Re: [RFC] Virtualization steps

On Thu, 2006-03-30 at 08:32 -0600, Serge E. Hallyn wrote:
> Frankly I thought, and am still not unconvinced, that containers owned
> by someone other than the system owner would/should never want to load
> their own LSMs, so that this wasn't a problem.  Isolation, as Chris has
> mentioned, would be taken care of by the very nature of namespaces.
> 
> There are of course two alternatives...  First, we might want to allow the
> machine admin to insert per-container/per-namespace LSMs.    To support
> this case, we would need a way for the admin to tag a container some way
> identifying it as being subject to a particular set of security_ops.  
> 
> Second, we might want container admins to insert LSMs.  In addition to
> a straightforward way of tagging subjects/objects with their container,
> we'd need to implement at least permissions for "may insert global LSM",
> "may insert container LSM", and "may not insert any LSM."  This might be
> sufficient if we trust userspace to always create full containers.
> Otherwise we might want to support meta-policy along the lines of "may
> authorize ptrace and mount hooks only", or even "not subject to the
> global inode_permission hook, and may create its own."  (yuck)
> 
> But so much of this depends on how the namespaces/containers end up
> being implemented...

FWIW, SELinux now has a notion of a type hierarchy in its policy, so the
root admin can carve out a portion of the policy space and allow less
privileged admins to then define sub-types that are strictly constrained
by what was allowed to the parent type by the root admin.  This is
handled in userspace, with the policy mediation performed by a userspace
agent (daemon, policy management server), which then becomes the focal
point for all policy loading.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [RFC] Virtualization steps
    • From: Chris Wright <[email protected]>
  • Re: [RFC] Virtualization steps
    • From: "Serge E. Hallyn" <[email protected]>

• References:
  • Re: [RFC] Virtualization steps
    • From: Nick Piggin <[email protected]>
  • Re: [RFC] Virtualization steps
    • From: [email protected] (Eric W. Biederman)
  • Re: [RFC] Virtualization steps
    • From: Sam Vilain <[email protected]>
  • Re: [RFC] Virtualization steps
    • From: Chris Wright <[email protected]>
  • Re: [RFC] Virtualization steps
    • From: Sam Vilain <[email protected]>
  • Re: [RFC] Virtualization steps
    • From: Chris Wright <[email protected]>
  • Re: [RFC] Virtualization steps
    • From: [email protected] (Eric W. Biederman)
  • Re: [RFC] Virtualization steps
    • From: Chris Wright <[email protected]>
  • Re: [RFC] Virtualization steps
    • From: David Lang <[email protected]>
  • Re: [RFC] Virtualization steps
    • From: Chris Wright <[email protected]>
  • Re: [RFC] Virtualization steps
    • From: "Serge E. Hallyn" <[email protected]>

• Prev by Date: Re: Correction: 2.6.16-git12 killed networking -- 3c900 card
• Next by Date: Re: [Patch 3/8] cpu delays
• Previous by thread: Re: [RFC] Virtualization steps
• Next by thread: Re: [RFC] Virtualization steps
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]