Neat talk from CCC. media.ccc.de/v/39c3-escaping-contai…-security-analysis-of-freebsd-jails

I've had pretty good luck running about everything in hyperv.

i'm testing vm-bhyve to run some bhyve vms, i can't get it to boot anything uefi (openbsd, freebsd, arch, alpine) and yes, I have bhyve-firmware installed

deimosBSD: what about edk2-bhyve ?

and what's the log say / what happens

yeah, i have that

the vm-bhyve.log claims the vm starts fine

deimosBSD: How are you pointing bhyve to the uefi firmware?

yet console is blank as is vnc

vm-bhyve finds it correctly

you should see some efi shiz from watching `vm console`

TommyC: doesn't it just magically find it from /EFI ? i haven't had to do anything like that

just loader="uefi"

Last time I played with bhyve, it did find the bhyve-firmware stuff automagically but it didn't for edk2's firmware.

Dec 31 23:36:52: [bhyve options: -c 1 -m 1G -Hwl bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd -w -U 26d828ee-a834-11ee-bbca-782bcb32b758 -u]

and that file is there, yeah?

here's what I see, all throw away vm, paste.zw.is/upload/QdJlva

and yes, the /usr/local/share/uefi-firmware/ points to ../edk2-bhyve/ files correct

i remember i had to do some weird set tty on the openbsd installer

but i don't know if that was fixed

the tty is sorta normal for serial coms, but this is supposed to provide full uefi graphics, right?

fwiw, this is the config from the vm create command: paste.zw.is/upload/dJzOvd

which is just based on the template for openbsd.conf

if i remove the graphics lines, i get nothing from console

where should we look for patch level changelog? i wanna see if 14.3-p5 needs to be upgraded to p6 or p7

kerneldove_: i think here, freebsd.org/releases/14.3R/errata/#errata

also look up a bit for the security advisories

ok ty

rtj rust would have prevented most of those jail escapes

ah ya, rust mentioned in later slide

ivy ^

How can you oxidase the code?

well like the slide in that talk says, start with adding the infra for rust support, then start writing new code in rust, then over time rewrite old code in rust

Yes, I was just trying to be silly. I guess you could put the code on spinning drives and they'd rust. I'll see myself out.

will you be here all week? :)

perhaps all year

now my test vm is both running and not running

back to reading the source for vm-bhyve

hodapp: I have never really got the container hype... I understand it can help with security, but with my systems just being for friends and family, I've never really felt the need

Sometimes a single podman/docker command to deploy something that would otherwise be complicated can be nice. But most of the times things are straight forward enough I'd rather just do them on the Host OS itself

yeah kind of weird. linux tends to set cores .. but fbsd is all the cores when it comes to throttling with powerd

rust is an unstable language without a formal standard

so it seems like powerd adjusts all cores at once instead of one at a time

SponiX: so, the security argument is meh as their isolation often isn't great, but for me they shine in situations where you need to lock down the exact context something runs in - and that's great for things like reproducible builds where you can guarantee that outside things or previous builds aren't leaking in, or for running unit tests, or for demonstrating a minimum test case for a supposed

bug

SponiX: if you have software that was written like shit in the first place, and it just assumes it can throw things around all over and control the whole OS (without any real excuse for needing this), containers are a really effective way of deploying it while limiting the blast radius. a lot of "real" software is, annoyingly, this.

my problem is when people look at this last effect, and go "oh, since Docker exists, I may as well write the software to completely depend on it!" and throw out the idea of ever picking the right abstraction

zfs question: is a jailed dataset supposed to return permission denied to jail root attempting `zfs snap`?

welp, my openbsd pf rules work "as is" in freebsd pf now

magic

thanks for testing deimosBSD

at least something worked correctly today

ha.. everything works correctly today ;-p

LXGHTNXNG: i think you have to give it permission for zfs

hello guys, what do you think.. will it work to play windows games like WoW, minecraft etc via wine in freebsd? I played WoW for around 15 years ago on linux wine and thats worked fine..

otherwise I need to upgrade this old computer so I can install newer windows 11 so my kid can play some games atleast :P

LXGHTNXNG: please let me know whether is it possible to access snapdir from the jail

LXGHTNXNG: snaphoting can be done by host's root

snapshoting by jail's root never worked for me, but the problem with accessing snaphot dir from the jails is worse

nwe: wine should work about as good as on linux

nimaje: thanks! at the moment I have some problem with my poor usb-wifi dongle going really slow :P

pkg install chromium going in 32kb/s :P

as in the old days :P

How many of you just run freebsd ? No Linux or Windows in the mix?

why do you ask? Some here I would think, but not really able to guess a number

I recently got into freebsd ,  I just wonder what other setup are like

I have  Windows 10 ,  Debian , Gentoo , freebsd

I have run freebsd and openbsd on the pi ,but not on a normal desktop

I use Windows (just for gaming), Linux (if I contribute to something linux only) and daily driving FreeBSD

Nice setup lockna

So all UEFI based systems?

Yes, everything runs on my PC. Only got a macbook which runs Asahi Linux when I'm off for work.

Why you having two linux distros?

Well, my point is to try to make a system  the way I want.

 Gentoo was extreme all command line , small as I could get and still do what I normally do ,  coding , web and watch movies

and what do you use debian fore?

I had been using Ubuntu for most of the 18 years I have been using Linux so , I thought why not try the base

just got it so I could  pick the gui after

Ah, okay

over the years I had tried going down the rabbit  hole distro wise.  and I thought ,  never tried Debian

true, often gets overlooked

What I have done is Ubuntu as my base ,  ventured out ,  void , Arch , Gentoo when I felt like really trying .  One time  Windows , Linux , freebsd

recently last 5 years ,  dual  boot , bios and uefi ,  is that what you call it

hello! I'm building a kernel module from my home directory. it contains a bunch of code not written by myself which has some compile time warnings. I'd like to ignore those warnings ("for now"). what I've tried so far: `make WERROR="-Wno-cast-qual"` - I can see the flag in the compiler command line, but there's also a `-Wcast-qual`, which seems to override it. I've also tried to dabble with /etc/src.conf (WITHOUT_WARNS, WITHOUT_WERROR), but I haven't had any

success (luck) so far. I assume that's a quite easy task if you know the build system a bit better. can somebody help?

hm, something I've tried before, but I might have made a mistake: It seems setting WERROR="" and WARNS="-Wno-cast-qual" in the Makefile helps. let me double check

let me try my crystal ball, maybe that lets me see what build system that kernel module you have from somewhere uses and how it works -- nope, my crystel ball is still broken

ck45: I'm not sure what you mean, compiler warnings should not abort compilation

Remilia: there's a flag that turns warnings into errors: clang.llvm.org/docs/UsersManual.html#cmdoption-Werror - it makes sense to be stricter e.g. for the kernel code. I think the flag is added here: github.com/lattera/freebsd/blob/mas…er/share/mk/bsd.sys.mk#L35C1-L35C11 but I have/had some trouble disabling it

oh

I thiink WITHOUT_WERROR=1 worked fine for me before yeah

but that was in the past

did you pass it to make or in src.conf?

well, seems I have found an equilibrium and it now works. I will check a bit later if it's reproducible

Tell the makers of freebsd thanks from me

tarel2: you can also do freebsd.org/donations

sure, you can, you can give a few bucks and it will make you happier tarel2

i just saw this as #freewilly

#freebsd!

not as in beer, not as in speech, but as a verb, et tu

Why chose freebsd over Linux?  Both unix like but freebsd is smaller. Do you just stick to the few thing you do and not venture out? Or more like  freebsd , some Linux when need and Windows when you want to play games?

tarel2: neither is UNIX

they are Unix-like and partially POSIX-compliant

well, freebsd has one of the largest package repos, so why would the smaller base be a disadvantage?

sorry for non-topic: hi there, does anybody know how can I make the make env "I_DONT_CARE_IF_MY_BUILDS_TARGET_THE_WRONG_RELEASE" work in the poudriere?

So what is a real unix?

a real UNIX system is anything Open Group has certified as UNIX

AIX would be an example

a UNIX has to conform to POSIX and SUS

*real -> official

 Looking at say Windows , more app ,  Linux not as many , Mac less , keep going down ,  where does freebsd land. That is my only point

some version of apples mac os was certified UNIX

nimaje: all versions since 10.5 excluding 10.6

That is odd to me finding out Mac is like based on freebsd or something like that unix-like os

Mac OS uses a mach-like kernel with heavily modified parts of FreeBSD userland

well, it was originally Mach but they introduced a whole lot of changes so it is no longer fully microkernel (then again this is off topic)

The one time , I ran mac on their pc , it was ok.

freebsd a modded version run the ps 4 ?

I would love to look under the hood , not I  have run os and knew what I am doing

media.ccc.de/v/39c3-escaping-contai…-security-analysis-of-freebsd-jails welp that aint good

on the contrary, it's way better when responsible security researchers find and thisclose the information, like they did here

*disclose

yes, crest has done a very good job with this. as well as the people who responded to it.

hey crest you are popular. again. yeeeeey.

?

what have i done this time?

the important part there is "We’ve responsibly disclosed our findings to the FreeBSD security team and are collaborating with them on fixes."

i just asked if they're willing to document their dev setup

which they promised a writeup on

i'm a bit pissed by how much worse my communication with the security team went

it felt like screaming into a black hole that didn't even acknowledge my report

despite including an already weaponized exploit as PoC

*sigh*

polarian: iirc, most of the risk was in the old ipfilter firewall code and interfaces

deimosBSD: classic freebsd not removing legacy code then?

shame

ipfilter is oldest one, and when Darren was writing the code, there were different times

i'm sure someone, somewhere uses ipfilter still, which is why the code still exists

but i could be wrong about the whole topic

maybe it's the secret bypass_kernel_security_for_perf() syscall in jails. ;)

is ipfilter even loaded by default

Remilia: no, neither it's exposed to the jails

I really wish there was a transcript of this talk with slides, not making me actually watch the video.

same

i hear "ai" solves this.

;)

the video has 'auto' captions which are terrible

'a security analysis of Freebies EJLs'

it was a nice talk, a lot of work was needed to complete this PoC breakout, and it should be highly appreciated that those guys have taken whole effort

deimosBSD: mentions ipsec, carp, wifi (lol), NFS, pf, ipfilter and ipfw at least

plus interface ioctls

don't watch the video 39c3 videos on youtube *sigh*

crest: what do you mean?

I can't parse your sentence, sorry :(

there's a superfluous word «video» before «39c3», Remilia

oh

«don't watch the 39c3 videos on youtube»

well, I am watching it on media.ccc.de

very good

What's wrong with watching it on YouTube?

and that is where the 'auto' captions are from

freebsie ejls

freebies ejls*

hilarious

i'm downloaded it and am watching with mpv

(imagine that is correct english)

s/i'm/i/

I feel like automated captions should be last resort when it's anything outside typical time-wasting stand-up type meeting thing

and lack of proper CCs is a show of disrespect to people with hearing issues

"Translators are expensive." -- upper management

this isn't even about translation

just closed captions

also yeah… expensive… €0.045 per source word ahahaha

TommyC: Who needs translations, when you can just set the captioning to the wrong language? :D I sometimes attend such meetings, and have to hold my temper from cracking up at times

DaliborFox: I sometimes like to read Dutch because the language itself can be funnny. :3

DaliborFox: you don't even need wrong language, you need non-native speaker accents

and Teams and Meet both descend into chaos

(also, uncommon/non-English names)

Remilia: sorry i'm operating on 2 hours of sleep

crest: it's time to hit the sack, your shift here is over !

i assumed the bad auto subs where added by youtube because people tend to watch it there instead of on media.ccc.de or the live/timeshift streaming service

mzar: too bad my train from hamburg to berlin took a "little" detour because on track is closed by construction

ha... it happens, I am sorry to hear that, and I hope you'll be able to have at least nap there

and on the other some damned idiot decided that today is a great day for suicide by train

it's end of the year, a week after solstice, people suffer from lack of sunlight and it happens

so the train had to detour via hannover

that's not so bad, you still could have severe winter storm or terrorist attack, let's hope it will get solved and you'll be able to get back home before end of the year

if you have to use a vehicle use your own and don't fuck up a train driver's life on your way out

deimosBSD: the perfect tense in the active voice is formed with «to have». so it'd be «i've downloaded it».

interesting English 101 ongoing here

LXGHTNXNG: grazie

we don't have a two-auxiliary system like italian

but both are indo-european languages, so learning is easy

overstated

the lexicon is almost completely different when you move away from sciencey words

but this has already gone too far for here, let's go to #freebsd-social if we want to continue

hha... yep, but this channel could also become #social, we are building wider community

mzar: you're welcome to easily learn Basque or Finnish/Estonian

or Russian (at a level that does not make people point and laugh)

at least Russian only has 6-7 grammatical cases unlike Finnish

Remilia Finnish/Estonian/Hungarian are from different family, Basque - too far for me to go there

mzar: I'm not sure what you mean, they are Indo-European

they aren't.

Finnish and the gang are Finno-Ugric, which is only related by a couple of loanwords to IE

oh wait, right, Uralic

I am running on a 40 minute nap

though to me they are all weird because my native language is Ainu :D

Basque is a paleo-european language of the Vasconic family (of which it's the only surviving descendant as well as one of like four or five descendants of which we have any records at all), one of the last remnants of the languages once spoken by archaic Europeans before the proto-Ukrainians arrived with their bubonic plague and their indo-european languages. Etruscan, which we do not have

complete records of and which is extinct, is either a language isolate or of a "Tyrsenian" (if I spelled that right) family, not related to the Vasconic languages

wtf are 'proto-Ukrainians'

Remilia, 0.045 per source word? Poor human ranlators, having to complete with the artificial idiot...

* compete

ant-x: sometimes you can get 0.055 but 0.045 is very common for freelance work in my original language pair (RU→JA) and also in EN→RU

getting anything RU→JA consistently is a pipe dream outside government work anyway

should not have majored in Russian :D

I am Russian. Which language is JA? Not Japanese?

^ So it /is/ Japanese, and not jp.

Remilia, I misread 0.045 for 0.0045. 20 words to a Euro actally sounds good to me.

ant-x: yeah you typically can earn around 400-500 a month if you are lucky

Remilia: I am referring to the Indo-Europeans who had domesticated horses but not invented agriculture and lived in what's now southern Ukraine and southwestern Russia, before moving north, west and east

it's a misleading term

LXGHTNXNG: history.stackexchange.com/a/17399 see here and forget that bs

has maps included and full explanation

Remilia, I remember that in the 1930ies writers of weird fiction (Lovecraft and friends) were paid 0.01$ per word for original fiction rather than translation.

respectfully, "indo-europeans out from yamnaya is bullshit" is not a conversation for #freebsd.

ant-x: you are always paid per source of course

But nowadays you are allowed to cheat with GoogleTranslatin &c?

why would you ever do that

/I/ would not, but peole routinly do it to save effort.

LXGHTNXNG: there are Strange People pushing 'proto-Ukrainians' pseudoscientific stuff that was thoroughly debunked before

^ They would run the entire text through Google Translate, make a few amendments, and call it a job done.

and indeed, pseudoscience should be off topic anywhere

You talking about the great ancient civilisation that dug out the black sea :-?

ant-x: I'd share my thoughts on MTL but this is not the right channel and you aren't in #freebsd-social

Right.

Perhaps, I'll see you there sometime.

Cripes.

Is anyone here using the X11's starndard windows manage, twm, on their FreeBSD machine?

* window manager

1. why would i 2. maybe i should (re?) try it sometime

LXGHTNXNG, small & beautiful & ususual: <cpcnw.co.uk/twm/twmrc.htm> .

I simply remain a windowmaker user

Better than widomaker :-)

^ as I frequently mistype the word.

I think it was the nicest WM I tried in 1998 and it stuck

(that is, nicest after IID)

but you can't have IID on FreeBSD so

was IID's window manager called 4Dwm I forgot

I asked about twm because I have problems with using it with complicated software such as Firefox.

What is IID?

IRIX Interactive Desktop

^ It is a beauty, confirmed.

I dislike vector interfaces, and most of the time vector fonts as well.