On Wed, Mar 02, 2005 at 12:35:23PM -0800, Jim Carter wrote:
> On Wed, 2 Mar 2005, Maarten wrote:
> 
> > Out of curiosity, is a 'default' SKAS-enabled guest (and without the 
> > host-fs 
> > kernel option) safe enough as a sandbox to let untrusted users in, or are 
> > additional measures in order to really secure it (or more paranoia ;-) ?
> > I.e. how difficult is it to gain access to the host OS from the UML guest?
> 
> Here's my take on the issue.  Do other list members have additional or 
> contravening insights?  
> 
> If a very sharp hacker "gets root" on the UML guest, he can overwrite the 
> kernel any way he pleases, executing arbitrary code as the UML special 
> user.  If he finds himself in a chroot jail, he can import statically 
> linked tools (using ports that have to be open for the guest's mission) and 
> perpetrate the same 'sploit against the host.  The jail makes this harder 
> but not impossible.
> So if there's an exploit in the wild against your kernel version, UML won't 
> save you.  
[...]

You can harden the chroot (mount it ro,noexec,nodev, bind-mount the 
UML binary as the only executable into it, bind-mount /dev/net/tun 
as the only device, mount tmpfs noexec,nodev). Then the method you 
mentioned (injecting static code into the UML kernel) is the only
way to run code inside the chroot. That's hard, and a small mistake
will result in a smashed UML kernel, but it can be done
(there are articles in Phrack magazine which claim that). Using
additional kernel patches like Openwall or grsecurity may prevent
that, but I don't know if they work on ARCH=um (I know that LIDS 
works with a tiny patch).

But even if the attacker succeeds in running a kernel exploit
against the host kernel: most kernel exploits I have seen result
in uid=0, but still inside a chroot. So he still has to escape it,
which is not so easy if you cannot create devices.

Another problem is DoS attacks mounted from a rooted UML. Mr. 
Evil could try to consume as many resources as possible to slow 
down the host. For example, flooding /dev/net/tun would probably 
slow down networking for all other UMLs. Renicing may prevent 
consuming too much CPU time. Are there any QoS capabilities on
the UML roadmap?

/nils.

-- 
there is no sig.
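The jail layout Nils describes above (read-only, noexec, nodev chroot; the UML binary as the only executable; /dev/net/tun as the only device node; tmpfs for scratch space; the guest reniced), as an added shell example that is not part of this thread or of the UML project. The jail path, the UML binary path, the unprivileged `uml` account, the `data` directory holding the guest's disk image and the pre-created `tap0` device are all assumed placeholders, and the UML binary is assumed to be statically linked so nothing else has to live inside the jail. Without `APPLY=1` the setup function only prints the commands it would run (as root); `audit_mounts` reads a /proc/mounts-style table and checks that every mount under the jail carries the expected flags, with the two exceptions the design forces: the binary's bind mount must stay executable, and the tun node must not be mounted nodev, because nodev makes a device node unopenable.

```shell
#!/bin/sh
# Added example, not from the original thread. All paths below are assumptions.
JAIL="${JAIL:-/srv/uml-jail}"              # assumed jail root
UML_BIN="${UML_BIN:-/usr/local/bin/linux}" # assumed statically linked UML kernel
UML_DATA="${UML_DATA:-/srv/uml-data}"      # assumed dir with the guest disk image
UML_USER="${UML_USER:-uml}"                # assumed unprivileged account for the guest

# Run the command with APPLY=1 (needs root); otherwise just print it.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Build the jail: mountpoints first, then the jail root goes ro,nosuid,nodev,noexec,
# and only two narrow bind mounts relax a single flag each (exec for the binary,
# device access for the tun node). Needs a kernel/mount(8) with per-mount ro bind remounts.
jail_setup() {
    run mkdir -p "$JAIL/bin" "$JAIL/dev/net" "$JAIL/tmp" "$JAIL/data"
    run touch "$JAIL/bin/linux" "$JAIL/dev/net/tun"   # file bind-mount targets
    run mount --bind "$JAIL" "$JAIL"
    run mount -o remount,bind,ro,nosuid,nodev,noexec "$JAIL"
    # The only executable in the jail: read-only, but exec allowed.
    run mount --bind "$UML_BIN" "$JAIL/bin/linux"
    run mount -o remount,bind,ro,nosuid,nodev "$JAIL/bin/linux"
    # The only device node: no nodev here, or the guest cannot open it.
    run mount --bind /dev/net/tun "$JAIL/dev/net/tun"
    run mount -o remount,bind,nosuid,noexec "$JAIL/dev/net/tun"
    # Scratch space and the guest's disk image: writable but never executable.
    run mount -t tmpfs -o nosuid,nodev,noexec,size=64m tmpfs "$JAIL/tmp"
    run mount --bind "$UML_DATA" "$JAIL/data"
    run mount -o remount,bind,rw,nosuid,nodev,noexec "$JAIL/data"
    # Start the guest reniced, as the unprivileged user, inside the jail
    # (assumes tap0 already exists on the host; ubd0= and eth0=tuntap,tap0 are UML syntax).
    run nice -n 10 chroot --userspec="$UML_USER:$UML_USER" "$JAIL" \
        /bin/linux ubd0=/data/root.img eth0=tuntap,tap0
}

# Audit a mount table (/proc/mounts format on stdin). Every mount under the jail
# must carry the flags for its role; prints each violation and returns 1 if any.
audit_mounts() {
    bad=0
    while read -r _dev mnt _fstype opts _rest; do
        case "$mnt" in
            "$JAIL"|"$JAIL"/*) ;;
            *) continue ;;
        esac
        case "$mnt" in
            "$JAIL/bin/linux")   need="nosuid nodev" ;;   # must stay executable
            "$JAIL/dev/net/tun") need="nosuid noexec" ;;  # must stay an openable device
            *)                   need="nosuid nodev noexec" ;;
        esac
        for flag in $need; do
            case ",$opts," in
                *",$flag,"*) ;;
                *) echo "VIOLATION: $mnt lacks $flag (opts: $opts)"; bad=1 ;;
            esac
        done
        case "$mnt,$opts," in
            "$JAIL/dev/net/tun,"*",nodev,"*)
                echo "WARNING: $mnt mounted nodev; the guest cannot open the tun device" ;;
        esac
    done
    return $bad
}

# Usage: jail_setup (dry run), APPLY=1 jail_setup (as root), audit_mounts < /proc/mounts
```

The audit is the check to keep around: run it from cron or a boot script so a later remount or a forgotten `nodev` on the jail root shows up as a one-line violation instead of as an escape path.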


_______________________________________________
User-mode-linux-user mailing list
User-mode-linux-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-user