LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Announcements
->One big page
This page
Previous weekFollowing week
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SecurityLSS: Secure Linux containersWhile the Linux Security Summit (LSS) was held later in the week, it was logically part of the minisummits that accompanied the Kernel Summit—organizer James Morris made a forward-reference report on LSS as part of the minisummit reports. Day one was filled with talks on various topics of interest to the assembled security developers, while day two was mostly devoted to reports from the kernel security subsystems. We plan to write up much of LSS over the coming weeks; the first installment covers a talk given by SELinux developer Dan Walsh on secure Linux containers. ![['Secure' container]](/images/2012/lss-secure-slide-sm.jpg)
Walsh's opening slide had a picture of a "secure" Linux container (label seen at right)—a plastic "unix ware" storage container—but his talk was a tad more serious. Application sandboxes are becoming more common for isolating general-purpose applications from each other. There are a variety of Linux tools that can be used to create sandboxes, including seccomp, SELinux, the Java virtual machine, and virtualization. The idea behind sandboxing is the age-old concept of "defense in depth". There is another mechanism that can be used to isolate applications: containers. When most people think of containers, they think of LXC, which is a command-line tool created by IBM. But, the Linux kernel knows nothing about containers, per se, and LXC is built atop Linux namespaces. The secure containers project did not use LXC directly; instead it uses libvirt-lxc. ![[Dan Walsh]](/images/2012/lss-walsh-sm.jpg)
Using namespaces, child processes can have an entirely different view of the system than does the parent. Namespaces are not all that new, RHEL5 and Fedora 6 used the pam_namespace to partition logins into "secret" vs. "top secret" for example. The SELinux sandbox also used namespaces and was available in RHEL6 and Fedora 8. More recently, Fedora 17 uses systemd which has PrivateTmp and PrivateNetwork directives for unit files that can be used to give services their own view of /tmp or the network. There are 20-30 services in Fedora 17 that are running with their own /tmp, Walsh said. In addition, Red Hat offers the OpenShift service which allows anyone to have their own Apache webserver for free on Red Hat servers. It is meant to remove the management aspect so that developers can concentrate on developing web applications that can eventually be deployed elsewhere. Since there are many different Apache instances running on the OpenShift servers, sandboxing is used to keep them from interfering with each other. There are several different kinds of namespaces in Linux. The mount namespace gives processes their own view of the filesystem, while the PID namespace gives them their own set of process IDs. The IPC and Network namespaces allow for private views of those resources, and the UTS namespace allows the processes to have their own host and domain names. The UID namespace is another that is not yet available, and one that concerns Walsh because of its intrusiveness. It would give a private set of UIDs, such that UID 0 inside of the namespace is not the same as root outside. Secure Linux containers uses libvirt-lxc to set up namespaces that effectively create containers to hold processes that are isolated from those in other containers. Libvirt-lxc has a C API, but also has bindings for several different higher-level languages. It can set up a container, with a firewall, SELinux type enforcement (TE) and multi-category security (MCS), bind mounts that pass through to the host filesystem, and so on. Once that is done, it can start an init process (systemd in this case) inside the container so that it appears to be almost a full Linux system inside the container. In addition, these containers can be managed using control groups (cgroups) so that no one container can monopolize resources like memory or CPU. But, libvirt-lxc has a complex API that is XML-based. Walsh wanted something simpler, so he created libvirt-sandbox with a key-value based configuration. He intends to replace the SELinux sandbox using libvirt-sandbox, but it is not quite ready for that yet. To make things even easier, Walsh created a Python script that makes it "dirt simple" for an administrator to build a container or set of containers. He said that Red Hat is famous for building "cool tools that no one uses" because they are too complicated, so he set out to make something very simple to use. The tool can be used as follows:
virt-sandbox-service create -C -u httpd.service.apache1
That call will do multiple things under the covers. It creates a systemd
unit file for the container, which means that standard systemd commands can
be used to manage it. In addition, if someone puts a GUI on systemd
someday, administrators can use that to manage their containers, he said.
It also
creates the filesystems for the container. It does not use a full
chroot(), Walsh said, because he wants to be able to share
/usr between containers. For this use case (an Apache web server
container), he wants the individual containers to pick up any updates that
come from doing a yum update on the host.
It also clones the /var and /etc configuration files into its own copy. In a perfect world, the container would bind mount over /etc, but it can't do that, partly because /etc has so many needed configuration files ("/etc is a cesspool of garbage" was his colorful way of describing that). In addition, it allocates a unique SELinux MCS label that restricts the processes inside the container. "Containers are not for security", he said, because root inside the container can always escape, so the container gets wrapped in SELinux to restrict it. Once the container has been created, it can be started with:
virt-sandbox-service start apache1
Similarly, the stop command can terminate the container. One can
also use the connect command to get a shell in the container.
virt-sandbox-service execute -C ifconfig apache1
will run a command in the container. For example, there is no
separate cron running in each of the containers, instead the
execute is used to do things like logrotate from the
host's cron.
The systemd unit file that gets created can start and stop multiple container instances with a single command. Beyond that, using the ReloadPropagatedFrom directive in the unit file will allow an update of the host's apache package to restart all of the servers in the containers. So:
systemctl reload httpd.service
will trigger a reload in all container instances, while:
systemctl start http@.service
will start up all such services (which means all of the defined containers).
This is all recent work, Walsh said. It works "relatively well", but still needs work. There are other use cases for these containers, beyond just the OpenShift-like example he used. For instance, the Fedora project uses Mock to build packages, and Mock runs as root. That means there are some 3000 Fedora packagers who could do "bad stuff" on the build systems, so putting Mock into a secure container would provide better security. Another possibility would be to run customer processes (e.g. Hadoop) on a GlusterFS node. Another service that Walsh has containerized is MySQL, and more are possible. Walsh demonstrated virt-sandbox-service at the end of his talk. He demonstrated some of the differences inside and outside of the container, including a surprising answer to getenforce inside the container. It reports that SELinux is disabled, but that is a lie, he said, to stop various scripts from trying to do SELinux things within the container. In addition, he showed that the eth0 device inside the container did not even appear in the host's ifconfig output (nor, of course, did the host's wlan0 appear in the container). A number of steps have been taken to try to prevent root from breaking out of the container, but there is more to be done. Both mount and mknod will fail inside the container for example. These containers are not as secure as full virtualization, Walsh said, but they are much easier to manage than handling the multiple full operating systems that virtualization requires. For many use cases, secure containers may be the right fit.
Brief items Security quotes of the week
Very unfortunately at 7:43 p.m. Pacific time, the channel was automatically banned in the middle of an acceptance speech by author Neil Gaiman due to “copyright infringement.” This occurred because our 3rd party automated infringement system, Vobile, detected content in the stream that it deemed to be copyrighted. Vobile is a system that rights holders upload their content for review on many video sites around the web. The video clips shown prior to Neil’s speech automatically triggered the 3rd party system at the behest of the copyright holder.
-- Brad
Hunstable explains why Ustream stopped showing the live stream of the
Hugo Awards
Our editorial team and content monitors almost immediately noticed a flood of livid Twitter messages about the ban and attempted to restore the broadcast. Unfortunately, we were not able to lift the ban before the broadcast ended. We had many unhappy viewers as a result, and for that I am truly sorry. As a long-time Firefly, Stargate and Game of Thrones fan among others, I am especially disheartened by this.
Here's an example of what has happened to me (and many other people). I uploaded a video of mine that included a segment of old, definitely public domain material. Shortly thereafter, my entire vid was flagged by YouTube's Content ID. Why? It took some digging to figure out, but it turns out a Content ID partner had uploaded a video of their own that happened to include a section of the same public domain material I had used. This apparently made it look like my video was infringing, since Content ID assumed the section of my vid that matched their vid was in violation. Wrong! But Content ID partners get the assumption of being correct, and there's no way for an average user to assert that something is public domain a priori. I was able to get this reversed by careful explanation on the appropriate forms, but I wonder how many people would just throw up their arms and say, "To hell with it!" and not bother?
-- Lauren
Weinstein
The new Java 0Day examined (The H)Here's an article in The H explaining how the latest (still unpatched, apparently known to Oracle since April) Java vulnerability works. "Oracle has not yet released an official statement concerning the critical vulnerability. At this article's time of publication, the company still offered Java version 7 update 6 to download; like all older series 7 versions, this release is vulnerable to attacks via the vector described above. Users who have a vulnerable version installed on their systems are advised to disable the browser plugin that provides Java support."
Oracle patches critical Java bugs used to commandeer computers (ars technica)Ars technica reports that Oracle has issued an update for critical vulnerabilities in Java. "The vulnerabilities addressed in the update include those designated as CVE-2012-4681. Among those Oracle credited was Adam Gowdiak of Poland-based Security Explorations, who said he alerted Oracle engineers to the vulnerabilities in April. A brief analysis of the patch by the Immunity security firm found that at least two other vulnerabilities are fixed as well. A post on Oracle's security blog said the patch addressed three "distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers." The flaws also included CVE-2012-1682, and CVE-2012-3136."
New vulnerabilities bugzilla: LDAP data injection
fetchmail: denial of service
gimp: multiple vulnerabilities
gnome-keyring: improper caching of passwords/passphrase
jabberd: domain spoofing
java: multiple vulnerabilities
java: multiple vulnerabilities
keystone: multiple vulnerabilities
mariadb: unspecified vulnerability
mesa: code execution
moin: privilege escalation
ocaml-xml-light: denial of service
otrs2: cross-site scripting
qemu-kvm: privilege escalation
quota: bypass TCP Wrappers rules
rtfm: cross-site scripting
tor: multiple vulnerabilities
typo3-src: multiple vulnerabilities
wireshark: multiple vulnerabilities
zabbix: SQL injection
Page editor: Jake Edge |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||