From: Steve Grubb <sgrubb@redhat.com>
To: "Serge E. Hallyn" <serge.hallyn@canonical.com>
Cc: Eric Paris <eparis@redhat.com>,
"Andrew G. Morgan" <morgan@kernel.org>,
"Serge E. Hallyn" <serge@canonical.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] System Wide Capability Bounding Set
Date: Thu, 27 Jan 2011 09:42:07 -0500 [thread overview]
Message-ID: <201101270942.07689.sgrubb@redhat.com> (raw)
In-Reply-To: <20110127140255.GB2935@localhost>
Hi Serge,
On Thursday, January 27, 2011 09:02:55 am Serge E. Hallyn wrote:
> What is the attack vector you're actually envisioning? Does some
> trojan come in and overwrite a program which which it hopes the
> kernel will execute? Or is there just an existing vuln in such
> a program? Are there other ways we can address these? Can we find
> a way to classify the kernel-spawned userspace programs? Perhaps
> based on the selinux context assigned to the program, we can assign
> some level of trust that noone could have modified the source?
I think that what is causing the confusion is that we are considering a different
threat model than the normal, historic view. The way its normally viewed, if you have
root, you can do anything you want to a machine. The threat model revolves around
becoming root on a machine and defense rests on splitting root so a complete system
compromise might not occur.
Today, people want to have multi-tenant hosting using virtual machines whereby they
give away root control of the guest VM. If you were renting system space, you would
expect root access. That would make a nice juicy hacking target because you don't know
who else is sharing the physical machine with you and they might have something in
their VM worth stealing.
So, the threat model becomes how do we prevent one guest from attacking another? We
have sVirt which prevents resource based attacks from occurring. Its pretty effective
for that. However, what if the bad guy wants to start attacking the hypervisor
directly in effort to start attacking the host OS?
They need to be able to run arbitrary code in ring 0 of the VM. That means the hosting
provider might want to eliminate some capabilities from the whole kernel so that they
have some assurance that a root user cannot get arbitrary code running in ring 0
without knowing a kernel level exploit. Also assume that the root user has no control
over the kernel or modules or initrd which are kept on a read only partition enforced
by the hypervisor. And the hosting provider will make kernel updates as kernel
security releases are made.
This kind of turns around some of the threat modeling that people have always made.
There are not a whole lot of changes that need to be made. I think there was one other
patch that we needed to prevent arbitrary code injection. Eric's initial patch was
overly generous in my opinion. It allowed further modification of the global bounding
set after boot had finished and could probably be used for mischief as pointed out.
Perhaps the setting should be immutable after any change to it - which is really how
its intended to be used. Or maybe even only a subset of the bounding set is modifiable.
Using a wrapper program is a NOGO because the admin renting the machine would be able
to overwrite the wrapper and then they have arbitrary code running with full privs and
we trust it will do the right thing. We need all modification to the running kernel out
of reach from root in that VM.
-Steve
next prev parent reply other threads:[~2011-01-27 14:42 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-05 22:25 [PATCH] System Wide Capability Bounding Set Eric Paris
2011-01-06 11:30 ` Tetsuo Handa
2011-01-06 16:44 ` Theodore Tso
2011-01-11 22:02 ` Serge E. Hallyn
2011-01-11 22:12 ` Serge E. Hallyn
2011-01-14 19:50 ` Eric Paris
2011-01-17 3:16 ` Andrew G. Morgan
2011-01-21 21:25 ` Eric Paris
2011-01-23 3:39 ` Andrew G. Morgan
2011-01-24 21:40 ` Serge Hallyn
2011-01-26 23:34 ` Eric Paris
2011-01-27 14:02 ` Serge E. Hallyn
2011-01-27 14:42 ` Steve Grubb [this message]
2011-01-27 16:43 ` Andrew G. Morgan
[not found] ` <AANLkTi=k5QeE_-iNuW3-M5K3BnBtRxk-QYO5624HKrpE@mail.gmail.com>
2011-01-27 16:50 ` Steve Grubb
2011-01-28 18:19 ` Eric Paris
2011-01-28 18:49 ` Serge E. Hallyn
2011-01-28 19:10 ` Steve Grubb
2011-01-28 19:38 ` Serge E. Hallyn
2011-01-28 22:24 ` Eric Paris
2011-02-01 18:17 ` Eric Paris
2011-02-01 21:26 ` Serge E. Hallyn
2011-02-02 4:02 ` Andrew G. Morgan
2011-02-08 2:55 ` Eric Paris
2011-02-14 20:45 ` Eric Paris
2011-02-14 21:24 ` Serge E. Hallyn
2011-02-18 0:29 ` Serge E. Hallyn
2011-01-27 14:26 ` Andrew G. Morgan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201101270942.07689.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=eparis@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=serge.hallyn@canonical.com \
--cc=serge@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox