On Thu, Oct 29, 2020 at 03:23:46PM +0100, Michal Privoznik wrote:
> On 10/29/20 2:36 PM, Andrea Bolognani wrote:
> > On Thu, 2020-10-29 at 12:18 +0100, Michal Privoznik wrote:
> >
> > I'm not very familiar with security drivers but I guess the question
> > is: are xattrs a critical part of the security story, without which
> > no isolation is possible at all, or is it conceivable to have
> > security drivers that provide some amount of protection on macOS even
> > though they can't go as far as they can on Linux and FreeBSD?
>
> The way seclabel remembering works is whenever libvirt wants to
> chown()/setfilecon() the current owner/SELinux label is recorded into XATTRs
> [1] and then on restore we look into these XATTRs and restore to the owner
> stored there. With this it is easy to see that if XATTRs were editable by a
> regular user it is very simple to trick libvirt into changing the owner of a
> file. As easy as:
>
> 1) start a vm with /etc/shadow as a disk

But if you don't run libvirt under root, would there be an issue?

> 2) modify XATTRs so that the original owner recorded is "michal:michal"
> 3) kill the vm
> 4) profit
>
> Now, in Linux and BSD XATTRs must have a prefix. In Linux there are four:
>
> * user - can be modified by anybody,
> * system - used by ACLs
> * security - used by SELinux
> * trusted - accessible by CAP_SYS_ADMIN processes only
>
> and in BSD there are only two:
>
> * user - can be modified by anybody,
> * system - accessible by CAP_SYS_ADMIN processes only
>
> That is why on Linux we use "trusted" and on BSD we use "system".
> Therefore, on any new system we must use something equivalent. What is the
> equivalent on macOS? Does it even have namespaces (as in a subset that is
> modifiable only by a CAP_SYS_ADMIN process)?

There's no notion of CAP_SYS_ADMIN and zones/jails/namespaces on macOS. The
closest equivalent of Linux namespaces with regards to security are app
sandboxes [1].

It's possible to write sophisticated Lisp-like rules that restrict an app as
much as possible, then run it in a sandbox with the rules provided. Apple's
applications, Firefox [3] and Chromium [4] heavily use the feature.

1. https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
2. https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicyContent.h
3. https://source.chromium.org/chromium/chromium/src/+/master:sandbox/policy/mac/common.sb

Thanks,
Roman
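As an added example (not code from this thread or from libvirt), the probe below checks which Linux xattr namespaces the calling process can write on a scratch file, which is the property Michal's argument relies on: the namespace holding the recorded owner must not be one an unprivileged user can edit. The attribute name `libvirt.probe` is a hypothetical placeholder.

```python
"""Probe which Linux xattr namespaces the calling process may write.

Constructed example: libvirt's seclabel remembering stores the original
owner/label in an xattr and chowns back to it later, so that xattr must
live in a namespace an unprivileged user cannot edit. This script tries
each Linux namespace on a throwaway file and reports the outcome.
"""
import errno
import os
import tempfile

NAMESPACES = ("user", "system", "security", "trusted")
ATTR_SUFFIX = "libvirt.probe"   # hypothetical attribute name, not libvirt's


def try_setxattr(path, namespace, value=b"michal:michal"):
    """Return 'ok' if the write succeeded, else the errno name (e.g. 'EPERM')."""
    if not hasattr(os, "setxattr"):      # xattr API exists only on Linux
        return "UNSUPPORTED_PLATFORM"
    name = f"{namespace}.{ATTR_SUFFIX}"
    try:
        os.setxattr(path, name, value)
        os.removexattr(path, name)       # clean up after a successful write
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, f"ERRNO_{e.errno}")


def probe_namespaces():
    """Map each namespace to the result of writing an xattr on a fresh file."""
    with tempfile.NamedTemporaryFile() as f:
        return {ns: try_setxattr(f.name, ns) for ns in NAMESPACES}


def unprivileged_writable_namespaces():
    """Namespaces this process wrote successfully while NOT running as root.

    Any namespace listed here is unsafe for storing a to-be-restored owner:
    the file's user could rewrite it, as in the /etc/shadow scenario above.
    From a root process nothing can be concluded, so the list is empty.
    """
    if os.geteuid() == 0:
        return []
    return [ns for ns, res in probe_namespaces().items() if res == "ok"]


if __name__ == "__main__":
    for ns, res in probe_namespaces().items():
        print(f"{ns:>9}.* -> {res}")
    print("unsafe (unprivileged-writable):", unprivileged_writable_namespaces())
```

Run it once as a regular user and once as root to see that only the user namespace is open to the former, while trusted.* needs CAP_SYS_ADMIN.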