[jchw]

FreeBSD jails are known to not be silver bullets. I've heard many instances of breaking out of a FreeBSD jail.

Generally, treating any OS-level technology as a silver bullet is a huge mistake. Any serious developer would make multiple levels of security that _should_ be sound.

[GalacticDomin8r]

That's quite true. Any serious FreeBSD will readily acknowledge such(eg https://www.freebsd.org/doc/handbook/jails.html), but the project does try to default to sensible security defaults for it's containers eg no raw sockets.

While not applicable to FreeBSD alone, this polemic thread:

https://marc.info/?l=openbsd-misc&m=119318909016582

is a pretty accurate description of container level security and not much has changed. Stuff built on a foundation is always subject to the foundation's qualities.

[X86BSD]

This is the most blatant and clearly incorrect... FUD?..lie?... I have ever heard to date about jails.

Jails are secure. As are SmartOS zones. Whoever you heard that there are “many instances of breaking out of a jail” from is full of sh47. And you would be wise to never listen to them ever again. No really, EVER.

And no, breaking the ps4 was not a jail exploit. The attacker already had elevated privileges. So you would be sunk no matter what.

[jchw]

Sheesh, no need to get so emotional about it. I said instances of breaking out, not instances of jail exploits. I don't know of any jail-specific exploits.

But when we say "elevated privileges" are we talking root inside of a jail? Because if that breaks jails, then a large class of Docker exploits also wouldn't classify as 'exploits' under that criteria. One of the biggest problems with Linux namespaces is the band-aid put over root, via capabilities.

As far as I know, though, the PS4 exploit was more Sony's fault. IIRC, they broke out of the jail by exploiting custom syscalls not in stock FreeBSD. Bugs in syscalls in FreeBSD aren't unheard of though, even if less commonly found than Linux.

My entire point is that good security implies not treating any solution as a panacea, lest you find yourself in a digital Titanic scenario. Multiple layers of solid security beats one layer of solid security.

[chatmasta]

> Bugs in syscalls in FreeBSD aren't unheard of though, even if less commonly found than Linux.

Dangerous assumption.

More likely, there are fewer people looking for vulnerabilities in BSD than in Linux.

[jchw]

Well, I did say

>less commonly found

rather than less common. Impossible to know with 100% certainty what's literally less common.

If I had to guess, I'd guess FreeBSD had less bugs in general, just because the surface is generally smaller, and the system is more homogeneous.

[benmmurphy]

i believe there was an exploit by another team which used badiret. which is pretty hilarious because badiret has been patched ages ago but FreeBSD never told anyone they fixed it.

[GalacticDomin8r]

You mean like this?

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:21...

[benmmurphy]

yeah it was fixed in 2014 and there wasn't an advisory until 2015. https://reviews.freebsd.org/rS275833

hn discussion: https://news.ycombinator.com/item?id=10093862

[benmmurphy]

yeah there are probably not many 'jail' exploits specifically targeted for getting out of jail/exploiting jail primitives. but people just use normal kernel exploits to get out of jail/zones. i would say jails/zones are about as secure as linux containers. ie: about as secure as the linux kernel is.

[X86BSD]

And you would be wrong.

[helper]

The person you are replying to has discovered multiple exploitable bugs in Illumos via DTrace from inside zones:

Here are the first two that pop up if you google his name. http://www.zerodayinitiative.com/advisories/ZDI-16-168/ http://www.zerodayinitiative.com/advisories/ZDI-16-274/

He gave a talk at DTrace conf 2016 about all the security vulnerabilities he personally found in DTrace in SmartOS. Here are the slides: http://slides.com/benmurphy/deck