From: Herbert Poetzl <herbert@13thfloor.at>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Chris Wright <chrisw@sous-sol.org>,
David Lang <dlang@digitalinsight.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Sam Vilain <sam@vilain.net>,
Nick Piggin <nickpiggin@yahoo.com.au>,
Bill Davidsen <davidsen@tmr.com>,
Linux Kernel ML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Virtualization steps
Date: Thu, 30 Mar 2006 17:30:12 +0200 [thread overview]
Message-ID: <20060330153012.GA16720@MAIL.13thfloor.at> (raw)
In-Reply-To: <20060330143224.GC6933@sergelap.austin.ibm.com>
On Thu, Mar 30, 2006 at 08:32:24AM -0600, Serge E. Hallyn wrote:
> Quoting Chris Wright (chrisw@sous-sol.org):
> > * David Lang (dlang@digitalinsight.com) wrote:
> > > what if the people administering the container are different from the
> > > people administering the host?
> >
> > Yes, I alluded to that.
> >
> > > in that case the people working in the container want to be able to
> > > implement and change their own policy, and the people working on the host
> > > don't want to have to implement changes to their main policy config (wtih
> > > all the auditing that would be involved with it) every time a container
> > > wants to change it's internal policy.
> >
> > *nod*
> >
> > > I can definantly see where a container aware policy on the master would be
> > > useful, but I can also see where the ability to nest seperate policies
> > > would be useful.
> >
> > This is all fine. The question is whether this is a policy management
> > issue or a kernel infrastructure issue. So far, it's not clear that this
> > really necessitates kernel infrastructure changes to support container
> > aware policies to be loaded by physical host admin/owner or the virtual
> > host admin. The place where it breaks down is if each virtual host
> > wants not only to control its own policy, but also its security model.
>
> What do you define as 'policy', and how is it different from the
> security model?
>
> > Then we are left with stacking modules or heavier isolation (as in Xen).
>
> Hmm, talking about 'container' in this sense is confusing, because we're
> not yet clear on what a container is.
>
> So I'm trying to get a handle on what we really want to do.
>
> Talking about namespaces is tricky. For instance if I do
> clone(CLONE_NEWNS), the new process is in a new fs namespace, but the
> fs objects are still the same, so if it loads an LSM, then perhaps at
> most the new process should only control mount activities in its own
> namespace.
>
> Frankly I thought, and am still not unconvinced, that containers owned
> by someone other than the system owner would/should never want to load
> their own LSMs, so that this wasn't a problem. Isolation, as Chris has
> mentioned, would be taken care of by the very nature of namespaces.
>
> There are of course two alternatives... First, we might want to
> allow the machine admin to insert per-container/per-namespace LSMs.
> To support this case, we would need a way for the admin to tag a
> container some way identifying it as being subject to a particular set
> of security_ops.
>
> Second, we might want container admins to insert LSMs. In addition
> to a straightforward way of tagging subjects/objects with their
> container, we'd need to implement at least permissions for "may insert
> global LSM", "may insert container LSM", and "may not insert any LSM."
> This might be sufficient if we trust userspace to always create full
> containers. Otherwise we might want to support meta-policy along the
> lines of "may authorize ptrace and mount hooks only", or even "not
> subject to the global inode_permission hook, and may create its own."
sorry folks, I don't think that we _ever_ want container
root to be able to load any kernel modues at any time
without having CAP_SYS_ADMIN or so, in which case the
modules can be global as well ... otherwise we end up
as a bad Xen imitation with a lot of security issues,
where it should be a security enhancement ...
best,
Herbert
> (yuck)
>
> But so much of this depends on how the namespaces/containers end up
> being implemented...
>
> -serge
next prev parent reply other threads:[~2006-03-30 15:30 UTC|newest]
Thread overview: 125+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-03-24 17:19 [RFC] Virtualization steps Kirill Korotaev
2006-03-24 17:33 ` Nick Piggin
2006-03-24 19:25 ` Dave Hansen
2006-03-24 19:53 ` Eric W. Biederman
2006-03-28 4:28 ` Bill Davidsen
2006-03-28 5:31 ` Sam Vilain
2006-03-28 6:45 ` [Devel] " Kir Kolyshkin
2006-03-28 21:59 ` Sam Vilain
2006-03-28 22:24 ` Kir Kolyshkin
2006-03-28 23:28 ` Sam Vilain
2006-03-29 9:13 ` Kirill Korotaev
2006-03-29 11:08 ` Sam Vilain
2006-03-29 13:45 ` Herbert Poetzl
2006-03-29 14:47 ` Kirill Korotaev
2006-03-29 17:29 ` Herbert Poetzl
2006-03-29 21:37 ` Sam Vilain
2006-04-12 8:28 ` Kirill Korotaev
2006-04-13 1:05 ` Herbert Poetzl
2006-04-13 6:52 ` Kirill Korotaev
2006-04-13 13:42 ` Herbert Poetzl
2006-04-13 21:33 ` Cedric Le Goater
2006-04-13 22:45 ` Herbert Poetzl
2006-04-14 7:41 ` Kirill Korotaev
2006-04-14 9:56 ` Cedric Le Goater
2006-04-15 19:29 ` Herbert Poetzl
2006-04-13 22:51 ` Kir Kolyshkin
2006-04-14 10:08 ` Cedric Le Goater
2006-04-15 19:31 ` Herbert Poetzl
2006-03-28 8:52 ` Herbert Poetzl
2006-03-28 9:00 ` Nick Piggin
2006-03-28 14:26 ` Herbert Poetzl
2006-03-28 14:44 ` Nick Piggin
2006-03-29 6:05 ` Eric W. Biederman
2006-03-29 6:19 ` Sam Vilain
2006-03-29 18:20 ` Chris Wright
2006-03-29 22:36 ` Sam Vilain
2006-03-29 22:52 ` Chris Wright
2006-03-29 23:01 ` Sam Vilain
2006-03-29 23:13 ` Chris Wright
2006-03-29 23:18 ` Sam Vilain
2006-03-29 23:28 ` Chris Wright
2006-03-30 1:02 ` Eric W. Biederman
2006-03-30 1:36 ` Chris Wright
2006-03-30 1:41 ` David Lang
2006-03-30 2:04 ` Chris Wright
2006-03-30 14:32 ` Serge E. Hallyn
2006-03-30 15:30 ` Herbert Poetzl [this message]
2006-03-30 16:43 ` Serge E. Hallyn
2006-03-30 18:00 ` Eric W. Biederman
2006-03-31 13:40 ` Serge E. Hallyn
2006-03-30 16:07 ` Stephen Smalley
2006-03-30 16:15 ` Serge E. Hallyn
2006-03-30 18:55 ` Chris Wright
2006-03-30 18:44 ` Eric W. Biederman
2006-03-30 19:07 ` Chris Wright
2006-03-31 5:36 ` Eric W. Biederman
2006-03-31 5:51 ` Chris Wright
2006-03-31 6:52 ` Eric W. Biederman
2006-03-30 18:53 ` Chris Wright
2006-03-30 2:48 ` Eric W. Biederman
2006-03-30 19:23 ` Chris Wright
2006-03-31 6:00 ` Eric W. Biederman
2006-03-31 14:52 ` Stephen Smalley
2006-03-31 16:39 ` Eric W. Biederman
2006-03-30 13:29 ` Serge E. Hallyn
2006-03-30 13:37 ` Eric W. Biederman
2006-03-30 14:55 ` Serge E. Hallyn
2006-03-30 2:24 ` Sam Vilain
2006-03-30 3:01 ` Eric W. Biederman
2006-03-30 3:26 ` Nick Piggin
2006-03-30 10:30 ` Eric W. Biederman
2006-04-11 10:32 ` Kirill Korotaev
2006-04-11 11:14 ` Nick Piggin
2006-04-11 14:44 ` Kirill Korotaev
2006-03-28 9:00 ` Kirill Korotaev
2006-03-28 14:41 ` Bill Davidsen
2006-03-28 15:03 ` Eric W. Biederman
2006-03-28 17:48 ` Jeff Dike
2006-03-28 23:07 ` Sam Vilain
2006-03-29 20:56 ` Bill Davidsen
2006-03-28 20:29 ` [Devel] " Jun OKAJIMA
2006-03-28 20:50 ` Kir Kolyshkin
2006-03-28 21:38 ` Jun OKAJIMA
2006-03-28 21:51 ` Eric W. Biederman
2006-03-28 23:18 ` Sam Vilain
2006-04-03 16:47 ` Bill Davidsen
2006-04-11 10:38 ` Kirill Korotaev
2006-04-11 16:20 ` Herbert Poetzl
2006-04-11 18:12 ` Kir Kolyshkin
2006-04-12 5:12 ` Andi Kleen
2006-04-12 6:55 ` Kirill Korotaev
2006-04-12 6:53 ` Andi Kleen
2006-04-12 7:51 ` Kirill Korotaev
2006-04-12 17:03 ` Andi Kleen
2006-04-12 17:20 ` Eric W. Biederman
2006-04-13 16:54 ` Alexey Kuznetsov
2006-04-30 13:22 ` Bill Davidsen
2006-04-30 21:34 ` Sam Vilain
2006-05-01 12:27 ` Kirill Korotaev
2006-05-03 20:32 ` Bill Davidsen
2006-03-28 9:02 ` Kirill Korotaev
2006-03-28 9:15 ` Nick Piggin
2006-03-28 15:35 ` Herbert Poetzl
2006-03-28 15:53 ` Nick Piggin
2006-03-28 16:31 ` Eric W. Biederman
2006-03-29 21:37 ` Bill Davidsen
2006-03-28 16:15 ` Eric W. Biederman
2006-03-28 23:04 ` Sam Vilain
2006-03-29 1:39 ` Kirill Korotaev
2006-03-29 13:47 ` Herbert Poetzl
2006-03-28 15:48 ` [Devel] " Matt Ayres
2006-03-28 16:42 ` Eric W. Biederman
2006-03-28 17:04 ` Matt Ayres
2006-03-29 0:55 ` Kirill Korotaev
2006-03-24 18:36 ` Eric W. Biederman
2006-03-24 21:19 ` Herbert Poetzl
2006-03-27 18:45 ` Eric W. Biederman
2006-03-28 8:51 ` Kirill Korotaev
2006-03-28 12:53 ` Serge E. Hallyn
2006-03-28 22:51 ` Sam Vilain
2006-03-29 20:30 ` Dave Hansen
2006-03-29 20:47 ` Eric W. Biederman
2006-03-29 22:44 ` Sam Vilain
2006-03-30 13:51 ` Kirill Korotaev
2006-03-28 21:58 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060330153012.GA16720@MAIL.13thfloor.at \
--to=herbert@13thfloor.at \
--cc=chrisw@sous-sol.org \
--cc=davidsen@tmr.com \
--cc=dlang@digitalinsight.com \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nickpiggin@yahoo.com.au \
--cc=sam@vilain.net \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox