BSD Now - Episodes Tagged with “Sandbox”

368: Changing OS roles

JT Pennington — Thu, 17 Sep 2020 06:00:00 -0400

Modernizing the OpenBSD Console, OS roles have changed, FreeBSD Cluster with Pacemaker and Corosync, Wine in a 32-bit sandbox on 64-bit NetBSD, Find package which provides a file in OpenBSD, and more.

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

Modernizing the OpenBSD Console

At the beginning were text mode consoles. Traditionally, *BSD and Linux on i386 and amd64 used text mode consoles which by default provided 25 rows of 80 columns, the "80x25 mode". This mode uses a 8x16 font stored in the VGA BIOS (which can be slightly different across vendors).
OpenBSD uses the wscons(4) console framework, inherited from NetBSD

OS roles have changed

Though I do wonder sometimes, with just a slight tweak to history, how things might have been different. In another dimension somewhere, I’m using the latest BeOS-powered PowerPC laptop, and a shiny new Palm smartphone. Both of these represented the pinnacle of UI design in the 1990s, and still in the 2020s have yet to be surpassed. People call me an Apple fanboy, but I’d drop all of it in a second for that gear.

News Roundup

FreeBSD Cluster with Pacemaker and Corosync

I always missed ‘proper’ cluster software for FreeBSD systems. Recently I got to run several Pacemaker/Corosync based clusters on Linux systems. I thought how to make similar high availability solutions on FreeBSD and I was really shocked when I figured out that both Pacemaker and Corosync tools are available in the FreeBSD Ports and packages as net/pacemaker2 and net/corosync2 respectively.

Wine in a 32-bit sandbox on 64-bit NetBSD

"Mainline pkgsrc" can't do strange multi-arch Wine builds yet, so a 32-bit sandbox seems like a reasonable way to use 32-bit Wine on amd64 without resorting to running real Windows in NVMM. We'll see if this was a viable alternative to re-reviewing the multi-arch support in pkgsrc-wip...
We're using sandboxctl, which is a neat tool for quickly shelling into a different NetBSD userspace. Maybe you also don't trust the Windows applications you're running too much - sandboxctl creates a chroot based on a fresh system image, and chroot on NetBSD is fairly bombproof.

Find package which provides a file in OpenBSD

There is one very handy package on OpenBSD named pkglocatedb which provides the command pkglocate.
If you need to find a file or binary/program and you don’t know which package contains it, use pkglocate.

Beastie Bits

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

367: Changing jail datasets

JT Pennington — Thu, 10 Sep 2020 06:00:00 -0400

A 35 Year Old Bug in Patch, Sandbox for FreeBSD, Changing from one dataset to another within a jail, You don’t need tmux or screen for ZFS, HardenedBSD August 2020 Status Report and Call for Donations, and more.

NOTES
This episode of BSDNow is brought to you by Tarsnap

Headlines

A 35 Year Old Bug in Patch

Larry Wall posted patch 1.3 to mod.sources on May 8, 1985. A number of versions followed over the years. It's been a faithful alley for a long, long time. I've never had a problem with patch until I embarked on the 2.11BSD restoration project. In going over the logs very carefully, I've discovered a bug that bites this effort twice. It's quite interesting to use 27 year old patches to find this bug while restoring a 29 year old OS...

Sandbox for FreeBSD

A sandbox is a software which artificially limits access to the specific resources on the target according to the assigned policy. The sandbox installs hooks to the kernel syscalls and other sub-systems in order to interrupt the events triggered by the application. From the application point of view, application working as usual, but when it wants to access, for instance, /dev/kmem the sandbox software decides against the assigned sandbox scheme whether to grant or deny access.
In our case, the sandbox is a kernel module which uses MAC (Mandatory Access Control) Framework developed by the TrustedBSD team. All necessary hooks were introduced to the FreeBSD kernel.

News Roundup

Changing from one dataset to another within a jail

ZFS has a the ability to share itself within a jail. That gives the jail some autonomy, and I like that.
I’ve written briefly about that, specifically for iocage. More recently, I started using a zfs snapshot for caching clearing.
The purpose of this post is to document the existing configuration of the production FreshPorts webserver and outline the plan on how to modify it for more zfs-snapshot-based cache clearing.

You don’t need tmux or screen for ZFS

Back in January I mentioned how to add redundancy to a ZFS pool by adding a mirrored drive. Someone with a private account on Twitter asked me why FreeBSD—and NetBSD!—doesn’t ship with a tmux or screen equivilent in base in order to daemonise the process and let them run in the background.
ZFS already does this for its internal commands.

HardenedBSD August 2020 Status Report and Call for Donations

This last month has largely been a quiet one. I've restarted work on porting five-year-old work from the Code Pointer Integrity (CPI) project into HardenedBSD. Chiefly, I've started forward-porting the libc and rtld bits from the CPI project and now need to look at llvm compiler/linker enhancements. We need to be able to apply SafeStack to shared objects, not just application binaries. This forward-porting work I'm doing is to support that effort.
The infrastructure has settled and is now churning normally and happily. We're still working out bandwidth issues. We hope to have a new fiber line ran by the end of September.
As part of this status report, I'm issuing a formal call for donations. I'm aiming for $4,000.00 USD for a newer self-hosted Gitea server. I hope to purchase the new server before the end of 2020.

Important parts of Unix's history happened before readline support was common

Unix and things that run on Unix have been around for a long time now. In particular, GNU Readline was first released in 1989 (as was Bash), which is long enough ago for it (or lookalikes) to become pretty much pervasive, especially in Unix shells. Today it's easy to think of readline support as something that's always been there. But of course this isn't the case. Unix in its modern form dates from V7 in 1979 and 4.2 BSD in 1983, so a lot of Unix was developed before readline and was to some degree shaped by the lack of it.

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

Mason - mailserver
casey - freebsd on decline
denis - postgres ***
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

39: The Friendly Sandbox

JT Pennington — Wed, 28 May 2014 08:00:00 -0400

This time on the show we'll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now - the place to B.. SD.

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports

The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links
Karl Lehenbauer's keynote (he's on next week's episode)
Mariusz Zaborski and Pawel Jakub Dawidek, Capsicum and Casper (relevant to today's interview)
Luigi Rizzo, In-kernel OpenvSwitch on FreeBSD
Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage
Warner Losh, NAND Flash and FreeBSD
Simon Gerraty, FreeBSD bmake and Meta Mode
Bob Beck, LibreSSL - The First 30 Days
Henning Brauer, OpenBGPD Turns 10 Years Old
Arun Thomas, BSD ARM Kernel Internals
Peter Hessler, Using BGP for Realtime Spam Lists
Pedro Giffuni, Features and Status of FreeBSD's Ext2 Implementation
Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements
Daichi Goto, Shellscripts and Commands
Benno Rice, Keeping Current
Sean Bruno, MIPS Router Hacking
John-Mark Gurney, Optimizing GELI Performance
Patrick Kelsey, Userspace Networking with libuinet
Massimiliano Stucchi, IPv6 Transitioning Mechanisms
Roger Pau Monné, Taking the Red Pill
Shawn Webb, Introducing ASLR in FreeBSD
There's also a trip report from Peter Hessler and one from Julio Merino
The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that's a recurring trend) ***

Defend your network and privacy with a VPN and OpenBSD

After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems - this could also be used with Tor (but it would be very slow)
It also includes a few general privacy tips, recommended browser extensions, etc
The intro to the article is especially great, so give the whole thing a read
He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you're watching! ***

You should try FreeBSD

In this blog post, the author talks a bit about how some Linux people aren't familiar with the BSDs and how we can take steps to change that
He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
Possibly the most useful part is how to address the question "my server already works, why bother switching?"
"Stackoverflow’s answers assume I have apt-get installed"
It includes mention of the great documentation, stability, ports, improved security and much more
A takeaway quote for would-be Linux switchers: "I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before" ***

OpenBSD and the little Mauritian contributor

This is a story about a guy from Mauritius named Logan, one of OpenBSD's newest developers
Back in 2010, he started sending in patched for OpenBSD's "mg" editor, among other small things, and eventually added file transfer resume support for SFTP
The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back ***

Interview - Jon Anderson - jonathan@freebsd.org

Capsicum and Casperd

Tutorial

Encrypting DNS lookups

News Roundup

FreeBSD Journal, May 2014 issue

The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read ***

LibreSSL porting update

Since the last LibreSSL post we covered, a couple unofficial "portable" versions have died off
Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly - stop doing that!
This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good ***

BSDMag May 2014 issue is out

The usual monthly release from BSDMag, covering a variety of subjects
This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
It's a free PDF, go grab it ***

BSDTalk episode 241

A new episode of BSDTalk is out, this time with Bob Beck
He talks about the OpenBSD foundation's recent activities, his own work in the project, some stories about the hardware in Theo's basement and a lot more
The interview itself isn't about LibreSSL at all, but they do touch on it a bit too
Really interesting stuff, covers a lot of different topics in a short amount of time ***

Feedback/Questions

We got a number of replies about last week's VPN question, so thanks to everyone who sent in an email about it - the vpnc package seems to be what we were looking for
Tim writes in
AJ writes in
Peter writes in
Thomas writes in
Martin writes in ***