Subject: Re: [ISC-Bugs #35184] isc-dhcpd sandboxing patch
From: Loganaden Velvindron
To: Michael McNally via RT
Date: Mon, 24 Feb 2014 04:51:10 -0800
Message-ID: <20140224125110.GA8537@mx.elandsys.com>
References: <20140111071407.GA5742@mx.elandsys.com>

On Thu, Jan 23, 2014 at 06:07:14PM +0000, Michael McNally via RT wrote:
> On Sat Jan 11 07:14:25 2014, logan@elandsys.com wrote:
> > Dear Jeremy and ISC team,
> >
> > I'm currently running with isc-dhcpd sandboxed on Production Ubuntu
> > servers.
> >
> > The patch restricts dhcpd to a small number of whitelisted C functions
> > using seccomp. OpenSSH and systemd ship with a similar sandbox on Linux.
> >
> > This prevents exploits that use execve() and such.
> >
> > If there is interest in such a patch, I'm willing to improve it further
> > based on the feedback I get from ISC.
>
> Hello.
>
> Thank you for your patch, and apologies for the slow response --
> our DHCP team has been very busy putting the finishing touches
> on DHCP 4.3.0 and new maintenance versions of 4.2.x and 4.1-ESV.

I saw that DHCP 4.3.0 was released. I would like to know if there is
interest in the sandboxing patch for the next release of ISC-dhcpd. I've
made further improvements to it.

>
> Your patch looks interesting and will be forwarded to the development
> team for assessment, but probably will not receive scrutiny until after
> the release schedules currently in process are completed.
>
> Thank you, though, for your submission and for your efforts to help
> us improve ISC DHCP.
>
> Michael McNally
> ISC Support
>