Re: AF_VSOCK and the LSMs

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Gerd Hoffmann <kraxel@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: Andy King <acking@vmware.com>,
	netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
	selinux@tycho.nsa.gov, Eric Paris <eparis@redhat.com>
Subject: Re: AF_VSOCK and the LSMs
Date: Mon, 25 Feb 2013 08:29:46 +0100	[thread overview]
Message-ID: <512B12EA.1000003@redhat.com> (raw)
In-Reply-To: <2331260.82H25I6ITJ@sifl>

  Hi,

>> I think perhaps this is the wrong layer at which to embed this.  Think
>> of that structure as an ethernet header, with VMCI being ethernet; it's
>> what the device (and the hypervisor and peer) understand.  So this
>> really cannot be changed.
> 
> Hmmm, so can VMware/VMCI-enabled guests send vmci_datagram packets directly 
> into the kernel?  It isn't wrapped by things like AF_VSOCK? If that is the
> case, then yes, we'll probably need to add a thin wrapper struct to carry the 
> security label; similar to the control packets but not quite, as we have data 
> to deal with unlike the control packets.  However, if vmci_datagram is an 
> internal only structure, why not add the extra field?

vmci_datagram is part of the guest/host ABI I think.

Data flow looks like this:

(1) guest application opens a AF_VSOCK socket
(2) guest sends data as usual (say send syscall).
(3) vsock core hards over the packet to the transport layer
    (only vmci atm, but we wanna add virtio here).
(4) transport layer passes data to the hypervisor (vmci uses a
    virtual pci device for that, virtio will do the same).
(5) hypervisor forwards the data
(5a) cid=0 -- hypervisor handles the data itself.
(5b) cid=2 -- hypervisor hands over the data to a process on the host
     (not sure how this works, Andy?)
(5c) cid=other -- hypervisor hands over data to the guest addressed
     by the cid (==context id), where it travels back in a simliar way
     (vmci virtual device -> vmci vsock transport ->
     vsock core -> userspace app).

>> It's also not entirely clear to me how this will work in a heterogeneous
>> environments.  What if there's a Linux guest running on a Windows host,
>> or vice-versa?
> 
> I maybe missing something here, but VMCI never leaves the physical host system 
> correct?  It doesn't get tunneled over some external network does it?

Correct.

> Assuming it stays on the physical host system then we don't really care about 
> a Windows host in this context do we?  From a guests point of view it doesn't 
> really matter, the kernel handles all of the labeling and access control; the 
> guests create their AF_VSOCKS as they normally would.

Depends on where you wanna apply access control ...

If you want allow the *guest* kernel lsm allow to control which
applications are allowed to communicate using vsock and which are not,
then yes, it doesn't really matter which hypervisor is underneath as it
will not be involved in the first place.  And I think the hooks should
be in the vsock core module not vmci, otherwise you'll have to exercise
the same again for each vsock transport layer we add.  The transport
layer interface might need changes to support labeling & lsm hooks.

If you are looking at the host side (to restrict which guests are
allowed to talk to each other and which are not) lsm can't do much about
it as the data may not be passed to the host kernel in the first place ...

cheers,
  Gerd

next prev parent reply	other threads:[~2013-02-25  7:29 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-02-22 22:33 AF_VSOCK and the LSMs Paul Moore
2013-02-22 22:54 ` Andy King
2013-02-23  0:27   ` Paul Moore
2013-02-25  7:29     ` Gerd Hoffmann [this message]
2013-02-25 15:06       ` Paul Moore
2013-02-22 23:00 ` Casey Schaufler
2013-02-23  0:45   ` Paul Moore
2013-02-23 23:43     ` Casey Schaufler
2013-02-25 16:55       ` Paul Moore
2013-02-25 18:02         ` Casey Schaufler
2013-02-25 21:05           ` Paul Moore
2013-02-25 23:06             ` Casey Schaufler
2013-02-26 21:21               ` LSM stacking and the network access controls (was: AF_VSOCK and the LSMs) Paul Moore
2013-02-26 23:12                 ` LSM stacking and the network access controls Casey Schaufler
2013-02-27 16:43                   ` Paul Moore
2013-02-27 16:51                     ` Casey Schaufler
2013-02-27 17:31                       ` Paul Moore
2013-02-27 17:40                         ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=512B12EA.1000003@redhat.com \
    --to=kraxel@redhat.com \
    --cc=acking@vmware.com \
    --cc=eparis@redhat.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pmoore@redhat.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).