| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Feb 2012 10:28:28 -0800 From: Chris Wright <chrisw@...hat.com> To: Anthony Liguori <anthony@...emonkey.ws> Cc: Avi Kivity <avi@...hat.com>, Scott Wood <scottwood@...escale.com>, linux-kernel <linux-kernel@...r.kernel.org>, Eric Northup <digitaleric@...gle.com>, KVM list <kvm@...r.kernel.org>, qemu-devel <qemu-devel@...gnu.org>, Chris Wright <chrisw@...hat.com> Subject: Re: [Qemu-devel] [RFC] Next gen kvm api * Anthony Liguori (anthony@...emonkey.ws) wrote: > On 02/07/2012 07:18 AM, Avi Kivity wrote: > >On 02/07/2012 02:51 PM, Anthony Liguori wrote: > >>On 02/07/2012 06:40 AM, Avi Kivity wrote: > >>>On 02/07/2012 02:28 PM, Anthony Liguori wrote: > >>>> > >>>>>It's a potential source of exploits > >>>>>(from bugs in KVM or in hardware). I can see people wanting to be > >>>>>selective with access because of that. > >>>> > >>>>As is true of the rest of the kernel. > >>>> > >>>>If you want finer grain access control, that's exactly why we have things like > >>>>LSM and SELinux. You can add the appropriate LSM hooks into the KVM > >>>>infrastructure and setup default SELinux policies appropriately. > >>> > >>>LSMs protect objects, not syscalls. There isn't an object to protect here > >>>(except the fake /dev/kvm object). > >> > >>A VM can be an object. > > > >Not really, it's not accessible in a namespace. How would you label it? A VM, vcpu, etc are all objects. The labelling can be implicit based on the security context of the process creating the object. You could create simplistic rules such as a process may have the ability KVM__VM_CREATE (this is roughly analogous to the PROC__EXECMEM policy control that allows some processes to create executable writable memory mappings, or SHM__CREATE for a process that can create a shared memory segment). Adding some label mgmt to the object (add ->security and some callbacks to do ->alloc/init/free), and then checks on the object itself would allow for finer grained protection. If there was any VM lookup (although the original example explicitly ties a process to a vm and a thread to a vcpu) the finer grained check would certainly be useful to verify that the process can access the VM. > Labels can originate from userspace, IIUC, so I think it's possible for QEMU > (or whatever the userspace is) to set the label for the VM while it's > creating it. I think this is how most of the labeling for X and things of > that nature works. For X, the policy enforcement is done in the X server. There is assistance from the kernel for doing policy server queries (can foo do bar?), but it's up to the X server to actually care enough to ask and then fail a request that doesn't comply. I'm not sure that's the model here. thanks, -chris -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists