 37302 for <untrusted.test IN AAAA> scope dns on dns0/* (validate=yes).
[3583235.784394] systemd-resolved[74]: Using feature level TLS+EDNS0+D0 for transaction 37302.
[3583235.784537] systemd-resolved[74]: Using DNS server 10.0.0.1 for transaction 37302.
[3583235.784689] systemd-resolved[74]: Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.
[3583235.784827] systemd-resolved[74]: Using feature level TLS+EDNS0+D0 for transaction 37302.
[3583235.784959] systemd-resolved[74]: Announcing packet size 1472 in egress EDNS(0) packet.
[3583235.785091] systemd-resolved[74]: varlink-25: Changing state processing-method → pending-method
[3583235.785240] systemd-resolved[74]: Connection failure for DNS TCP stream: Connection refused
[3583235.785377] systemd-resolved[74]: Retrying transaction 37302, after switching servers.
[3583235.785511] systemd-resolved[74]: Cache miss for untrusted.test IN AAAA
[3583235.785658] systemd-resolved[74]: Firing regular transaction 37302 for <untrusted.test IN AAAA> scope dns on dns0/* (validate=yes).
[3583235.785797] systemd-resolved[74]: Server doesn't support DNS-over-TLS, downgrading protocol...
[3583235.785929] systemd-resolved[74]: Using degraded feature set UDP+EDNS0+DO instead of TLS+EDNS0+D0 for DNS server 10.0.0.1.
[3583235.786072] systemd-resolved[74]: Using feature level UDP+EDNS0+DO for transaction 37302.
[3583235.786275] systemd-resolved[74]: Announcing packet size 1472 in egress EDNS(0) packet.
[3583235.786462] systemd-resolved[74]: Emitting UDP, link MTU is 1500, socket MTU is 65535, minimal MTU is 40
[3583235.786623] systemd-resolved[74]: Sending query packet with id 37302 of size 66.
[3583235.786778] systemd-resolved[74]: Received dns UDP packet of size 359, ifindex=2, ttl=0, fragsize=0, sender=10.0.0.1, destination=
...
[3583235.949669] systemd-resolved[74]: Added positive authenticated non-confidential cache entry for 2ahq22s35cojh07503k1ifpdpdcospd0.test IN NSEC3 7200s on dns0/INET/10.0.0.1
[3583235.949713] systemd-resolved[74]: Added positive authenticated non-confidential cache entry for test IN SOA 7200s on dns0/INET/10.0.0.1
[3583235.949754] systemd-resolved[74]: Added NXDOMAIN cache entry for untrusted.test IN ANY 7200s
[3583235.949798] systemd-resolved[74]: Regular transaction 37649 for <untrusted.test IN DS> on scope dns on dns0/* now complete with <rcode-failure> from network (authenticated; non-confidential).
...
[3583235.952151] systemd-resolved[74]: Couldn't query creds from sender's PID
[3583235.952192] systemd-resolved[74]: idn2_lookup_u8: untrusted.test → untrusted.test
[3583235.952238] systemd-resolved[74]: Looking up RR for untrusted.test IN A.
[3583235.952281] systemd-resolved[74]: NXDOMAIN cache hit for untrusted.test IN A
[3583235.952322] systemd-resolved[74]: Regular transaction 54166 for <untrusted.test IN A> on scope dns on dns0/* now complete with <rcode-failure> from cache (authenticated; non-confidential).
[3583235.952364] systemd-resolved[74]: Freeing transaction 54166.

[topimiettinen]

@mrc0mmand Awesome, thanks!