[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [Qemu-devel] [RFC] Adding new filesystem 'proxy' to 9p



"Daniel P. Berrange" <berrange redhat com> writes:

> On Thu, Sep 29, 2011 at 11:42:47PM +0530, M. Mohan Kumar wrote:
>> On Wednesday, September 28, 2011 08:29:06 PM Daniel P. Berrange wrote:
[...]
>> > If we assume that QEMU gets exploited, and that QEMU can find some flaw
>> > in the proxy_helper that it can exploit, what damage can the proxy_helper
>> > do ?  Clearly we want it to not be able to read/write any files other
>> > than those exported, even when it becomes compromised, ideally also
>> > without requiring SELinux/AppArmour to make it safe. If proxy_helper
>> > is running as root with full capabilities, it can trivially escape
>> > the chroot[1], so this isn't all that nice for overall system security.
>>
>> When proxy helper process is forked, its made sure that all open file 
>> descriptor are closed except the socket descriptor, so that proxy helper can't 
>> escape chroot jail.
>
> Unfortunately that is not sufficient. Even if you have closed all
> file descriptors except the socket, you can still escape the chroot
> jail. There is a nice demo program for escaping from a chroot on
> this webpage:
>
>   http://www.bpfh.net/simes/computing/chroot-break.html
[...]
> Basically if the process inside the chroot, is still running as
> root, then it is not securely contained.

As Alan Cox observed, "chroot is not and never has been a security
tool."  It's a tool to configure the root of absolute path names.

[...]


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]