AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Privilege separation #2192

Open dsheets opened 3 years ago

dsheets commented 3 years ago

Problem Description

AdGuard Home requires lots of privileges on macOS and can be used with reduced but still unnecessary privileges on Linux. As well as processing untrusted input in the form of upstream DNS resolutions and blocklist updates, AGH also offers auto-update functionality. In many deployments, AGH will be running on an already privileged network host like a wifi access point or broadband router. The combination of these features demands improving the security of the AGH process. Finally, a number of system or process security measures like network namespaces and seccomp on Linux have reduced usability with AGH's current design.

Proposed Solution

I would like the option to run AGH in a privilege-separated mode with two executables, a privileged launcher/capability daemon and the full AGH process. The launcher would fork, drop privs, and exec the full process, then listen on a named UNIX domain socket for capability requests from the AGH process, responding with open fds if necessary. The AGH process could then be extensively fortified.

Alternatives Considered

  1. The single AGH binary could execute and drop privileges early in execution. This makes achieving privsep of netlink/ipset or other firewall control impossible.
  2. The launcher could fork with necessary fds already open in the child. This makes it difficult to operate the binaries separately.
  3. The launcher and main process could execute from the same binary with different invocations. This makes use of binary tagging impossible (e.g. could not grant different caps on Linux with varying xattrs).

Additional Information

Both privsep and monolithic operations will need to be maintained. macOS has UNIX domain sockets for passing fds, sandbox_init for fine-grained privilege dropping, and pfctl and friends for managing its firewall (including the 'tables' equivalent of Linux's ipsets).
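The launcher/capability-daemon exchange sketched above, as an added Go example (it is not AdGuard Home code and not a protocol the issue specifies; the request format `<host:port>`, the `ok`/`denied: ...` replies, the port allowlist, the restriction to UDP sockets, and the use of a socketpair in place of the named UNIX socket are all assumptions made here so the two sides can run in one process on Linux or macOS). The privileged side binds the socket and hands the descriptor over with SCM_RIGHTS; the unprivileged side receives it and rebuilds a `net.PacketConn` from it, which is exactly the "where the listening socket fds come from" change discussed later in the thread.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// launcherServe is the privileged side: read one "<host:port>" request, refuse
// it unless the port is allowlisted, bind the UDP socket here and pass the
// descriptor with SCM_RIGHTS. The allowlist matters: without it a compromised
// resolver could use the launcher as an "open any socket" oracle. One request
// per connection avoids framing, which a real protocol on a stream socket needs.
func launcherServe(conn *net.UnixConn, allowed map[string]bool) error {
	deny := func(reason string) error {
		_, err := conn.Write([]byte("denied: " + reason))
		return err
	}
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	if err != nil {
		return err
	}
	addr := string(buf[:n])
	if _, port, err := net.SplitHostPort(addr); err != nil || !allowed[port] {
		return deny("address " + addr + " not permitted")
	}
	pc, err := net.ListenPacket("udp", addr)
	if err != nil {
		return deny(err.Error())
	}
	defer pc.Close()
	f, err := pc.(*net.UDPConn).File() // a dup; the peer gets its own copy
	if err != nil {
		return err
	}
	defer f.Close()
	_, _, err = conn.WriteMsgUnix([]byte("ok"), syscall.UnixRights(int(f.Fd())), nil)
	return err
}

// requestSocket is the unprivileged side: send the request and turn the
// descriptor carried in SCM_RIGHTS into an *os.File. A reply without a
// descriptor is a refusal. Go marks received descriptors close-on-exec.
func requestSocket(conn *net.UnixConn, addr string) (*os.File, error) {
	if _, err := conn.Write([]byte(addr)); err != nil {
		return nil, err
	}
	buf := make([]byte, 256)
	oob := make([]byte, syscall.CmsgSpace(4)) // room for exactly one fd
	n, oobn, _, _, err := conn.ReadMsgUnix(buf, oob)
	if err != nil {
		return nil, err
	}
	if oobn == 0 {
		return nil, fmt.Errorf("launcher replied %q", buf[:n])
	}
	cmsgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
	if err != nil || len(cmsgs) != 1 {
		return nil, fmt.Errorf("bad control message: %v", err)
	}
	fds, err := syscall.ParseUnixRights(&cmsgs[0])
	if err != nil || len(fds) != 1 {
		return nil, fmt.Errorf("expected exactly one fd, got %d", len(fds))
	}
	return os.NewFile(uintptr(fds[0]), "passed-udp"), nil
}

// exchange wires both sides over a socketpair (standing in for the proposal's
// named UNIX socket), runs one request and rebuilds a granted descriptor as a
// net.PacketConn: the unprivileged side now owns the socket the launcher bound.
func exchange(allowed map[string]bool, addr string) (net.Addr, error) {
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return nil, err
	}
	a, errA := net.FileConn(os.NewFile(uintptr(fds[0]), "launcher")) // dups fd
	b, errB := net.FileConn(os.NewFile(uintptr(fds[1]), "agh"))
	if errA != nil || errB != nil {
		return nil, fmt.Errorf("FileConn: %v, %v", errA, errB)
	}
	defer a.Close()
	defer b.Close()
	done := make(chan error, 1)
	go func() { done <- launcherServe(a.(*net.UnixConn), allowed) }()
	f, err := requestSocket(b.(*net.UnixConn), addr)
	if serr := <-done; err == nil {
		err = serr
	}
	if err != nil {
		return nil, err
	}
	defer f.Close()
	pc, err := net.FilePacketConn(f)
	if err != nil {
		return nil, err
	}
	defer pc.Close()
	return pc.LocalAddr(), nil
}

func main() {
	// Allowlisting "0" (ephemeral) only lets the demo run without root; a real
	// launcher would list "53" instead. The second request must be refused.
	fmt.Println(exchange(map[string]bool{"0": true}, "127.0.0.1:0"))
	fmt.Println(exchange(map[string]bool{"0": true}, "127.0.0.1:1053"))
}
```

The TCP listener for DNS over TCP works the same way (`net.Listen`, then `(*net.TCPListener).File()` on the privileged side and `net.FileListener` on the other), and ipset/pfctl control would be further request types over the same socket. The part worth getting right is the narrowness of what the launcher will do on request: the unprivileged process is the one parsing upstream responses and blocklists, so every capability the launcher grants on demand is one an attacker who compromises that process gets too.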

ameshkov commented 3 years ago

This is a massive change, I'd prefer to do this after we finally find time to finish the overall refactoring and introduce the proxy module.

dsheets commented 3 years ago

First order, I think it's mostly changing where the listening socket fds come from, but it does have significant knock-on effects in configuration files, documentation, auto-update, etc. To support ipset/pfctl, it would also require some careful protocol design. On the other hand, it would give AGH a significant advantage over dnsmasq, pihole, etc., and provide good sales material for security nerds -- privacy and security go hand-in-hand. :-)

What is 'the proxy module'? Where can I learn more about that?

ameshkov commented 3 years ago

Content blocking proxy that supports more fine-grained filtering than DNS (cosmetic rules, for instance).

There's a simple implementation already: https://github.com/AdguardTeam/urlfilter/tree/master/cmd