Re: [RFC] Virtualization steps
From: Eric W. Biederman
Date: Wed Mar 29 2006 - 21:47:00 EST
Chris Wright <chrisw@xxxxxxxxxxxx> writes:
>> At least one implementation Linux Jails by Serge E. Hallyn was done completely
>> with security modules, and the code was pretty minimal.
>
> Yes, although the networking area was something that looked better done
> via namespaces (at least that's my recollection of my conversations with
> Serge on that one a few years back).
For general networking, yes, the namespace flavor seems to be the sane
way to do it.
As I currently understand the problem, everything goes along nicely,
nothing really special needed, until you start asking the question:
how do I implement a root user with uid 0 who does not own the
machine? When you start asking that question is when the creepy
crawlies come out.
On most virtual filesystems the default owner of files is uid 0.
Additional privilege checks are not applied. Writing to those
files could potentially have global effect.
It is completely unclear how permission checks should work
between two processes in different uid namespaces, especially
since there are cases where you do want interactions.
If every guest/container/jail is configured so that uids with the same
value mean the same user, there are no security issues even when they
interact, because the isolation is not perfect. So my gut feel is to
postpone a bunch of these problems and say making uids non-global
is a security module issue.
Eric
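The "uid 0 who does not own the machine" problem discussed above, as an added example that is not part of this thread: a user-space C model of the uid_map translation that Linux user namespaces later used to make uids non-global. The struct and function names, the toy owner check and the sample maps are constructed for illustration; only the map line format (inside outside count) follows /proc/<pid>/uid_map.

```c
/* Added example, not code from this thread: a user-space model of the
 * uid_map translation Linux user namespaces later adopted. Each line of
 * /proc/<pid>/uid_map is "inside outside count"; a uid seen inside the
 * namespace maps to a global kuid through that table. The names here and
 * the toy owner check are constructed for illustration, not kernel API. */
#include <stdio.h>
#include <stdbool.h>
#include <stdint.h>
#define NO_UID UINT32_MAX   /* stand-in for the kernel's INVALID_UID */
struct uid_extent { uint32_t inside, outside, count; };
struct uid_ns { const struct uid_extent *map; int nr; };

/* uid seen inside the namespace -> global kuid (like the kernel's map_id_down) */
uint32_t ns_to_kuid(const struct uid_ns *ns, uint32_t uid) {
    for (int i = 0; i < ns->nr; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (uid >= e->inside && uid - e->inside < e->count)
            return e->outside + (uid - e->inside);
    }
    return NO_UID;  /* unmapped: no global identity at all */
}

/* global kuid -> uid seen inside the namespace (like map_id_up) */
uint32_t kuid_to_ns(const struct uid_ns *ns, uint32_t kuid) {
    for (int i = 0; i < ns->nr; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (kuid >= e->outside && kuid - e->outside < e->count)
            return e->inside + (kuid - e->outside);
    }
    return NO_UID;  /* shows up inside as the overflow uid ("nobody") */
}

/* Toy owner check: the process owns the file only if its uid, translated
 * through its namespace, equals the file's global owner kuid. */
bool owns_file(const struct uid_ns *ns, uint32_t uid, uint32_t file_kuid) {
    uint32_t k = ns_to_kuid(ns, uid);
    return k != NO_UID && k == file_kuid;
}

/* Constructed maps: init namespace is identity; the container maps its
 * uids 0..65535 to global 100000..165535, so its "root" is kuid 100000. */
static const struct uid_extent init_map[] = { { 0, 0, UINT32_MAX } };
static const struct uid_extent ctr_map[]  = { { 0, 100000, 65536 } };
const struct uid_ns init_ns = { init_map, 1 }, container = { ctr_map, 1 };

int main(void) {  /* a /proc file owned by global root is kuid 0 */
    printf("host root owns it: %d\n", owns_file(&init_ns, 0, 0));      /* 1 */
    printf("container root owns it: %d\n", owns_file(&container, 0, 0)); /* 0 */
    return 0;
}
```

With the map in place, a write by the container's uid 0 to a uid-0-owned virtual file fails the owner check, which is the extra privilege check the message says is missing when uids are global.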