From: Matthew Bloch <matthew@by...> - 2002-10-02 12:14:53
I'm trying to make life harder for people who want to "break out" of a UML
instance to run other programs with their UML's user privileges, in a
virtual hosting environment. I'd appreciate criticism of my scheme, or
suggestions on how to improve it, or implement alternatives. I'm working
from the assumption that even with the "jail" option enabled for a UML
instance, user processes may still find a way to break out. If there is a
performance hit with the jail option, as is hinted at in the documentation,
can anyone be more specific as to what this is down to? Because if it's
significant I'd like to run our UML kernels without it, and maybe the scheme
below would be more useful.
So, I've added a new system call to my host kernel, stop_exec, which flags a
process as being "banned" from calling the execve system call. Then before
my UML instance calls linux_main(), it calls stop_exec so that anyone who
wanted to try to run a shell, reverse telnet etc. using host binaries is
As I understand it the only time a UML will want to call exec() to the host
kernel is on reboot, and reboots can be taken care of externally.
Does this improve security at all? Are there any other ways of tightening up
with some simple controls on the host kernel? e.g. could we also "ban"
creation of new files from the host kernel as well?
Or is there a more effective way of ensuring users cannot break out of their
Matthew Bloch Bytemark Computer Consulting Limited
tel. +44 (0) 8707 455026
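The "flag the process, then refuse execve" scheme from the message above, as an added example that is not part of the original post or of the UML project: instead of a custom host-kernel syscall it uses seccomp-bpf, which a modern Linux host already provides, so `stop_exec` here is a hypothetical user-space function with the same effect, and `/bin/true` is an assumed path used only to show the result.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the post's stop_exec syscall: a seccomp-bpf filter
 * that makes execve/execveat fail with EPERM for this process and every
 * descendant. Irreversible, like the post's "banned" flag. Returns 0 or -1. */
int stop_exec(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),   /* execve   -> EPERM */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1), /* execveat -> EPERM, else ALLOW */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    /* A production filter also checks seccomp_data.arch so syscall numbers of a foreign ABI (32-bit compat) are not misread as these two. */
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* Lets an unprivileged process install the filter; also rules out setuid gains. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Forks and tries to execve a host binary (/bin/true is an assumed path).
 * Returns 0 if the exec ran, otherwise the errno the child's execve failed with;
 * the filter rejects the call before the kernel even looks the path up. */
int exec_result(void) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        char *argv[] = { "/bin/true", NULL };
        execve(argv[0], argv, NULL);
        _exit(errno & 0xff);           /* only reached when execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("before stop_exec: exec_result=%d\n", exec_result());   /* 0: exec ran */
    if (stop_exec() != 0) { perror("stop_exec"); return 1; }
    printf("after stop_exec: exec_result=%d (EPERM=%d)\n", exec_result(), EPERM);
    return 0;
}
```

Note that, unlike the post's per-process flag, a seccomp filter is inherited across fork, so it is installed once before the guest kernel starts and covers everything the instance later spawns.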