Re: [User-mode-linux-user] security ??

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

I replied privately (by accident) with this:

It is possible right now for a hostile process to break out of the user-mode 
virtual machine and gain access to the hosting machine.

However, this is fairly easy to fix.  It would not be hard to turn the 
virtual machine into a secure jail.

> It's essentially a software sandbox; a safe place to play with
> untrusted apps.  I plan to write an article for LinuxMonth expanding
> on that idea and showing how to do it.

It is good for that, since a hostile program would have to specifically attack 
the kernel.  I don't think many such attacks have been implemented since uml 
is still fairly new...

> one could still not use it to directly gain root in the host OS.

Right.  You're root inside, but outside you're just a normal user.  So 
something that manages to break out goes from being root inside to being 
unpriviledged outside.

> I believe I remember reading that when a disk sector is being
> requested, the rest of uml is held up

The block driver is completely synchronous at this point.  I don't know how 
this affects performance, but it probably doesn't help.

> and the idle thread tends to soak up a lot of CPU time

It busy-waits, just like any normal idle thread.  I'm planning on using the 
kernel's APM support to turn the busy-waiting into sleeping.  This will make 
uml put a lower load on the system.

> The ultimate way to accomplish this would be to have all a shared,
> read-only filesystem with all the files that no-one needs to write to
> and a much smaller writeable root with symlinks for directories and
> writeable /var, /tmp, /etc, etc. directories.  Each uml mounts its own
> writeable root and this shared space.

That's a decent idea.  I was thinking about some kind of an overlay filesystem 
to do the same thing.

> Jeff - if the file on the host OS is read-only for the user running
> UML, can I mount it read-only in UML?  That would seem like a
> reasonably secure way of making sure none of the umls can corrupt or
> modify the shared filespace.

Yes.  What one kernel must not do is mount a device that another kernel has 
mounted read-write.

He's talking about sticking bind in a uml, which could work well.  It's not 
like a million-hit-per-day web server.

				Jeff