On Thursday 03 March 2005 02:17, nils toedtmann wrote:
> On Wed, Mar 02, 2005 at 12:35:23PM -0800, Jim Carter wrote:
> > On Wed, 2 Mar 2005, Maarten wrote:
> > > Out of curiosity, is a 'default' SKAS-enabled guest (and without the
> > > host-fs kernel option) safe enough as a sandbox to let untrusted users
> > > in, or are additional measures in order to really secure it (or more
> > > paranoia ;-) ? I.e. how difficult is it to gain access to the host OS
> > > from the UML guest?
> >
> > Here's my take on the issue. Do other list members have additional or
> > contravening insights?
> >
> > If a very sharp hacker "gets root" on the UML guest, he can overwrite the
> > kernel any way he pleases, executing arbitrary code as the UML special
> > user. If he finds himself in a chroot jail, he can import statically
> > linked tools (using ports that have to be open for the guest's mission)
> > and perpetrate the same 'sploit against the host. The jail makes this
> > harder but not impossible.
> > So if there's an exploit in the wild against your kernel version, UML
> > won't save you.
> > [...]
>
> You can harden the chroot (mount it ro,noexec,nodev, bindmount
> uml-binary as the only executable into it, bindmount /dev/net/tun
> as the only device, mount tmpfs noexec,nodev).

Hmm, nice list... only one problem I guess.

1) you forgot to bindmount /proc/mm

Except for that, the more I read this list, the more I like it.
It's impossible to get the chroot noexec if you don't bindmount uml-binary, and the same for nodev and tun. Only thing to note about that is that /dev/net/tun is useful only if you install uml_utilities, including uml_net, inside the chroot (but you won't, right?).

> Then the method you
> mentioned (injecting static code into the uml kernel) is the only
> way to run code inside the chroot. That's hard, and a small mistake
> will result in a smashed uml kernel, but it can be done
> (there are articles on phrack magazine which claim that). Using
> additional kernel patches like openwall or grsecurity may prevent
> that, but I don't know if they work on ARCH=um (I know that LIDS
> works with a tiny patch).

Sooner or later, we'll get them (at least the more important ones) ported. SELinux is in the tree and is supported fully (there's a howto on this on the community site IIRC).

-- 
Paolo Giarrusso, aka Blaisorblade
Linux registered user n. 292729
http://www.user-mode-linux.org/~blaisorblade
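An added audit script (not code from this thread or the UML project) that checks a /proc/mounts-style listing against the jail layout discussed above: root ro,noexec,nodev, the UML binary as the only executable, /dev/net/tun as the only device, /proc/mm bind-mounted, and a noexec,nodev tmpfs. The jail path, the binary path inside it, the tmpfs location and the sample mount lines are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: check a /proc/mounts-style
# listing against the jail layout discussed above (root ro,noexec,nodev,
# the UML binary as the only executable, /dev/net/tun as the only device,
# /proc/mm for SKAS, tmpfs noexec,nodev). Paths below are assumptions.
JAIL=/srv/uml-jail            # assumed jail location
UML_BIN=/usr/bin/linux        # assumed path of the guest kernel inside the jail
TMPFS_DIR=/tmp                # assumed tmpfs mount point inside the jail

# Constructed /proc/mounts excerpt for a host set up as described.
GOOD_MOUNTS="/dev/sda3 $JAIL ext3 ro,noexec,nodev 0 0
/dev/sda2 $JAIL$UML_BIN ext3 ro 0 0
udev $JAIL/dev/net/tun tmpfs rw 0 0
proc $JAIL/proc/mm proc rw 0 0
tmpfs $JAIL$TMPFS_DIR tmpfs rw,noexec,nodev 0 0"

# mount_opts MOUNTS MOUNTPOINT: print MOUNTPOINT's option field; fail if absent.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; f = 1 } END { exit !f }'
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_jail_mounts MOUNTS JAIL: print one line per missing hardening step,
# return 0 only when every step is present.
check_jail_mounts() {
    mounts=$1; jail=$2; rc=0
    root=$(mount_opts "$mounts" "$jail") || { echo "jail root not mounted"; return 1; }
    for o in ro noexec nodev; do
        has_opt "$root" "$o" || { echo "jail root lacks $o"; rc=1; }
    done
    # Bind mounts show up as ordinary entries at their target path.
    for p in "$UML_BIN" /dev/net/tun /proc/mm; do
        mount_opts "$mounts" "$jail$p" >/dev/null || { echo "$p not bind-mounted"; rc=1; }
    done
    tmp=$(mount_opts "$mounts" "$jail$TMPFS_DIR") || { echo "no tmpfs on $TMPFS_DIR"; return 1; }
    for o in noexec nodev; do
        has_opt "$tmp" "$o" || { echo "tmpfs lacks $o"; rc=1; }
    done
    return $rc
}

check_jail_mounts "$GOOD_MOUNTS" "$JAIL" && echo "jail mounts look hardened"
```

On a real host, feed it the live table with `check_jail_mounts "$(cat /proc/mounts)" "$JAIL"` after adjusting the assumed paths.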