Re: [ANNOUNCE][RFC] sVirt: Integrating SELinux and Linux-based virtualization

On Tue, 12 Aug 2008, Russell Coker wrote:

> having different labels for processes and files so that if someone cracks the 
> UML kernel then they end up with just a regular user access on the Linux 
> host.  Which of course they could then try to crack with any of the usual 
> local-root exploits.
> 
> For separation based on Xen if someone cracks the hypervisor then you lose 
> everything.
> 
> For KVM (which seems to be the future of Linux virtualisation) I don't know 
> enough to comment.

KVM uses a modified version of Qemu where guests run as Linux processes.

There are some useful documents here:
http://kvm.qumranet.com/kvmwiki/Documents

(The OLS paper especially).


> So by "Linux-based" you mean in contrast to Xen which has the Xen kernel (not 
> Linux) running on the hardware?

Yes.

> > I don't understand what needs to be backed here.  Currently, MAC is not
> > used to separate different Linux-based VMs, and by integrating MAC
> > support, people will be able to further utilize MAC.
> 
> One thing that should be noted is the labelled network benefits.  If you had 
> several groups of virtual servers running at different levels and wanted to 
> prevent information leaks then having SE Linux contexts and labelled 
> networking could make things a little easier.
> 
> I have had some real challenges in managing firewall rules for Xen servers.  
> My general practice is to try and make sure that there is no real need for 
> firewalls between hosts on the same hardware (not that I want it this way - 
> it's what technical and management issues force me to).
> 
> So for example if I have an ISP Xen server running virtual machines for a 
> number of organisations I make sure that they are either all within a similar 
> trust boundary (i.e. affiliated groups) or all mutually untrusting (i.e. other IP 
> addresses in the same net-block are treated the same as random hosts on the 
> net).

Thanks for the insights -- we expect to address the virtual networking 
aspect in some way.

> The issue is whether the hypervisor you care about can be broken out of in 
> that way.  It seems that if someone can break out of Xen then you just lose.  
> For KVM I don't know the situation, do you have a good reference for how it 
> works?
> 
> http://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine
> 
> The above web page says that KVM is all based in the kernel, in which case why 
> would it be any more resilient than Xen?

KVM uses a kernel module to utilize the virt hardware (which Qemu 
interfaces with via /dev/kvm), but the guest runs in a userspace process.

I'm not comparing which is more resilient.


- James
-- 
James Morris
<jmorris@xxxxxxxxx>
