Re: [PATCH] System Wide Capability Bounding Set

From: Steve Grubb
Date: Fri Jan 28 2011 - 14:11:21 EST

On Friday, January 28, 2011 01:49:01 pm Serge E. Hallyn wrote:
> > Using a wrapper program is a NOGO because the admin renting the machine
> > would be able to overwrite the wrapper and then they have arbitrary
> > code running with full privs and
> Not sure I've got this. Wrapper program in the VM he can over-write,
> but then he can overwrite the kernel too.

No, because the kernel is only read in at boot. After that, /boot can disapear and it
won't matter. It can be replaced with something and that won't matter because that's
not the real boot partition.

> But what we are worried about is the host, so you must mean that. But if the
> wrapper program is of type noone_may_write_this_t, then wouldn't finding a way to
> replace that be as hard as overwriting the host kernel?

No, because we aren't taking away the ability to mount or unmount. Not to mention that
root can replace his selinux policy so that next boot it doesn't define
noone_may_write_this_t. He might even put selinux in his VM in permissive.

> Which, of course, still remains as a viable attack vector for the guest admin,
> whether you have this bounding set or not.

No, with the bounding set, any external call the kernel makes has the bounding set
applied. This means we don't have to further restrict root in unnatural ways.

> In other words, we have to accept that the TCB is always not just the
> kernel, but some user-space too. And yes, the wrapper program here
> would be part of the TCB.

If you give someone root access in the VM, they probably want to set things up their
way. So, we really would like it if all the security mechanism were inside where they
can't be easily tampered with.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at