From: Blaisorblade <bla...@ya...> - 2005-11-25 23:31:24
Antoine, I'm CC:ing you about your UML SELinux policy - see below for context.

On Friday 25 November 2005 13:12, Chris wrote:
> Chris wrote:
> >Blaisorblade wrote:
> >>Yep, this crash wasn't described in your original mail, so please add all
> >>details about the compilation environment, the host kernel, the hardware
> >>and the scenario triggering the host crash (if any).
> >
> >here we go:
> >Portage 2.0.51.22-r3 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r2,
> >2.6.12-gentoo-r10-skas3-v8.2 i686)
> >=================================================================
> >System uname: 2.6.12-gentoo-r10-skas3-v8.2 i686 Pentium III (Coppermine)
> >Gentoo Base System version 1.6.13
> >ccache version 2.3 [enabled]
> >CBUILD="i686-pc-linux-gnu"
> >CFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
> >CHOST="i686-pc-linux-gnu"
> >CXXFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
> >
> >the system is a dual p3 with 1ghz (smp enabled), 2gb ram (high memory is
> >set to 4gb), nptl.
> >
> >the scenario was:
> >2 umls running chrooted using your precompiled um32-2.6.14-release. they
> >were bridged with the host using brctl, which so far went without
> >problems. to really stress them i started 10 scp which endlessly copied
> >bzipped kernelsources to and from each other (host<->uml, uml<->uml,
> >uml<->some other machine on the net) which pushed the load on the host
> >around 20.
> >~10h later the host crashed.
> >
> >i ran the same kind of test before without uml for 3 days nonstop to
> >test the host system before getting the umls into game, which worked
> >without a crash and a load around 30, so i guess it has something to do
> >with them, but to be sure i started the test again a few minutes ago,
> >only difference is that i'm trying your 2.6.13 binaries and on another
> >machine i began to recompile the system without a hardened tc and will
> >start the same test too and then post my results.
> >memtest also ran for ~24h without a failure, so i'm sure this isn't the
> >source of the problem.
> >
> >greets, chris
> >btw, how about grsec + uml? some plans for this? (just curious, because
> >the chroot-restrictions from grsec would be really a great thing for the
> >paranoids beyond us *grin)

Let me think - you refer to the SKAS3 patch merged with grsec? I looked into
this some time ago on request, after somebody posted a merge, but I deadlocked
on a problem for conceptually proper handling of some per-process settings.
However, I remember that probably the concern wouldn't be triggered in practice
by UML usage, and that possibly it was more theoretical than practical. So it
may go on my TODO list, but it's very long.

Instead, another possibility is the use of SELinux - I say that because Antoine
Martin some time ago has written a SELinux policy and possibly he's going to
share that, on request, after some tidyup (that's possibly needed). In this
case, I hope Antoine would write something on the Wiki.

> just to let you know, a few minutes ago the host crashed again... (no
> net, no screen, no numlock, it's fully dead) :(
> if there's anything i can do to help resolve this please let me know and
> i'll do what i can, because i think it would be a great thing to let uml
> run on hardened systems.

Ok, let's focus on what's interesting - since a host crash is due to the host
kernel, let's focus on that and do differential analysis. You have a

*) 2.6.12 (the bug could have been fixed)
*) with SKAS (it may be at fault)
*) compiled with hardened toolchain (you may have discovered a miscompilation).

I suggest trying to change these things in this order...

> as being a 'secure virtual os' for untrusted
> (root-)users it can't be bad to secure the host as much as possible.
> thx for your time, chris

-- 
Inform me of my mistakes, so I can keep imitating Homer Simpson's "Doh!".
Paolo Giarrusso, aka Blaisorblade (Skype ID "PaoloGiarrusso", ICQ 215621894)
http://www.user-mode-linux.org/~blaisorblade