authorColin Percival <cperciva@FreeBSD.org>2020-01-27 09:01:16 +0000
committerColin Percival <cperciva@FreeBSD.org>2020-01-27 09:01:16 +0000
commitc229fb7438bb19523ec1dfd2ed63f83a4976a5e5 (patch)
tree0d8260b154a3819d6a2528bfde1e20a2947d81c8
parentd845b59c1abb0881f655545f097e16f336330d0e (diff)
downloadports-c229fb7438bb19523ec1dfd2ed63f83a4976a5e5.tar.gz
ports-c229fb7438bb19523ec1dfd2ed63f83a4976a5e5.zip
Add imds-filterd.
The imds-filterd tool allows administrators of EC2 instances to lock down which data from the Instance Metadata Service can be accessed by specified system users and groups, thereby making the EC2 Instance Metadata Service compatible with traditional UNIX privilege separation. Reviewed by: otis, dizzy, lwhsu Sponsored by: Tarsnap Backup Inc.
Notes
Notes: svn path=/head/; revision=524248
-rw-r--r--GIDs2
-rw-r--r--UIDs2
-rw-r--r--security/Makefile1
-rw-r--r--security/imds-filterd/Makefile44
-rw-r--r--security/imds-filterd/distinfo3
-rw-r--r--security/imds-filterd/pkg-descr12
-rw-r--r--security/imds-filterd/pkg-message14
7 files changed, 76 insertions, 2 deletions
diff --git a/GIDs b/GIDs
index 95edef391cad..d0c1e23953a9 100644
--- a/GIDs
+++ b/GIDs
@@ -194,7 +194,7 @@ sems:*:250:
# free: 251
# free: 252
_adsuck:*:253:
-# free: 254
+imds:*:254:
_i2pd:*:255:
_tor:*:256:
_smtpd:*:257:
diff --git a/UIDs b/UIDs
index 8bb4e4669ca7..2cab89d3fda3 100644
--- a/UIDs
+++ b/UIDs
@@ -199,7 +199,7 @@ sems:*:250:250::0:0:SIP Express Media Server:/nonexistent:/usr/sbin/nologin
# free: 251
# free: 252
_adsuck:*:253:253::0:0:Adsuck ad blocking user:/nonexistent:/usr/sbin/nologin
-# free: 254
+imds:*:254:254::0:0:Instance Metadata Service filter:/nonexistent:/usr/sbin/nologin
_i2pd:*:255:255::0:0:I2P daemon:/var/db/i2pd:/usr/sbin/nologin
_tor:*:256:256::0:0:Tor anonymizing router:/var/db/tor:/usr/sbin/nologin
_smtpd:*:257:257::0:0:OpenSMTPD:/var/empty:/usr/sbin/nologin
diff --git a/security/Makefile b/security/Makefile
index 2caa964693f3..ba7dc3883e5d 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -226,6 +226,7 @@
SUBDIR += idea
SUBDIR += identify
SUBDIR += ike
+ SUBDIR += imds-filter
SUBDIR += integrit
SUBDIR += ipfcount
SUBDIR += ipfilter2dshield
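Review bot: The subdirectory added here is `imds-filter`, but the port directory created by this same commit is `security/imds-filterd`, so the category Makefile points at a path that does not exist and the new port is unreachable from a category-level build or index run. The line should read `SUBDIR += imds-filterd`; it still sorts correctly between `ike` and `integrit`.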
diff --git a/security/imds-filterd/Makefile b/security/imds-filterd/Makefile
new file mode 100644
index 000000000000..d43ebdd232ec
--- /dev/null
+++ b/security/imds-filterd/Makefile
@@ -0,0 +1,44 @@
+# $FreeBSD$
+
+PORTNAME= imds-filterd
+DISTVERSION= 0.1
+CATEGORIES= security
+
+MAINTAINER= cperciva@FreeBSD.org
+COMMENT= Provides per user/group access controls to the EC2 IMDS
+
+LICENSE= BSD2CLAUSE
+LICENSE_FILE= ${WRKSRC}/COPYRIGHT
+
+USE_GITHUB= YES
+GH_ACCOUNT= cperciva
+
+# Install binaries into ${STAGEDIR}${PREFIX}/sbin
+MAKE_ARGS+= BINDIR=${STAGEDIR}${PREFIX}/sbin
+
+PORTDOCS= README.md USAGE
+PLIST_FILES= etc/rc.d/imds-filterd \
+ etc/rc.d/imds-proxy \
+ sbin/imds-filterd \
+ sbin/imds-proxy \
+ "@sample etc/newsyslog.conf.d/imds.conf.sample" \
+ "@sample etc/syslog.d/imds.conf.sample" \
+ "@sample etc/imds.conf.sample"
+
+OPTIONS_DEFINE= DOCS
+
+USERS= imds
+GROUPS= imds
+
+post-install:
+ @${MKDIR} ${STAGEDIR}${DOCSDIR}
+ ${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}
+ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/syslog.d
+ ${INSTALL_DATA} ${WRKSRC}/freebsd-conf/syslog-imds.conf ${STAGEDIR}${PREFIX}/etc/syslog.d/imds.conf.sample
+ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d
+ ${INSTALL_DATA} ${WRKSRC}/freebsd-conf/newsyslog-imds.conf ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/imds.conf.sample
+ ${INSTALL_DATA} ${WRKSRC}/imds.conf ${STAGEDIR}${PREFIX}/etc/imds.conf.sample
+ ${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-filterd ${STAGEDIR}${PREFIX}/etc/rc.d/imds-filterd
+ ${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-proxy ${STAGEDIR}${PREFIX}/etc/rc.d/imds-proxy
+
+.include <bsd.port.mk>
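Review bot: README.md and USAGE are installed unconditionally in `post-install` (the `${MKDIR} ${STAGEDIR}${DOCSDIR}` line and the `${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,}` line), while `OPTIONS_DEFINE= DOCS` lets the user switch DOCS off; with it off the files are still staged but their `%%PORTDOCS%%` plist entries are dropped, so the stage plist check will flag them as orphaned. Move those two lines into a separate `post-install-DOCS-on:` target, i.e. `post-install-DOCS-on:` / `@${MKDIR} ${STAGEDIR}${DOCSDIR}` / `${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}`, and leave the rest of `post-install` as is. The `@sample etc/imds.conf.sample` entry installs the access ruleset that decides which users may reach IMDS paths, so a short comment above `PLIST_FILES` such as `# etc/imds.conf is the IMDS access policy; its defaults are security-relevant` would help anyone touching this port later.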
diff --git a/security/imds-filterd/distinfo b/security/imds-filterd/distinfo
new file mode 100644
index 000000000000..f73b37bf1732
--- /dev/null
+++ b/security/imds-filterd/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1580074291
+SHA256 (cperciva-imds-filterd-0.1_GH0.tar.gz) = e0e8b28046b2a917e110d1313242947aa6901635e81552107ab2f6a2fba83441
+SIZE (cperciva-imds-filterd-0.1_GH0.tar.gz) = 64011
diff --git a/security/imds-filterd/pkg-descr b/security/imds-filterd/pkg-descr
new file mode 100644
index 000000000000..af8b6b6a54ee
--- /dev/null
+++ b/security/imds-filterd/pkg-descr
@@ -0,0 +1,12 @@
+imds-filterd (pronounced "I M D S Filter D") is a pair of utilities which
+work together to intercept and filter requests to the EC2 Instance Metadata
+Service -- or theoretically any other service at 169.254.169.254:80.
+
+It validates requests against a configured ruleset which specifies whether
+given users and groups should be allowed or denied access to certain prefixes
+in the Instance Metadata Service. For example, "root" could be granted
+access to everything; most unprivileged users granted access to everything
+except IAM role credentials; but the www user denied access to the entire
+Instance Metadata Service in order to guard against SSRF and similar attacks.
+
+WWW: http://github.com/cperciva/imds-filterd
diff --git a/security/imds-filterd/pkg-message b/security/imds-filterd/pkg-message
new file mode 100644
index 000000000000..7b680f611530
--- /dev/null
+++ b/security/imds-filterd/pkg-message
@@ -0,0 +1,14 @@
+[
+{ type: install
+ message: <<EOM
+To enable imds-filterd, add imds_filterd_enable=YES to /etc/rc.conf.
+
+To configure imds-filterd, edit $PREFIX/etc/imds.conf.
+
+imds-filterd ships with configurations for syslogd and newsyslog which log
+accesses to the Instance Metadata Service to /var/log/imds.log and rotate
+this file upon reaching 1 MB; these settings can be modified via
+$PREFIX/etc/{syslog.d, newsyslog.conf.d}/imds.conf.
+EOM
+}
+]