From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755328Ab1A1TLG (ORCPT ); Fri, 28 Jan 2011 14:11:06 -0500 Received: from mx1.redhat.com ([209.132.183.28]:10827 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755224Ab1A1TLD (ORCPT ); Fri, 28 Jan 2011 14:11:03 -0500 From: Steve Grubb Organization: Red Hat To: "Serge E. Hallyn" Subject: Re: [PATCH] System Wide Capability Bounding Set Date: Fri, 28 Jan 2011 14:10:29 -0500 User-Agent: KMail/1.13.5 (Linux/2.6.35.10-74.fc14.x86_64; KDE/4.5.5; x86_64; ; ) Cc: Eric Paris , "Andrew G. Morgan" , "Serge E. Hallyn" , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org References: <1294266337.3237.45.camel@localhost.localdomain> <201101270942.07689.sgrubb@redhat.com> <20110128184901.GA5134@localhost> In-Reply-To: <20110128184901.GA5134@localhost> MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <201101281410.29794.sgrubb@redhat.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Friday, January 28, 2011 01:49:01 pm Serge E. Hallyn wrote: > > Using a wrapper program is a NOGO because the admin renting the machine > > would be able to overwrite the wrapper and then they have arbitrary > > code running with full privs and > > Not sure I've got this. Wrapper program in the VM he can over-write, > but then he can overwrite the kernel too. No, because the kernel is only read in at boot. After that, /boot can disapear and it won't matter. It can be replaced with something and that won't matter because that's not the real boot partition. > But what we are worried about is the host, so you must mean that. But if the > wrapper program is of type noone_may_write_this_t, then wouldn't finding a way to > replace that be as hard as overwriting the host kernel? No, because we aren't taking away the ability to mount or unmount. Not to mention that root can replace his selinux policy so that next boot it doesn't define noone_may_write_this_t. He might even put selinux in his VM in permissive. > Which, of course, still remains as a viable attack vector for the guest admin, > whether you have this bounding set or not. No, with the bounding set, any external call the kernel makes has the bounding set applied. This means we don't have to further restrict root in unnatural ways. > In other words, we have to accept that the TCB is always not just the > kernel, but some user-space too. And yes, the wrapper program here > would be part of the TCB. If you give someone root access in the VM, they probably want to set things up their way. So, we really would like it if all the security mechanism were inside where they can't be easily tampered with. -Steve