
All VMs run as the same user...

Posted Sep 24, 2009 17:44 UTC (Thu) by smoogen (subscriber, #97)
In reply to: All VMs run as the same user... by epa
Parent article: LinuxCon: Secure virtualization with sVirt

I believe (and this is a weak belief from too little research) that most VMs have to run with root privileges at some place in their structure (this is to get use of the hypervisor CPU accelerations). Most of the people I know who are researching 'escapes' usually find the way out of the VM cage is in those areas, thus the breakout has root access already.

The aim with any of the security mechanisms is to limit what that root can do.


All VMs run as the same user...

Posted Sep 25, 2009 11:29 UTC (Fri) by rwmj (subscriber, #5474)

You can chmod 0666 /dev/kvm if you want to run KVM as non-root with hardware acceleration. (I run it like this all the time).

The ability to run KVM processes as non-root is something that is to be added to libvirt in the near future.

All VMs run as the same user...

Posted Sep 25, 2009 20:10 UTC (Fri) by lutchann (✭ supporter ✭, #8872)

In addition to using one UID per KVM instance, use the new native container features in Linux to put each KVM into its own container. With an extremely limited view of the filesystem, namespaced process tables and IPC, an empty capabilities bounding set and appropriate iptables OUTPUT rules, breaking out of the VM into the KVM process does an attacker no good. No SELinux necessary.

With such a setup, the only thing you have to pray for is that there are no vulnerabilities that allow a guest VM to break into the host's ring 0. Unfortunately, such bugs have already been discovered in Xen.

(I can share my C wrapper for containerizing KVM if anybody's interested. Post a followup to this comment and I'll tar it up and post it somewhere.)
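A wrapper along the lines the comment above describes, written here as an added example (not lutchann's code): it clones qemu-kvm into private PID, IPC and mount namespaces, chroots it into a minimal directory, empties the capability bounding set and switches to a per-instance UID before exec. The qemu path, the UID base and the rootfs directory are assumptions, and the host-side iptables OUTPUT rules are left to the administrator.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <linux/capability.h>

#define QEMU_PATH   "/usr/bin/qemu-kvm" /* assumed location of the KVM binary */
#define VM_UID_BASE 60000u              /* assumed: UIDs 60000+ reserved for VMs */

/* One UID per instance: kill(2)/ptrace(2) between VMs fail, and host iptables
   OUTPUT rules can single the process out with "-m owner --uid-owner <uid>". */
uid_t vm_uid(unsigned instance) { return (uid_t)(VM_UID_BASE + instance); }

/* Private PID table, IPC namespace and mount view for the KVM process. */
int vm_clone_flags(void) { return CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWNS | SIGCHLD; }

/* Empty the bounding set so nothing in the container, not even a setuid-root
   binary, can regain privilege. Needs CAP_SETPCAP, so call it while still root. */
int drop_bounding_set(void) {
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == -1 && errno != EINVAL) return -1;
    return 0;
}

struct vm_cfg { unsigned instance; const char *rootfs; char *const *argv; };

static int vm_child(void *arg) {           /* runs inside the new namespaces, as root */
    const struct vm_cfg *cfg = arg;
    uid_t uid = vm_uid(cfg->instance);
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) return 101;
    if (chroot(cfg->rootfs) == -1 || chdir("/") == -1) return 102; /* minimal fs view */
    if (drop_bounding_set() == -1) return 103;
    if (setgroups(0, NULL) == -1 || setgid(uid) == -1 || setuid(uid) == -1) return 104;
    execv(QEMU_PATH, cfg->argv);
    return 105;                                                     /* exec failed */
}

/* Launch qemu-kvm for one instance inside its container; returns its exit status. */
int launch_vm(const struct vm_cfg *cfg) {
    static char stack[256 * 1024];
    int status;
    pid_t pid = clone(vm_child, stack + sizeof stack, vm_clone_flags(), (void *)cfg);
    if (pid == -1 || waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {          /* wrapper <instance> <rootfs> [qemu args...] */
    if (argc < 3 || geteuid() != 0) { fprintf(stderr, "usage (as root): %s <instance> <rootfs> [qemu args]\n", argv[0]); return 2; }
    struct vm_cfg cfg = { (unsigned)atoi(argv[1]), argv[2], argv + 2 };
    argv[2] = (char *)"qemu-kvm";          /* becomes qemu's argv[0]; its own args follow */
    return launch_vm(&cfg);
}
```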

All VMs run as the same user...

Posted Sep 27, 2009 10:22 UTC (Sun) by nix (subscriber, #2304)

That would be extremely interesting, thanks. (I didn't realise the namespaces stuff was at a usable state yet, but I haven't been paying much attention to it.)

All VMs run as the same user...

Posted Sep 25, 2009 20:19 UTC (Fri) by smoogen (subscriber, #97)

Would not those permissions still allow for any process to look at another one through the device?

All VMs run as the same user...

Posted Sep 26, 2009 6:22 UTC (Sat) by Cato (subscriber, #7643)

Worse than that, presumably anyone wanting to write to kernel data structures can just write to /dev/kvm.

All VMs run as the same user...

Posted Sep 26, 2009 7:19 UTC (Sat) by rwmj (subscriber, #5474)

It's a good question. I talked to Gleb and Avi about this a few months back, and I came away with the impression that it was safe. _However_ rereading their responses this morning, I'm now not so sure it provides isolation between users who have VMs on the same system, so I guess I'm going to have to dig into the code and check it myself.

Rich.

All VMs run as the same user...

Posted Sep 26, 2009 9:04 UTC (Sat) by avik (guest, #704)

It's safe. Access to /dev/kvm doesn't give any access to other virtual machines.

Of course, if a process has access to another process (via kill(2) or ptrace(2)) it can affect or access data belonging to that process. So if you run all virtual machines as the same user, you need to further isolate them. I believe sVirt does that with its random SELinux contexts, but I'm no SELinux expert.

All VMs run as the same user...

Posted Sep 26, 2009 10:17 UTC (Sat) by rwmj (subscriber, #5474)

There you have it. Thanks Avi :-)

All VMs run as the same user...

Posted Sep 28, 2009 17:35 UTC (Mon) by danpb (subscriber, #4831)

The ability to run KVM as non-root is already in libvirt. In Fedora 12 all 'qemu:///system' connections run VMs under a dedicated 'qemu' user account, while 'qemu:///session' connections run VMs under the UID of the user using that connection.

Also in Fedora 12, /dev/kvm has mode 0666 out of the box, allowing qemu:///session users to use KVM acceleration.

The libvirt security architecture that deals with sVirt is modular, allowing arbitrary security plugins. The Ubuntu devs have got an impl using AppArmor. It would also be possible to write an impl that ran each VM as a unique user ID.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds