Re: [PATCH] System Wide Capability Bounding Set

[Steve Grubb <sgrubb@redhat.com>]

On Friday, January 28, 2011 01:49:01 pm Serge E. Hallyn wrote:
> > Using a wrapper program is a NOGO because the admin renting the machine
> > would be able  to overwrite the wrapper and then they have arbitrary
> > code running with full privs and
> 
> Not sure I've got this.  Wrapper program in the VM he can over-write,
> but then he can overwrite the kernel too.

No, because the kernel is only read in at boot. After that, /boot can disapear and it 
won't matter. It can be replaced with something and that won't matter because that's 
not the real boot partition.

> But what we are worried about is the host, so you must mean that.  But if the
> wrapper program is of type noone_may_write_this_t, then wouldn't finding a way to
> replace that be as hard as overwriting the host kernel? 

No, because we aren't taking away the ability to mount or unmount. Not to mention that 
root can replace his selinux policy so that next boot it doesn't define 
noone_may_write_this_t. He might even put selinux in his VM in permissive.

> Which, of course, still remains as a viable attack vector for the guest admin,
> whether you have this bounding set or not.

No, with the bounding set, any external call the kernel makes has the bounding set 
applied. This means we don't have to further restrict root in unnatural ways.

> In other words, we have to accept that the TCB is always not just the
> kernel, but some user-space too.  And yes, the wrapper program here
> would be part of the TCB.

If you give someone root access in the VM, they probably want to set things up their 
way. So, we really would like it if all the security mechanism were inside where they 
can't be easily tampered with.

-Steve