Re: [Tails-dev] Reducing attack surface of kernel and tighte…

Delete this message

Reply to this message
Autor: Oliver-Tobias Ripka
Data:  
Dla: The Tails public development discussion list
Temat: Re: [Tails-dev] Reducing attack surface of kernel and tightening firewall/sysctls
Hi,

I retried the test but deleted the lease files from the directory you
mentioned before reconnecting. I now see a complete DHCP DORA
(Discovery, Offer, Request, Ack) on the wire. So nothing gets blocked. I
would also expect that just doing a renewal (request, ack) should be
blocked as the Ack is a response to the request.

Doing some research I found that one possible explaination is that the
dhclient uses raw sockets which get the packet even if netfiler rules
are in place [1], [2].

This seems to be true: lsof -f | grep dhclient:

dhclient  7946 root    5u     pack 34603 0t0 ALL type=SOCK_PACKET
dhclient  7946 root    6u     IPv4 34605 0t0 UDP *:bootpc
dhclient  7946 root   20u     IPv4 34571 0t0 UDP *:45935
dhclient  7946 root   21u     IPv6 34577 0t0 UDP *:44461


One would need to dig deeper into the dhclient code in order to check if
this RAW socket is really necessary and if there are e.g. compile time
options that would allow to just use UDP sockets (note also that
dhclient does both it opens udp:68 and a raw socket) that would be
filterable by the firewall.

In general it might be better for security to have a derooted DHCP
client that does not need CAP_NET_RAW and also has less attack surface
then dhclient (C code + shell scripts). Maybe use a small replacement
client that does only support bare minimum needed to get an IP4/6 and
not the whole spec (instead of trying to fix dhclient)? Anyways, some
efforts for dhclient are made here [3].

Regards,

Olli

[1] https://lists.isc.org/pipermail/dhcp-users/2012-August/015863.html
[2] http://bit.ly/11YRHcE
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308833

According to Michael Rogers on Thu, Dec 04 2014:

> On 04/12/14 01:06, Oliver-Tobias Ripka wrote:
> > - DHCP still works. Which is strange, isn't? I configured the
> > firewall to drop everything so DHCP should not work.
> >
> > To debug a little I inserted some code into
> > /etc/NetworkManager/dispatcher.d/00-firewall.sh to see what the
> > state if ifconfig and iptables is right before bringing up the
> > firewall:
> >
> > Result: The IP adress is already is configured (DHCP was renewed)
> > and the iptables configuration is still set to DROP. So I am not
> > sure how the DHCP packets could get through. Maybe I have a flaw in
> > my debugging procedure or this is another issue.
>
> Is it possible that the DHCP client still has a valid lease that was
> granted before the firewall rules were changed? Perhaps deleting any
> leases in /var/lib/dhcp and bringing the interface up again will
> change the result?
>
> Cheers,
> Michael
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to Tails-dev-unsubscribe@???.


-- 
Jabber contact   otr@???
PGP public key   https://bockcay.de/otr.asc
Off the record   32EA EEA8 955A 9FD7 6F61 94EB 4D7C 2A0E 9A2A 4D58
PGP fingerprint  6D63 8AA9 8B88 1266 DE0D 49EC 2490 01D2 9ADB 137B
Textsecure       05CB 0C48 C87E FC47 2B13 7AD4 1D6E 0CE0 BB64 069A
fingerprint      8BD7 227B 047F E38D 87D7 DE66