Below are the 10 most recent journal entries recorded in the "James Morris" journal:
Fedora 11 with sVirt|
sVirt (MAC security for Linux Virtualization), which I've previously discussed here, and formally presented at LCA in January, was released today as an integral part of virtualization in Fedora 11.
If you'd like to give it a spin, simply download and install Fedora and use the GUI admin tools to create a new virtual machine.
Thanks again to Dan Walsh, Dan Berrange and all the developers who helped with input and the heavy lifting work of completing the userland code. It still amazes me how fast things move in FOSS.
As mentioned in my last+1 post, Dan W will be talking on this topic at the upcoming LinuxCon.
Further developments in this area are already underway, and you can expect to hear about them in the coming months—see the talk slides for possible hints.
Tags: fedora, fedora11, foss, kvm, lca, linux, linuxcon, mac, security, selinux, svirt, virtualization
SELinux Sandbox and Ambient Authority|
Dan Walsh recently introduced SELinux sandbox. This is a mechanism for launching untrusted applications from the command line, which uses a strict MAC policy to isolate the executed application from the rest of the system. There's been a good discussion of the topic on LWN, and I thought it might be worth highlighting a few points.
Firstly, this sandboxing scheme is not a separate package. It's an addition to the standard SELinux security policy to define the sandboxed domain, coupled with a script to set up the environment and launch applications in that domain.
The idea for this came out of a few emails following a recent discussion about extending seccomp for more generalized sandboxing. Essentially, the question was asked "what can we do with SELinux and simple sandboxing?", and the result is now available in Fedora development. If you update to the latest packages, it should simply be there ready to go.
The security policy for the sandbox domain is designed to provide the sandboxed application with only the absolute minimum set of permissions required to run. It can load shared libraries, for example, although a future refinement could provide an option to run only static binaries. It cannot interact in an ad-hoc manner with the rest of the system. A scratch tmpfs filesystem may be optionally mounted for the application if required, and unique MCS labels are used to separate sandboxes from each other. Another future refinement will likely include launching sandboxes in private namespaces.
# sandbox id -Z
The above shows how the id command, launched via the new sandbox utility, is running in the sandbox domain with MCS categories c226 and c674. The values of these don't matter, as long as they're unique on the system.
As root (and note that this is not designed to be run as root, but for demonstration purposes it helps to show the confinement of privileges if they exist), you can't do anything special via sandbox:
# sandbox cat /etc/shadow
/bin/cat: /etc/shadow: Permission denied
# sandbox touch /tmp/moo.txt
/bin/touch: cannot touch `/tmp/moo.txt': Permission denied
In fact, you can't open any files on the global system.
Ambient authority describes the form of authority commonly seen in general purpose operating systems. This form of authority is what allows, for example, a user on a Linux system to open any file for which she has read access, whether she needs to open the file or not. It is seen as problematic in establishing strong security, due to problems such as the Confused Deputy, where authority (i.e. the ability to perform an action) is arbitrarily escalated throughout the system.
(For a particularly clear explanation of these concepts, see the first ten minutes of this talk by David Wagner.)
When an application is launched via sandbox, with no inessential permissions, as much ambient authority as possible has been removed by SELinux MAC. Instead, authority is explicitly provided to the sandboxed application via a pipe file descriptor handed to it by the launching process (i.e. the standard Unix scheme of constructing pipelines).
Note carefully the difference between these two commands:
# wc -l /etc/shadow
# cat /etc/shadow | wc -l
In the first example, the wc application directly opened the file /etc/shadow for reading. It used ambient authority to do this.
In the second example, wc was handed a file descriptor which was already opened by the calling process, and did not require any ambient authority to read the data in the file: the authority was explicitly tied to the file by the caller, and wc was entirely unaware of which file it was reading. wc in this case does not need any permissions except to access the file descriptor passed by the caller. (It still has ambient authority; it just didn't need to use it here.)
Running the above with SELinux sandboxing in effect:
# sandbox wc -l /etc/shadow
/usr/bin/wc: /etc/shadow: Permission denied
# cat /etc/shadow | sandbox wc -l
wc now has no authority except that passed in by the calling process via the sandbox. In other words, it does not have ambient authority when invoked via the sandbox.
This is a very simple and powerful concept for security purposes, as it is possible to define strict information flows between applications in a dynamic and controlled manner, without the need for additional global security policy. It's inherently Unix-y, too.
There are many potential applications of this form of sandboxing, particularly where you need to process information between different security realms (e.g. incoming mail which needs to be passed through a chain of scanning and filtering applications), and for dealing with large and complicated applications processing arbitrary untrusted data.
Keep an eye on Dan's blog for upcoming work on desktop security with SELinux sandboxing.
Tags: ambient authority, fedora, linux, mac, object capabilities, sandbox, security, selinux
Linux Security Events in Portland|
Several Linux security events are planned in association with LinuxCon this year in Portland, Oregon.
- 2009 SELinux Developer Summit
The CFP for this event has just been published. The developer summit will be held on the 20th of September as an ancillary event of LinuxCon. This is a one-day event, and developers are encouraged to submit proposals around the primary topics of extensibility and usability. We're hoping to have a flexible format this year, perhaps with half a day of talks and then half a day of hack sessions. Note that all attendees need to be registered for LinuxCon, and that earlybird registration ends this Monday, June 1st. Also, please subscribe to the event mailing list if you're planning to attend, so we can estimate numbers. More details are available at the summit web page.
- Security Microconf
A security microconf will be held at the co-located Plumbers Conference. The Call for Topics ends on June 15th, and anyone doing interesting work in Linux security should consider submitting a proposal. Also see the LWN topic discussion and Paul McKenney's recent blog entry on the event.
- LinuxCon Talks
There are several security-related talks at LinuxCon itself:
I'll be giving a LinuxCon talk on adding extended attributes support to NFSv3, presenting a prototype implementation (based on the GPL IRIX code) for discussion. xattrs are a very common feature in Unix and Linux filesystems, but there is no standard for them, nor for conveying them over NFS. NFSv4 supports "named attributes", although this is based on the Solaris extended attribute scheme (subfiles), and is somewhat incompatible with the simple name/value string-based xattrs supported by Linux, BSD, IRIX etc. It would be nice to have Linux-style xattrs supported in NFSv3, with the current work then potentially forming the basis for a future NFSv4 protocol extension. If you're interested in this stuff, please consider attending and helping with the discussion.
Tags: developers, events, fmac, labeled networking, labeled nfs, linux foundation, linux plumbers conference, linuxcon, lsm, mac, mandatory access control, nfs, portland, security, selinux, svirt, virtualization
sVirt merged into upstream libvirt|
The sVirt code has now been merged into the upstream libvirt repository (git mirror). Thanks to Dan Walsh for taking on the remaining userspace development, and Daniel Berrange and the rest of the libvirt folk involved for reviewing and improving the code.
While we'll be focusing on the SELinux driver for sVirt, a really useful and cool project for someone interested in security and virtualization would be to develop a SMACK driver.
Tags: foss, kvm, libvirt, linux, mac, mandatory access control, security, selinux, smack, svirt, virtualization
Locking down your browser plugins in F10|
With the recent news of multiple vulnerabilities in Adobe flash software, folk running Fedora 10 may wish to consider using SELinux to confine browser plugins.
Dan Walsh has previously implemented SELinux lockdown for browser plugins via nspluginwrapper, as discussed here. Unfortunately, this has been disabled by default, due to a clash with the mozplugger package, which uses nspluginwrapper to launch applications inside the browser.
Personally, I'm happy to have OpenOffice or similar open up in a separate window, using the standard Firefox mechanism for doing so, especially if it means I'm able to keep browser plugin confinement enabled.
Here's what I did:
# yum remove mozplugger
# setsebool -P allow_unconfined_nsplugin_transition=on
# setsebool -P allow_nsplugin_execmem=off
# setsebool -P nsplugin_can_network=off
This of course removes mozplugger, but I don't seem to need it. When downloading a PDF, for example, Firefox prompts if I want to open it with evince, and provides me with an option to always do that without further prompting. YMMV.
The setsebool commands change several nspluginwrapper options in SELinux, while the -P option ensures that the changes persist across reboots (see setsebool(8)).
allow_unconfined_nsplugin_transition ensures that nspluginwrapper transitions to a new security label when running a plugin, so that special security policy can be applied to it. This is required for any useful effect.
Setting allow_nsplugin_execmem to off ensures that memory protections are enforced, preventing plugins from executing code on the stack and in mapped memory.
Setting nsplugin_can_network to off prevents plugins from connecting to anything other than reserved ports. Apparently, this may upset some flash code which wants to call home (you'd be surprised how much of this goes on, or perhaps not), so you may want to leave this as-is, or at least keep an eye on the messages from setroubleshoot.
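Since the -P flag is what makes these settings survive a reboot, it is worth being able to verify that the three booleans above actually hold. The following is an added example, not from the post or from the SELinux tools: it parses `getsebool -a` style output (the sample below is constructed), reports drift from the state set by the commands above, and emits the corresponding setsebool commands.

```python
import subprocess

# Desired nspluginwrapper boolean state, taken from the setsebool commands above.
DESIRED = {
    "allow_unconfined_nsplugin_transition": "on",
    "allow_nsplugin_execmem": "off",
    "nsplugin_can_network": "off",
}

# Constructed sample of `getsebool -a` output (not captured from a real system),
# deliberately showing an unhardened state for all three booleans.
SAMPLE_GETSEBOOL = """\
allow_nsplugin_execmem --> on
allow_unconfined_nsplugin_transition --> off
httpd_can_network_connect --> off
nsplugin_can_network --> on
"""


def parse_getsebool(text):
    """Parse 'name --> on|off' lines into a dict; any other line is ignored."""
    state = {}
    for line in text.splitlines():
        name, sep, value = line.partition("-->")
        if sep and value.strip() in ("on", "off"):
            state[name.strip()] = value.strip()
    return state


def live_state():
    """Read the booleans from the running system; None if getsebool is unavailable."""
    try:
        out = subprocess.run(["getsebool", "-a"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_getsebool(out.stdout)


def check_booleans(state, desired=DESIRED):
    """Return {name: (current, wanted)} for each boolean that is unset or differs."""
    return {name: (state.get(name, "missing"), wanted)
            for name, wanted in desired.items() if state.get(name) != wanted}


def remediation(drift):
    """Persistent (-P, as in the post) setsebool commands that would fix the drift."""
    return [f"setsebool -P {name}={wanted}"
            for name, (_current, wanted) in sorted(drift.items())]


if __name__ == "__main__":
    # Fall back to the constructed sample when not running on an SELinux host.
    state = live_state() or parse_getsebool(SAMPLE_GETSEBOOL)
    for cmd in remediation(check_booleans(state)):
        print(cmd)
```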
Note that if you do run into problems, you can put SELinux into permissive mode rather than disabling it, which will at least provide some useful logging information (and feel free to post questions to the fedora-selinux-list).
Btw, here's how to configure SELinux for permissive mode:
System -> Administration -> SELinux Management
Set 'System Default Enforcing Mode' to 'Permissive'
And you're done.
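Both the "Permission denied" results in the sandbox entry above and any plugin tripped up by these booleans show up as AVC denial records in the audit log, which is what setroubleshoot reports on and what permissive mode keeps producing. As an added example, not taken from the post or from the SELinux tools, here is a small Python parser that summarises such records per source domain and, for the sandbox, per MCS instance; the audit lines are constructed, and the sandbox_t and nsplugin_t type names, PIDs, inodes and timestamps are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit records (not real log output). The sandbox_t and
# nsplugin_t types, PIDs, inodes and timestamps are assumptions chosen to match
# the scenarios in the posts; the last line shows a non-AVC record being skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1244000000.101:201): avc:  denied  { read } for  pid=4021 comm="cat" name="shadow" dev=dm-0 ino=262401 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c226,c674 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1244000000.233:202): avc:  denied  { write } for  pid=4025 comm="touch" name="tmp" dev=dm-0 ino=2 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c226,c674 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1244000000.310:203): avc:  denied  { read } for  pid=4030 comm="wc" name="shadow" dev=dm-0 ino=262401 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c311,c502 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1244000000.412:204): avc:  denied  { name_connect } for  pid=4040 comm="npviewer.bin" dest=8080 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1244000000.412:204): arch=c000003e syscall=42 success=no exit=-13
"""

# Header of an AVC record: timestamp:serial, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    return rec


def parse_audit(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def context_type(ctx):
    """Type field of a user:role:type[:level[:categories]] context string."""
    return ctx.split(":")[2]


def context_categories(ctx):
    """MCS categories of a single-level context, e.g. {'c226', 'c674'}; empty if none.
    Assumes the simple s0:cX,cY form the sandbox uses, not a low-high range."""
    parts = ctx.split(":")
    return frozenset(parts[4].split(",")) if len(parts) >= 5 else frozenset()


def denials_for_domain(records, domain_type):
    """Denials whose source (subject) context carries the given type."""
    return [r for r in records
            if r["result"] == "denied" and "scontext" in r
            and context_type(r["scontext"]) == domain_type]


def summarise(records, domain_type="sandbox_t"):
    """Count denials per (comm, target class, permission) for one domain, and collect
    the distinct MCS category sets seen, i.e. the distinct sandbox instances."""
    counts = Counter()
    instances = set()
    for r in denials_for_domain(records, domain_type):
        for perm in r["perms"]:
            counts[(r.get("comm", "?"), r["tclass"], perm)] += 1
        instances.add(context_categories(r["scontext"]))
    return counts, instances


if __name__ == "__main__":
    counts, instances = summarise(parse_audit(SAMPLE_AUDIT), "sandbox_t")
    print(f"{len(instances)} sandbox instance(s) produced denials")
    for (comm, tclass, perm), n in sorted(counts.items()):
        print(f"{n:3d}  {comm:<14} {tclass:<10} {perm}")
```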
A bugzilla ticket has been opened on the issue of finding a long-term solution which allows both mozplugger and plugin confinement to co-exist, but unfortunately, users currently need to decide whether they prefer increased security or a more Windows-like experience, with the latter as the default.
Tags: adobe, browser, desktop, fedora, fedora10, firefox, linux, mac, plugins, screenshots, security, selinux, setebool
LCA sVirt talk video online|
Some videos from LCA 2009 have been posted online, per this email from Mary Gardiner.
The video from my sVirt (MAC security for Linux virtualization) talk is available as an OGG file. I've also re-uploaded it as a google video.
I'd suggest having a copy of the slides open when watching, as they're not always shown in the video, and you're definitely better off looking at them than me in any case.
LCA was a genuinely enjoyable conference: laid-back and really well organized, with a good balance of talks. One really great aspect was the way internet access was provided to the accommodation, which at least in my case, worked perfectly, with a microwave link from UTAS connected to the hotel's internal wiring. I often need to work during conferences, and having good network access is probably my top priority in selecting accommodation.
I was glad to be part of the security miniconf organized by Casey Schaufler, which brought together folk from the kernel security community and various highly technical folk. There were talks from several leading security developers, including Casey (fs capabilities and rootless systems), Russell Coker (standing in for Kaigai Kohei on SE-postgresql and web application MAC), and Kentaro Takeda (TOMOYO). The miniconf concluded with an open panel discussion which was covered by LWN. For reasons I can't quite recall now, I ended up doing an ad-hoc presentation on Fedora Kiosk Mode, which I think helped demonstrate some of the progress SELinux has made in terms of usability and extension to general use scenarios.
Also see my flickr photoset, and a short video of one of the exhibitions from the Batteries Not Included art exhibition, which ran as part of the conference.
LCA 2010 will be held in Wellington, New Zealand -- here's an amusing video by the organizers. I hope to make it there.
Tags: events, fedora, foss, hobart, kernel, lca2009, libvirt, linux, linux.conf.au, lsm, mac, mandatory access control, security, selinux, smack, svirt, tasmania, tomoyo, virtualization
sVirt slides from LCA|
The slides from my LCA talk on sVirt may be found here in PDF format.
The talk seemed to go reasonably well, and had a larger audience than I expected given that Tridge and Willy were talking at the same time. A video of the talk should appear online soon.
Tags: events, foss, hobart, kvm, lca, lca2009, libvirt, linux, linux.conf.au, lsm, mac, mandatory access control, security, selinux, smack, svirt, tasmania, virtualization
Security changes in the 2.6.28 kernel|
Version 2.6.28 of the Linux kernel was released during Christmas, so I thought it'd be worthwhile waiting until after typical vacation days to post a summary of changes to the security subsystem. As always, thanks to the Kernel Newbies folk who track major kernel changes.
- Dummy SELinux policy support
Serge Hallyn added a dummy policy for SELinux to the kernel tree. This is useful for testing SELinux and a base for building minimal and experimental security policies.
- Bounded per-thread security contexts for SELinux
KaiGai Kohei submitted a patch which allows different threads in a process to be labeled with distinct security contexts. Such threads are guaranteed to not exceed the security policy permissions of the parent process. This is part of his work in extending SELinux to the web application stack, and in this case, is aimed at constraining in-process web server scripts (e.g. mod_python applications).
- Labeled networking updates
Paul Moore provided a series of updates to the Labeled networking subsystem, which he promises to document on his blog.
- MAC policy for privilege in Smack
Casey Schaufler extended Smack so that MAC policy may be used to limit the use of privilege. Previously, the Smack model maintained strict orthogonality between privilege and access control, where privileged processes were exempted from MAC policy enforcement. This feature allows for MAC policy enforcement of processes running with a specific security label (as written to /smack/onlycap), or for all processes if the onlycap label is specified as '*'.
- TPM updates
Rajiv Andrade provided several updates for the TPM driver.
This was not a terribly exciting release for the security subsystem.
Thus far for the 2.6.29 kernel, the main change is the massive credentials API change from David Howells. This has caused a couple of regressions, which were picked up by subsystem testing of Linus' tree. Fixes have been developed and are currently partially merged upstream. It seems we need to get more testing done in linux-next to avoid such breakage during future merge windows.
Also noteworthy is the merge of the pathname security hooks for LSM, which should pave the way for TOMOYO and AppArmor in 2.6.30, subject to the general patch submission review process. TOMOYO is only a couple of acks from approval, has been baking in -mm, and is pretty much self-contained. It may even appear in 2.6.29 if the merge window is open for features long enough.
Tags: apparmor, kernel, labeled networking, linux, lsm, mac, security, selinux, smack, tomoyo
FOSS.IN has certainly changed a lot since I first attended in 2005, when there were several thousand delegates, an expansive talks programme, and a significant commercial presence with a dedicated trade hall. Since then, and particularly following this year's omlette post, the organizers have been nudging the conference toward an increasingly technical and participatory event.
This year, somewhat following the example of the Plumbers Conference
, the core of FOSS.IN became workout sessions, with fewer traditional conference talks. The aim, according to the organisers, is to provide Indian developers with access to a dedicated technical event similar to the experiences available to FOSS developers in North America and Europe.
Approximately a thousand delegates registered, although I'd estimate that there were typically around three to five hundred people present during the course of the conference. One of the organizers noted that in previous years, the crowd of delegates would change from day to day, reflecting each day's programming, but that this year, the crowd was essentially the same throughout.
While there were several standalone talks, this was not an event aimed at a passive audience. From my observations, the main action was found in active participation in workout sessions, BoFs, and ad-hoc hacking gatherings. It seemed that wherever there was a power outlet, you'd find a small group of people gathered with laptops, working on something.
There was a major KDE presence at the conference, although most of my time was spent involved in kernel-related events. I heard that a KDE theme song was composed, performed and recorded at the conference, so I wonder if this may be the first FOSS conf to create and ship a conventional work of art.
Around two weeks before the conference started, the organizers allocated a day to a then yet-to-be-defined Linux Kernel Hacker Gathering, asking kernel folk to "organize something". Several emails later, with a growing cc: list and finally a small mailing list set up by Harald, a basic outline was determined. A planning meeting was organized for the Monday before the conference at the IBM Bangalore campus. Details of the Kernel Workout were also finalized there.
The LKHG event started on Friday with a series of talks on various kernel topics by upstream developers, then opened up for a series of lightning talks from delegates, and finished with an open discussion. There weren't as many lightning talks as were hoped for, which was not unreasonable given the excessively short lead-time for the CfP. For this to work better in the future, I'd suggest having a much longer lead-time, and more publicity aimed specifically at kernel developers working outside of the upstream process, to engage such folk with the wider community. There were still some very good discussions around the relatively few lightning talks, in any case.
The kernel workout session was then held the following and final day. It appeared to succeed beyond expectations, largely due to the planning which happened in the few available days beforehand. Getting the word out on the prerequisites was critical. In this case, to participate, you had to be ready to hit the ground running with an already checked-out source tree on your laptop, which you knew how to build and run. Following that, it was a matter of choosing something from the set of tasks selected by the organizers, and asking for help from mentors if needed. There was also a preparatory session before the workout for people to get set up, although I missed that as I was giving a different talk at the time. Many of the major upstream Indian kernel hackers were there as mentors, so it was definitely the place to be to really get into things.
The results of the workout have been published on the workout wiki. As of writing, several patches from the workout have now been accepted into the kernel. Some were already posted and receiving review before the end of the workout.
Earlier that day, I gave a talk on Fedora Kiosk Mode. It's useful now to have a high-level application such as this to demonstrate an application of modern MAC security. Thus far, it's been difficult to communicate the benefits of generalized MAC in theoretical terms. It's clear from the example of Kiosk Mode that MAC does not need to be complicated if abstracted correctly, and that it can provide desirable and useful benefits to everyday users. There's a lot more to come in this area, too.
A particular highlight of the conference was the closing keynote by Kalyan Varma, which turned out to be probably the best talk I've ever seen on any topic. I knew it was something to do with photography, but I had no idea what was in store: a linking of ideas as diverse as FOSS community principles; amusing security hacking demonstrations; photographing new species; having your work exhibited at the London School of Economics; working with the BBC and David Attenborough; getting a cheque from the makers of Snakes on a Plane for using one of your Creative Commons flickr photos; and what this all has to do with drinking tea and saving the environment. Harald has also written about the talk. I hope the video of the talk is published online soon, and I really wouldn't be surprised to see Kalyan presenting it at TED.
Overall, I greatly enjoyed the conference, and feel that I'd generally prefer to attend these kinds of working conferences in the future. Given the overheads involved in travel (productivity hits in particular), the traditional "famous people get up and talk about how great they are" talk-based conferences are decreasingly compelling. It's great to meet up with folk I've been working with online, but even greater to do so in the context of getting useful development-related tasks done.
A huge thanks to the team for letting me be part of this amazing event. There was certainly no shortage of challenges for them this year, and they ensured that everyone who put something into the conference got a lot more back out.
Tags: bangalore, developers, events, foss.in, india, kde, kernel, linux, mac, security, selinux, snakes on a plane
Upcoming conference talks on SELinux applications: sVirt and Kiosk Mode|
Recently, I've been busy getting the initial cut of sVirt out, and am currently processing community feedback before issuing an update. The basic idea behind sVirt is to apply MAC label security (SELinux, Smack etc.) to Linux-based virtualization schemes such as KVM, allowing the existing OS-level security mechanisms to be re-used for process-based VMs. This is an application of one of the core advantages of Linux-based virtualization, where generally, all of the Linux process management infrastructure within the kernel and wider OS may be applied to domains which run inside Linux processes. So, for MAC label security in this case, we don't need to do anything in terms of modifying kernel security mechanisms, and simply modify security policy as desired. We can focus on developing the appropriate high-level abstractions (e.g. management tool support) rather than developing a new security mechanism.
How can this be useful? In the simplest case, we can increase isolation between virtual machines by assigning them different security labels, and enforcing a MAC policy which prevents them from interacting. This helps ameliorate the increased risk arising from running domains on the same hardware where previously they may have been physically separated on different machines. This is just a start. There are plenty of interesting things which can be done once the core functionality is in place, although the initial idea is to simply provide stronger isolation to better protect domains from each other.
At an architectural level, security labeling support is being added to libvirt, a virtualization API which abstracts various aspects of virtualization including different hypervisor types, storage, networking, and with sVirt: MAC security. With sVirt integrated at the API level, security labeling support can be integrated into high-level tools via standardized and flexible abstractions. For example, when creating a new domain, the graphical virt-manager tool may include a checkbox to designate the domain as "isolated"—or perhaps just do it by default for true zeroconf.
I'll be introducing sVirt more completely at LCA next January, so if you're marching south and have interests in both security and virtualization, it might be worth popping in. I'm up against Tridge in the timeslot, so it might be an intimate session.
Next week, I'll be giving a talk on Fedora Kiosk Mode at Malaysia's inaugural developer conference, FOSS.MY. Kiosk Mode is another high-level MAC security application, where anonymous users can safely access desktop sessions and browse the internet. If you have the package installed, it Just Works, as people are starting to notice.
I've been shortlisted on the same topic at the revamped FOSS.IN a few weeks later. There's also been some discussion of a kernel development workout session, in which I'd love to participate, although it's not yet short-listed. There's also the FUDCon attached to FOSS.IN. We're hoping to have a Fedora box there running Kiosk Mode for people to play with.
Tags: bangalore, developers, events, fedora, foss.in, foss.my, fudcon, india, kuala lumpur, kvm, linux, mac, malaysia, security, selinux, svirt, virtualization