On 09/03/2013 11:48 AM, Peter Robinson wrote:
> On Tue, Sep 3, 2013 at 3:10 PM, Jay Greguske <jgregusk@xxxxxxxxxx> wrote:
>
> On 09/02/2013 04:29 AM, Miroslav Suchý wrote:
> > On 08/30/2013 10:01 PM, Jay Greguske wrote:
> >> I'd like to see some elaboration on why VMs instead of chroots would be
> >> required. I can draw my own conclusions (security) but I'd like to see
> >> them listed out first before continuing the discussion.
> >
> > The Koji builder has a certificate stored somewhere. This certificate
> > authorizes it to the Koji hub.
> > Whoever has this certificate can act as a Koji builder.
> > The Koji builder builds using mock, which means in a chroot. There are
> > some known exploits which allow you to break out of chroots.
> >
> > Now imagine an evil package which breaks out of the chroot, reads that
> > certificate and delivers it to an attacker.
> > He can now build an evil builder and start building modified packages.
> >
> > While there are known exploits that affect the host machine of a VM, it is
> > definitely harder than breaking out of a chroot.
> >
>
> If we had SELinux policy enabled on the builders and used MLS on the
> chroots, that would mitigate chroot-to-chroot attacks. I'm not sure if
> policy could prevent a chroot'ed process from getting access to the
> builder's certificate. If it could, I think getting SELinux working on
> the builders would be an easier path than re-writing koji to use VMs.
>
> Maybe someone with more expertise could comment on the latter issue.
>
>
> koji already uses VMs for x86.
>
> Peter
>
Not for RPM builds.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
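The threat Miroslav describes above (a build that escapes the mock chroot and walks off with the builder's client certificate) and Jay's question about whether a chroot'ed process can be kept away from that certificate suggest a concrete host check. The script below is an added example written for this page, not code from koji, mock or the thread's authors. It audits a builder host for the two cheap failure modes: the certificate being readable by the unprivileged user the build runs as, and a copy of the certificate having ended up inside a chroot under mock's base directory. The paths `/etc/kojid/client.crt` and `/var/lib/mock` are assumptions for illustration, and `demo()` builds a constructed throwaway layout so the audit can run offline. A full escape to root defeats file modes entirely, which is the point of the VM and SELinux discussion; this check only catches the mistakes that make the escape unnecessary.

```python
"""Audit a Koji builder host for a client certificate exposed to build chroots.

Added example for this thread; the paths below are assumptions, not koji or
mock defaults read from any configuration.
"""
import os
import stat
import tempfile

DEFAULT_CERT = "/etc/kojid/client.crt"   # assumed location of the kojid client cert
DEFAULT_MOCK_BASE = "/var/lib/mock"      # assumed directory holding mock's chroots


def _is_under(path, root):
    """True if path is root or lies beneath it (symlinks resolved)."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    return path == root or path.startswith(root + os.sep)


def audit_cert(cert_path=DEFAULT_CERT, mock_base=DEFAULT_MOCK_BASE, allowed_uids=(0,)):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    try:
        st = os.lstat(cert_path)
    except FileNotFoundError:
        return [f"{cert_path}: not found"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{cert_path}: is a symlink to {os.readlink(cert_path)}")
        st = os.stat(cert_path)  # audit the target's mode and owner, not the link's

    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        findings.append(f"{cert_path}: mode {mode:04o} grants access to every local user")
    elif mode & stat.S_IRWXG:
        findings.append(f"{cert_path}: mode {mode:04o} grants access to group {st.st_gid}")
    if st.st_uid not in allowed_uids:
        findings.append(f"{cert_path}: owned by uid {st.st_uid}, expected one of {allowed_uids}")
    if _is_under(cert_path, mock_base):
        findings.append(f"{cert_path}: lives inside the mock base directory {mock_base}")

    # Look for byte-identical copies of the certificate inside any chroot.
    with open(cert_path, "rb") as fh:
        secret = fh.read()
    for dirpath, _dirs, files in os.walk(mock_base):
        for name in files:
            candidate = os.path.join(dirpath, name)
            try:
                cst = os.lstat(candidate)
                if not stat.S_ISREG(cst.st_mode) or cst.st_size != len(secret):
                    continue
                with open(candidate, "rb") as fh:
                    if fh.read() == secret:
                        findings.append(f"{candidate}: copy of the builder certificate inside a chroot")
            except OSError:
                continue  # unreadable or vanished mid-walk; not our concern here
    return findings


def demo():
    """Audit a constructed builder layout before and after fixing it."""
    base = tempfile.mkdtemp(prefix="koji-audit-")
    cert = os.path.join(base, "etc", "kojid", "client.crt")
    mock_base = os.path.join(base, "var", "lib", "mock")
    chroot_home = os.path.join(mock_base, "fedora-19-x86_64", "root", "builddir")
    os.makedirs(os.path.dirname(cert))
    os.makedirs(chroot_home)

    # Constructed placeholder, not real key material.
    pem = (b"-----BEGIN CERTIFICATE-----\n"
           b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
           b"-----END CERTIFICATE-----\n")
    with open(cert, "wb") as fh:
        fh.write(pem)
    os.chmod(cert, 0o644)  # weak: the unprivileged build user can read it
    leaked = os.path.join(chroot_home, ".client.crt")
    with open(leaked, "wb") as fh:
        fh.write(pem)      # a copy that found its way into the chroot

    me = (os.getuid(),)
    before = audit_cert(cert, mock_base, allowed_uids=me)
    os.chmod(cert, 0o600)
    os.remove(leaked)
    after = audit_cert(cert, mock_base, allowed_uids=me)
    return before, after


if __name__ == "__main__":
    weak, fixed = demo()
    print("before:", *weak, sep="\n  ")
    print("after:", fixed)
```

On a real builder, run `audit_cert()` with the cert path from `/etc/kojid/kojid.conf` and keep `allowed_uids` to root or the uid kojid runs as; anything the build user can read is already lost the moment a package escapes the chroot, no root exploit needed.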