Re: COPR

On 09/02/2013 04:29 AM, Miroslav Suchý wrote:
> On 08/30/2013 10:01 PM, Jay Greguske wrote:
>> I'd like to see some elaboration on why VMs instead of chroots would be
>> required. I can draw my own conclusions (security) but I'd like to see
>> them listed out first before continuing the discussion.
> 
> Koji builder has a certificate stored somewhere. This certificate
> authorizes him to Koji hub.
> Whoever has this certificate can act as Koji builder.
> Koji builder builds using mock, which means in chroot. There are some
> known exploits, which allow you to run out of chroots.
> 
> Now imagine an evil package, which will run out of chroot, read that
> certificate and deliver it to the attacker.
> He now can build an evil builder and start building modified packages.
> 
> While there are known exploits to affect the host machine of a VM, it is
> definitely harder than running out of chroot.
> 

If we had SELinux policy enabled on the builders and used MLS on the
chroots that would mitigate chroot-to-chroot attacks. I'm not sure if
policy could prevent a chroot'ed process from getting access to the
builder's certificate. If it could, I think getting SELinux working on
the builders would be an easier path than re-writing koji to use VMs.

Maybe someone with more expertise could comment on the latter issue.

- Jay

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




