Following on from Capsicum vs Pledge Part 2 I thought I would post my final thougts on the topic as the development on these sandbox technologies draws to a close in dhcpcd.
But first, let us discuss …
The POSIX Resource Limited sandbox POSIX documents setrlimit(2). Disabling the ability to open new files, sockets, etc, or create new processes is actually pretty powerful.
Thanks to the privsep dhcpcd now has to support both Capsicum and Pledge, this turned out to be pretty easy to implement.
A few days ago I posted about Capsicum vs Pledge in dhcpcd. Well, I finished the Capsicum integration yesterday so I thought I would take some time to revisit my findings.
Capsicum is hard to develop for It’s either on or off. You can limit each FD with capabilites mode off, but I’m not sure what that gains as it’s mainly there to allow the FD to be used in the restricted world so we can treat it as either on or off really.
So one of the big goals of dhcpcd was to implement Privilege Separation. This was achieved in dhcpcd-9 which was important because it was a required step of work to merge dhcpcd into FreeBSD base system. Once done, we can then look at what is required to enable Capsicum support, which is the last required step before dhcpcd can even be considered for importing into FreeBSD base system.
The good news is that basic Capsicum support has been enabled in this commit by ensuring all the file descriptors of the network facing processes are limited in their capability.
So I just got this email and I thought I would share it verbatim:
I just wanted to thank you for such a great piece of software (dhcpcd)…
I often forget the people that make all this cool stuff that make linux. bsd and all the other unixes work… so rather sending a bug report, I’d just though i’d send you a hello! and thanks for giving my machines ip addresses!
DHCP clients by default send a fair chunk of data which can identify you to the local DHCP server. In return they provide you with a stable IP address and configuration parameters.
At a bare minimum, the hardware address of the interface is sent- this is required to work.
So, how to solve this dilema of wanting total anonymity? The answer is to randomise the hardware address. This will happen when the carrier is down OR dhcpcd starts with the interface down.