From: Erik de B. - L. <Erik@LowVoice.nl> - 2003-08-29 14:07:48

Hi List,

To create an extra barrier between the host and guest OS we wanted to chroot a UML system. We created a chrooted environment to run a non-writable but executable Linux kernel, while the user the UML runs as only has writable filesystems and a read-only hostfs. This way, even with a compromised or exploitable kernel you couldn't write binary executable files onto the host filesystem. This is essential to get tools for further exploiting bugs on the host. We think this very much solves many of the security issues we could think of.

We've bind mounted just /dev/net to the inside of the chroot so it can use tun/tap networking, but no other things in /dev are reachable. We've also been trying to do the same with /proc/mm, but this is a file, so it's only possible to bind the whole /proc. It's a lot safer than not chrooting at all anyway, but it would very much remove a lot of risks that still exist. We think that changing the location of /proc/mm to /proc/mm/mm would make deeper security measures possible.

Erik
From: Matthew B. <ma...@by...> - 2003-08-29 14:34:29

On Fri, Aug 29, 2003 at 04:07:03PM +0200, Erik de Bruijn - LowVoice wrote:
> Hi List,
>
> To create an extra barrier between the host and guest OS we wanted to chroot
> a UML system. We created a chrooted environment to run a non-writable but
> executable Linux kernel, while the user the UML runs as only has writable
> filesystems and a read-only hostfs. This way, even with a compromised or
> exploitable kernel you couldn't write binary executable files onto the host
> filesystem. This is essential to get tools for further exploiting bugs on
> the host. We think this very much solves many of the security issues we could
> think of.
> We've bind mounted just /dev/net to the inside of the chroot so it can use
> tun/tap networking, but no other things in /dev are reachable. We've also
> been trying to do the same with /proc/mm, but this is a file, so it's only
> possible to bind the whole /proc.

Not true, you can type:

    mount --bind /proc/mm /your/jail/proc/mm

for any file or directory to show a duplicate of it in another part of the filesystem.

-- 
Matthew Bloch
Bytemark Hosting
tel. +44 (0) 8707 455026
http://www.bytemark-hosting.co.uk/
Dedicated Linux hosts from 15ukp ($26) per month
From: Goetz B. <bo...@bl...> - 2003-08-29 14:39:27

On Fri, Aug 29 '03 at 16:07, Erik de Bruijn - LowVoice wrote:
> [ ... chroot the uml binary, for security ... ]
> We've bind mounted just /dev/net to the inside of the chroot so it can use
> tun/tap networking, but no other things in /dev are reachable. We've also
> been trying to do the same with /proc/mm, but this is a file, so it's only
> possible to bind the whole /proc.

No, just do

    touch $CHROOT_DIR/proc/mm
    mount -o bind /proc/mm $CHROOT_DIR/proc/mm

to bind mount single files

-- 
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2003 as GNU FDL 1.1
 X  [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
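The following script is an added example, not code from the thread or from the UML project. It puts together the setup Erik describes and the single-file bind-mount step that both Matthew's and Goetz's replies give: a root-owned, non-writable kernel inside the jail, /dev/net bound in for tun/tap, and /proc/mm bound in as a single file after creating an empty target file for it. The jail root $JAIL and the kernel path $UML_KERNEL are assumed names; /dev/net and /proc/mm are the host paths named in the thread. With DRY_RUN=1 the script prints each privileged command instead of running it, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a chroot jail for a UML binary,
# exposing only /dev/net and /proc/mm from the host. $JAIL and $UML_KERNEL are
# assumed paths; DRY_RUN=1 prints the privileged commands instead of running them.

JAIL="${JAIL:-/var/jail/uml}"
UML_KERNEL="${UML_KERNEL:-/usr/local/bin/linux}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bind one host path into the jail at the same relative location.
# The mount point must already exist and match the source's type: a directory
# for /dev/net, an empty regular file for /proc/mm. Creating that empty file
# with touch is the step that makes a single-file bind mount possible.
bind_into_jail() {
    kind="$1"   # "dir" or "file"
    src="$2"
    dst="$JAIL$src"
    case "$kind" in
        dir)
            run mkdir -p "$dst"
            ;;
        file)
            run mkdir -p "$(dirname "$dst")"
            run touch "$dst"
            ;;
        *)
            echo "bind_into_jail: unknown kind '$kind'" >&2
            return 1
            ;;
    esac
    run mount --bind "$src" "$dst"
}

# Copy the UML kernel into the jail so the unprivileged user the UML runs as
# can execute it but not modify it (root-owned, mode 0555).
install_kernel() {
    run mkdir -p "$JAIL/bin"
    run cp "$UML_KERNEL" "$JAIL/bin/linux"
    run chown root:root "$JAIL/bin/linux"
    run chmod 0555 "$JAIL/bin/linux"
}

# Expose only the two host paths the guest needs: the tun/tap device directory
# and the /proc/mm file. The rest of /dev and /proc stay outside the jail.
prepare_jail() {
    install_kernel
    bind_into_jail dir /dev/net
    bind_into_jail file /proc/mm
}

# Entry point: "sh prepare-uml-jail.sh run" as root performs the setup;
# "DRY_RUN=1 sh prepare-uml-jail.sh run" only prints what it would do.
if [ "${1:-}" = run ]; then
    prepare_jail
fi
```

Running it with DRY_RUN=1 first and reading the printed commands is a cheap way to confirm that nothing but /dev/net and /proc/mm ends up bound into the jail before the mounts are made for real.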