Re: LSM and Containers - Crispin Cowan

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Crispin Cowan <crispin@crispincowan.com>
To: Peter Dolding <oiaohm@gmail.com>
Cc: linux-security-module@vger.kernel.org,
	Containers <containers@lists.osdl.org>
Subject: Re: LSM and Containers
Date: Wed, 24 Oct 2007 16:21:44 -0700	[thread overview]
Message-ID: <471FD388.1050707@crispincowan.com> (raw)
In-Reply-To: <e7d8f83e0710241607k6d7ed6f8m2e7418478ef8cbb0@mail.gmail.com>

Peter Dolding wrote:
> The other thing you have not though of and is critical.  If LSM is the
> same LSM across all containers.  What happens if that is breached and
> tripped to disable.  You only want to loss one container to a breach
> not the whole box and dice in one hit.  Its also the reason why my
> design does not have a direct link between controllers.  No cascade
> threw system to take box and dice.
>   
Sorry, but I totally disagree.

If you obtain enough privilege to disable the LSM in one container, you
also obtain enough privilege to disable *other* LSMs that might be
operating in different containers. This is a limitation of the
Containers feature, not of LSM.

The purpose of LSM would be to manage privilege such that you cannot do
damage, and in particular, any LSM that fails to prevent an attacker
from disabling the LSM itself has failed, either in design, or in having
an inadequate policy in place.

> The more I look at it more holes I find why the current LSM model just
> cannot keep on existing with Containers.   Its not the best option.
> Hacking it to work with containers is only creating risks of more
> problems.  The LSM model as also breed that problem of not sharing
> security tech advantages to everyone.  Ie if they don't use our LSM
> they don't need/deserve our defense.
>   
Again, I completely disagree.

Well, I agree that the hacking you proposed to permit different LSMs in
different containers is a bad idea, so lets not do that :)

I see no need to support different LSMs in different containers. The
complexity of such a feature would be very high. The utility strikes me
as being very low; people who want that degree of separation of
containers should be using Xen or KVM, not Containers.

> Different LSM per container from a security point of view appears
> critical.  Sorry to say redesign from the ground up time everyone.
> Its a round peg into a square hole yes you can bash it in but it will
> never fit right.
>   
I have no idea how you can support such assertions. Absolutely not. It
is quite clear that the way to address security for containers is to
enhance individual LSM modules to be container-aware so that you can
have separate policies in the separate containers. That is in keeping
with the spirit of sharing the kernel, and providing separate instances
to the users.

> ps sorry for going on so long I just see this as a major problem.   If
> you have a solution to it tell me.  Since a cut line has be put
> somewhere with containers.
>   
Where as I see it as a very minor problem, and very easy to fix without
any re-design of LSM, or of Containers. It only requires container-aware
LSM modules.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
	       Itanium. Vista. GPLv3. Complexity at work

next prev parent reply	other threads:[~2007-10-24 23:21 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-10-22  2:24 LSM conversion to static interface Thomas Fricaccia
2007-10-22  3:59 ` Greg KH
2007-10-22 17:47   ` Avi Kivity
     [not found]     ` <e7d8f83e0710221559i6b14469fjebceee12c6dec98e@mail.gmail.com>
     [not found]       ` <471D8877.5030901@crispincowan.com>
2007-10-23 13:32         ` LSM and Containers (was: LSM conversion to static interface) Serge E. Hallyn
2007-10-23 17:57           ` LSM and Containers Crispin Cowan
2007-10-24  0:07             ` Peter Dolding
2007-10-24 23:07               ` Peter Dolding
2007-10-24 23:21                 ` Crispin Cowan [this message]
2007-10-25  0:20                   ` Peter Dolding
2007-10-25  1:44                     ` Serge E. Hallyn
2007-10-25  4:31                       ` Peter Dolding
2007-10-23 16:05     ` LSM conversion to static interface Adrian Bunk
2007-10-23 16:52   ` Geert Uytterhoeven
2007-10-22 10:07 ` Alan Cox
2007-10-22 16:10   ` Crispin Cowan
2007-10-22 16:50     ` Alan Cox
2007-10-22 16:56       ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=471FD388.1050707@crispincowan.com \
    --to=crispin@crispincowan.com \
    --cc=containers@lists.osdl.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=oiaohm@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.