From: Herbert Poetzl <herbert@13thfloor.at>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Chris Wright <chrisw@sous-sol.org>,
David Lang <dlang@digitalinsight.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Sam Vilain <sam@vilain.net>,
Nick Piggin <nickpiggin@yahoo.com.au>,
Bill Davidsen <davidsen@tmr.com>,
Linux Kernel ML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Virtualization steps
Date: Thu, 30 Mar 2006 17:30:12 +0200 [thread overview]
Message-ID: <20060330153012.GA16720@MAIL.13thfloor.at> (raw)
In-Reply-To: <20060330143224.GC6933@sergelap.austin.ibm.com>
On Thu, Mar 30, 2006 at 08:32:24AM -0600, Serge E. Hallyn wrote:
> Quoting Chris Wright (chrisw@sous-sol.org):
> > * David Lang (dlang@digitalinsight.com) wrote:
> > > what if the people administering the container are different from the
> > > people administering the host?
> >
> > Yes, I alluded to that.
> >
> > > in that case the people working in the container want to be able to
> > > implement and change their own policy, and the people working on the host
> > > don't want to have to implement changes to their main policy config (wtih
> > > all the auditing that would be involved with it) every time a container
> > > wants to change it's internal policy.
> >
> > *nod*
> >
> > > I can definantly see where a container aware policy on the master would be
> > > useful, but I can also see where the ability to nest seperate policies
> > > would be useful.
> >
> > This is all fine. The question is whether this is a policy management
> > issue or a kernel infrastructure issue. So far, it's not clear that this
> > really necessitates kernel infrastructure changes to support container
> > aware policies to be loaded by physical host admin/owner or the virtual
> > host admin. The place where it breaks down is if each virtual host
> > wants not only to control its own policy, but also its security model.
>
> What do you define as 'policy', and how is it different from the
> security model?
>
> > Then we are left with stacking modules or heavier isolation (as in Xen).
>
> Hmm, talking about 'container' in this sense is confusing, because we're
> not yet clear on what a container is.
>
> So I'm trying to get a handle on what we really want to do.
>
> Talking about namespaces is tricky. For instance if I do
> clone(CLONE_NEWNS), the new process is in a new fs namespace, but the
> fs objects are still the same, so if it loads an LSM, then perhaps at
> most the new process should only control mount activities in its own
> namespace.
>
> Frankly I thought, and am still not unconvinced, that containers owned
> by someone other than the system owner would/should never want to load
> their own LSMs, so that this wasn't a problem. Isolation, as Chris has
> mentioned, would be taken care of by the very nature of namespaces.
>
> There are of course two alternatives... First, we might want to
> allow the machine admin to insert per-container/per-namespace LSMs.
> To support this case, we would need a way for the admin to tag a
> container some way identifying it as being subject to a particular set
> of security_ops.
>
> Second, we might want container admins to insert LSMs. In addition
> to a straightforward way of tagging subjects/objects with their
> container, we'd need to implement at least permissions for "may insert
> global LSM", "may insert container LSM", and "may not insert any LSM."
> This might be sufficient if we trust userspace to always create full
> containers. Otherwise we might want to support meta-policy along the
> lines of "may authorize ptrace and mount hooks only", or even "not
> subject to the global inode_permission hook, and may create its own."
sorry folks, I don't think that we _ever_ want container
root to be able to load any kernel modues at any time
without having CAP_SYS_ADMIN or so, in which case the
modules can be global as well ... otherwise we end up
as a bad Xen imitation with a lot of security issues,
where it should be a security enhancement ...
best,
Herbert
> (yuck)
>
> But so much of this depends on how the namespaces/containers end up
> being implemented...
>
> -serge
next prev parent reply other threads:[~2006-03-30 15:30 UTC|newest]
Thread overview: 127+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-03-24 17:19 [RFC] Virtualization steps Kirill Korotaev
2006-03-24 17:33 ` Nick Piggin
2006-03-24 19:25 ` Dave Hansen
2006-03-24 19:53 ` Eric W. Biederman
2006-03-28 4:28 ` Bill Davidsen
2006-03-28 5:31 ` Sam Vilain
2006-03-28 6:45 ` [Devel] " Kir Kolyshkin
2006-03-28 21:59 ` Sam Vilain
2006-03-28 22:24 ` Kir Kolyshkin
2006-03-28 23:28 ` Sam Vilain
2006-03-29 9:13 ` Kirill Korotaev
2006-03-29 11:08 ` Sam Vilain
2006-03-29 13:45 ` Herbert Poetzl
2006-03-29 14:47 ` Kirill Korotaev
2006-03-29 17:29 ` Herbert Poetzl
2006-03-29 21:37 ` Sam Vilain
2006-04-12 8:28 ` Kirill Korotaev
2006-04-13 1:05 ` Herbert Poetzl
2006-04-13 6:52 ` Kirill Korotaev
2006-04-13 13:42 ` Herbert Poetzl
2006-04-13 21:33 ` Cedric Le Goater
2006-04-13 22:45 ` Herbert Poetzl
2006-04-14 7:41 ` Kirill Korotaev
2006-04-14 9:56 ` Cedric Le Goater
2006-04-15 19:29 ` Herbert Poetzl
2006-04-13 22:51 ` Kir Kolyshkin
2006-04-14 10:08 ` Cedric Le Goater
2006-04-15 19:31 ` Herbert Poetzl
2006-03-28 8:52 ` Herbert Poetzl
2006-03-28 9:00 ` Nick Piggin
2006-03-28 14:26 ` Herbert Poetzl
2006-03-28 14:44 ` Nick Piggin
2006-03-29 6:05 ` Eric W. Biederman
2006-03-29 6:19 ` Sam Vilain
2006-03-29 18:20 ` Chris Wright
2006-03-29 22:36 ` Sam Vilain
2006-03-29 22:52 ` Chris Wright
2006-03-29 23:01 ` Sam Vilain
2006-03-29 23:13 ` Chris Wright
2006-03-29 23:18 ` Sam Vilain
2006-03-29 23:28 ` Chris Wright
2006-03-30 1:02 ` Eric W. Biederman
2006-03-30 1:36 ` Chris Wright
2006-03-30 1:41 ` David Lang
2006-03-30 2:04 ` Chris Wright
2006-03-30 14:32 ` Serge E. Hallyn
2006-03-30 15:30 ` Herbert Poetzl [this message]
2006-03-30 16:43 ` Serge E. Hallyn
2006-03-30 18:00 ` Eric W. Biederman
2006-03-31 13:40 ` Serge E. Hallyn
2006-03-30 16:07 ` Stephen Smalley
2006-03-30 16:15 ` Serge E. Hallyn
2006-03-30 18:55 ` Chris Wright
2006-03-30 18:44 ` Eric W. Biederman
2006-03-30 19:07 ` Chris Wright
2006-03-31 5:36 ` Eric W. Biederman
2006-03-31 5:51 ` Chris Wright
2006-03-31 6:52 ` Eric W. Biederman
2006-03-30 18:53 ` Chris Wright
2006-03-30 2:48 ` Eric W. Biederman
2006-03-30 19:23 ` Chris Wright
2006-03-31 6:00 ` Eric W. Biederman
2006-03-31 14:52 ` Stephen Smalley
2006-03-31 16:39 ` Eric W. Biederman
2006-03-30 13:29 ` Serge E. Hallyn
2006-03-30 13:37 ` Eric W. Biederman
2006-03-30 14:55 ` Serge E. Hallyn
2006-03-30 2:24 ` Sam Vilain
2006-03-30 3:01 ` Eric W. Biederman
2006-03-30 3:26 ` Nick Piggin
2006-03-30 10:30 ` Eric W. Biederman
2006-04-11 10:32 ` Kirill Korotaev
2006-04-11 11:14 ` Nick Piggin
2006-04-11 14:44 ` Kirill Korotaev
2006-03-28 9:00 ` Kirill Korotaev
2006-03-28 14:41 ` Bill Davidsen
2006-03-28 15:03 ` Eric W. Biederman
2006-03-28 17:48 ` Jeff Dike
2006-03-28 23:07 ` Sam Vilain
2006-03-29 20:56 ` Bill Davidsen
2006-03-28 20:29 ` [Devel] " Jun OKAJIMA
2006-03-28 20:50 ` Kir Kolyshkin
2006-03-28 21:38 ` Jun OKAJIMA
2006-03-28 21:51 ` Eric W. Biederman
2006-03-28 23:18 ` Sam Vilain
2006-04-03 16:47 ` Bill Davidsen
2006-04-11 10:38 ` Kirill Korotaev
2006-04-11 16:20 ` Herbert Poetzl
2006-04-11 18:12 ` Kir Kolyshkin
2006-04-12 5:12 ` Andi Kleen
2006-04-12 6:55 ` Kirill Korotaev
2006-04-12 6:53 ` Andi Kleen
2006-04-12 7:51 ` Kirill Korotaev
2006-04-12 17:03 ` Andi Kleen
2006-04-12 17:20 ` Eric W. Biederman
2006-04-13 16:54 ` Alexey Kuznetsov
2006-04-30 13:22 ` Bill Davidsen
2006-04-30 21:34 ` Sam Vilain
2006-05-01 12:27 ` Kirill Korotaev
2006-05-03 20:32 ` Bill Davidsen
2006-03-28 9:02 ` Kirill Korotaev
2006-03-28 9:15 ` Nick Piggin
2006-03-28 15:35 ` Herbert Poetzl
2006-03-28 15:53 ` Nick Piggin
2006-03-28 16:31 ` Eric W. Biederman
2006-03-29 21:37 ` Bill Davidsen
2006-03-28 16:15 ` Eric W. Biederman
2006-03-28 23:04 ` Sam Vilain
2006-03-29 1:39 ` Kirill Korotaev
2006-03-29 13:47 ` Herbert Poetzl
2006-03-28 15:48 ` [Devel] " Matt Ayres
2006-03-28 15:48 ` Matt Ayres
2006-03-28 16:42 ` Eric W. Biederman
2006-03-28 17:04 ` Matt Ayres
2006-03-28 17:04 ` Matt Ayres
2006-03-29 0:55 ` Kirill Korotaev
2006-03-24 18:36 ` Eric W. Biederman
2006-03-24 21:19 ` Herbert Poetzl
2006-03-27 18:45 ` Eric W. Biederman
2006-03-28 8:51 ` Kirill Korotaev
2006-03-28 12:53 ` Serge E. Hallyn
2006-03-28 22:51 ` Sam Vilain
2006-03-29 20:30 ` Dave Hansen
2006-03-29 20:47 ` Eric W. Biederman
2006-03-29 22:44 ` Sam Vilain
2006-03-30 13:51 ` Kirill Korotaev
2006-03-28 21:58 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060330153012.GA16720@MAIL.13thfloor.at \
--to=herbert@13thfloor.at \
--cc=chrisw@sous-sol.org \
--cc=davidsen@tmr.com \
--cc=dlang@digitalinsight.com \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nickpiggin@yahoo.com.au \
--cc=sam@vilain.net \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.