On Tuesday 08 March 2005 12:52, nils toedtmann wrote: > On Sat, Mar 05, 2005 at 06:30:55PM +0100, Blaisorblade wrote: > > On Thursday 03 March 2005 02:17, nils toedtmann wrote: > > > On Wed, Mar 02, 2005 at 12:35:23PM -0800, Jim Carter wrote:
First: could you put the resulting procedure into the UML Wiki? > Unfortunatly, i am mistaken: > > "Checking PROT_EXEC mmap in /tmp...failed: Operation not permitted > /tmp must be not mounted noexec" > But instead, you can 'umount -l' (lazy umount, somebody sug- > gested this during the cannot-umount-tmpfs-after-shutdown > discussion) /tmp right after booting such that it is unusable. > Then there is no writable place in the chroot left besides > image/cow-files. The attacker could overwrite them, but uml > won't like that ... Yes, an attacker can, but this does not matter: an attacker on the host can already simply killall the UML or manipulate it at will (technically a bit difficult to ptrace it maybe but you can do what you prefer). The problem is preventing a cracker who subverted a UML instance from doing anything (especially getting root) on the host. > Of course! And if you want to have persistant filesystem images > or CoW files, same goes for them. Otherwise, put the CoW files > on the tmpfs. > Older uml needed /proc/cpuinfo (at least due to my experiments > with chroot), but that need seems to have been silently removed. > As /proc/mm is 222: what harm could an attacker do by > writing into /proc/mm? Each time you open /proc/mm you load the host kernel somehow less than the creation of a idle process, apart the handling of actual code execution. You can add a ulimit on the number of open files, but be careful since it applies to UML too (and UML needs a fd handle to /proc/mm for each process it creates). > > Except for that, the more I read this list, the more I like it. > ;-) > > It's impossible to get the chroot noexec if you don't bindmount > > uml-binary, and the same for nodev and tun. > yepp. The only problem is that you get at least 5 mounts in > your mounttable per uml, that can get confusing on a host > with bunches of umls >:-o (you could use 'mount -n') > > Only thing to note about that is that /dev/net/tun is useful only if you > > install uml_utilities, including uml_net, inside the chroot (but you > > won't, right)? > No. I do tuntap without any utilities, and that needs /dev/net/tun > inside the chroot, too. Otherwise i get a "Failed to open > /dev/net/tun, err = 2" (just tested to be sure ;-) Ok, you are right. /dev/net/tun is probably used by uml_net (I've not made sure), but is also used by UML, I guess when creating an interface with a tuntap transport. > To sum it up, this temporary chroot works-for-me[tm]: > mkdir chroot > mount -t tmpfs -o size=1k,mode=750,gid=uml,nodev,nosuid,noexec none > chroot mkdir chroot/tmp > mount -t tmpfs -o size=129M,mode=770,gid=uml,nodev,nosuid none > chroot/tmp/ mkdir -p chroot/proc chroot/dev/net > touch chroot/proc/mm chroot/dev/net/tun chroot/linux chroot/rootfs > mount -o bind /proc/mm chroot/proc/mm > mount -o bind /dev/net/tun chroot/dev/net/tun # > has to be rw for (g)id=uml mount -o bind ubd/FC3-rootfs.ext3 chroot/rootfs > # has to be rw for (g)id=uml mount -o bind > boot/linux-2.6.9-bb4-terminal-cleanup-nils9 chroot/linux # has to be x for > (g)id=uml mount -o remount,ro chroot/ > screen -S uml /usr/bin/compartment --user uml --group uml --chroot chroot > /linux umid=uml mem=128M uml_dir=/tmp con=null con0=null,fd:2 > con1=fd:0,fd:1 eth0=tuntap,tap00,FE:FD:00:DE:AD:06 ubd0=/rootfs > devfs=nomount sleep 10 > umount -l chroot/tmp > Maybe you could 'umount -l' chroot/dev/net/tun & chroot/rootfs, too? See above... > After shutdown, destroy the chroot: > umount chroot/linux chroot/rootfs chroot/dev/net/tun chroot > > Sooner or later, we'll get them (at least the more important ones) > > ported. SELinux is in the tree and is supported fully (there's an howto > > on this on the community site IIRC). > What helps is "um" being an official architecture in 2.6 now. SELinux support IIRC worked at the 2.6.0 time (with some trivial fixes). -- Paolo Giarrusso, aka Blaisorblade Linux registered user n. 292729 http://www.user-mode-linux.org/~blaisorblade ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click _______________________________________________ User-mode-linux-user mailing list User-mode-linux-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/user-mode-linux-user
