Open dsheets opened 3 years ago
This is a massive change, I'd prefer to do this after we finally find time to finish the overall refactoring and introducing the proxy module.
First order, I think it's mostly changing where the listening socket fds come from but it does have significant knock-on effects in configuration files, documentation, auto-update, etc. To support ipset/pfctl, it would also require some careful protocol design. On the other hand, it would give AGH a significant advantage over dnsmasq, pihole, etc and provide good sales material for security nerds -- privacy and security go hand-in-hand. :-)
What is 'the proxy module'? Where can I learn more about that?
Content blocking proxy that supports more fine-grained filtering than DNS (cosmetic rules, for instance).
There's a simple implementation already: https://github.com/AdguardTeam/urlfilter/tree/master/cmd
Problem Description
AdGuard Home requires lots of privileges on macOS and can be used with reduced but still unnecessary privileges on Linux. As well as processing untrusted input in the form of upstream DNS resolutions and blocklist updates, AGH also offers auto-update functionality. In many deployments, AGH will be running on an already privileged network host like a wifi access point or broadband router. The combination of these features demands improving the security of the AGH process. Finally, a number of system or process security measures like network namespaces and seccomp on Linux have reduced usability with AGH's current design.
Proposed Solution
I would like the option to run AGH in a privilege-separated mode with two executables, a privileged launcher/capability daemon and the full AGH process. The launcher would fork, drop privs, and exec the full process and listen on a named UNIX domain socket for capability requests from the AGH process responding with open fds if necessary. The AGH process could then be extensively fortified.
Alternatives Considered
Additional Information
Both privsep and monolithic operations will need to be maintained. macOS has UNIX domain sockets for passing fds, `sandbox_init` for fine-grained privilege dropping, and `pfctl` and friends for managing its firewall (including the 'tables' equivalent of Linux's ipsets).
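The launcher/worker capability exchange from the proposal, as an added example that is not AdGuard Home code: the launcher side checks each bind request against an allow-list and passes the resulting listening socket over the UNIX domain socket with SCM_RIGHTS, and the worker side rebuilds a net.Listener from the received fd. The request wording (`listen <network> <addr>`), the `ok`/`denied:` replies and the allow-list contents are assumptions made for this example.

```go
package main

import (
	"errors"
	"net"
	"os"
	"strings"
	"syscall"
)

// allowed is the launcher's policy (assumed for this example): the only listeners it will bind on request.
var allowed = map[string]bool{"tcp 127.0.0.1:0": true}

// serveOne is the privileged launcher side: read one "listen <network> <addr>" request (format assumed),
// check it against the policy, bind, and pass the listening fd to the worker via SCM_RIGHTS.
func serveOne(conn *net.UnixConn) error {
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	if err != nil { return err }
	f := strings.Fields(string(buf[:n]))
	if len(f) != 3 || f[0] != "listen" || !allowed[f[1]+" "+f[2]] {
		_, err = conn.Write([]byte("denied: " + string(buf[:n]))) // the refusal is reported to the worker
		return err
	}
	ln, err := net.Listen(f[1], f[2])
	if err != nil { return err }
	defer ln.Close() // File() returns a dup, so the worker's copy outlives this listener
	file, err := ln.(*net.TCPListener).File()
	if err != nil { return err }
	defer file.Close()
	_, _, err = conn.WriteMsgUnix([]byte("ok "+ln.Addr().String()), syscall.UnixRights(int(file.Fd())), nil)
	return err
}

// requestListener is the unprivileged worker side: ask for a socket and rebuild a
// net.Listener from the fd carried in the control message, rejecting malformed replies.
func requestListener(conn *net.UnixConn, network, addr string) (net.Listener, error) {
	if _, err := conn.Write([]byte("listen " + network + " " + addr)); err != nil { return nil, err }
	buf, oob := make([]byte, 256), make([]byte, syscall.CmsgSpace(4)) // room for exactly one fd
	n, oobn, _, _, err := conn.ReadMsgUnix(buf, oob)
	if err != nil { return nil, err }
	if !strings.HasPrefix(string(buf[:n]), "ok ") { return nil, errors.New(string(buf[:n])) }
	msgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
	if err != nil || len(msgs) != 1 { return nil, errors.New("expected exactly one control message") }
	fds, err := syscall.ParseUnixRights(&msgs[0])
	if err != nil || len(fds) != 1 { return nil, errors.New("expected exactly one fd") }
	f := os.NewFile(uintptr(fds[0]), "passed-listener")
	defer f.Close() // FileListener dups the fd; the worker now owns the socket
	return net.FileListener(f)
}
```

Connect the two ends over a socketpair (or the launcher's named socket), run serveOne on the launcher end and requestListener on the worker end; a request outside the allow-list comes back as a `denied:` error instead of a socket, so the worker never holds a bind capability the launcher did not grant.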