NetBSD Problem Report #58541

From www@netbsd.org  Fri Aug  2 19:12:18 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id F0FDB1A923C
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  2 Aug 2024 19:12:17 +0000 (UTC)
Message-Id: <20240802191216.B5F6B1A923E@mollari.NetBSD.org>
Date: Fri,  2 Aug 2024 19:12:16 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: npf(4) should be able to filter by socket uid/gid
X-Send-Pr-Version: www-1.0

>Number:         58541
>Category:       kern
>Synopsis:       npf(4) should be able to filter by socket uid/gid
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 02 19:15:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, ...
>Organization:
The NetPF Fuidation
>Environment:
>Description:
Utility computing instances like Amazon EC2, Google Compute Engine, Oracle Compute Instances, OpenStack Compute, &c., expose secrets like random seeds and API keys to the guest typically via various paths at http://169.254.169.254.

The random seed is often the only source of entropy for /dev/urandom.  The API keys are typically used for things like uploading objects to storage buckets or other utility services.  For example, the guest might use its secret API key to authenticate publishing its newly generated ssh host key, which in turn is only unpredictable to parties that lack knowledge of the random seed.

In order to implement a privilege boundary around the metadata service, unprivileged processes must be forbidden to exchange packets with 169.254.169.254 (at least on port 80).

npf(4) should support filtering packets in TCP/UDP by the uid/gid of the associated socket.
>How-To-Repeat:
try to enforce a privilege boundary on a utility computing instance
>Fix:
Yes, please!
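To make the requested privilege boundary concrete, here is an added illustration (not part of the PR, and not code from NetBSD or the npf project). The first fragment is npf.conf(5) syntax for what can be expressed today, which is all-or-nothing for the metadata address; the second is the analogous policy in OpenBSD pf.conf(5), whose existing `user` option matches on the uid of the socket that sends or receives the packet, i.e. the behaviour the report asks npf(4) to gain. The address and port are the ones named in the report; the choice of root as the only permitted uid, and the rule layout, are assumptions for the example.

```conf
# Added example, not from the PR.
#
# npf.conf today: the metadata endpoint can only be blocked for everyone
# (or allowed for everyone); there is no way to say "only uid 0 may talk
# to it", which is what a privilege boundary around the metadata service
# needs.
group default {
	block out final proto tcp to 169.254.169.254 port 80
	pass final all
}

# Analogous policy in OpenBSD pf.conf syntax, using pf's existing
# per-socket "user" match (assumed here as the model for what the PR
# requests). "quick" makes the first matching rule decisive, so root's
# sockets are passed and every other uid's are blocked.
pass  out quick proto tcp to 169.254.169.254 port 80 user root
block out quick proto tcp to 169.254.169.254 port 80
```

Note the caveat a practitioner would want: uid/gid matching is only meaningful for packets that belong to a socket on the filtering host itself (locally originated connections, or inbound packets for a local listening socket); forwarded traffic has no owning socket, so a rule such as the pf one above says nothing about packets the host merely routes.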
