17:14:57 <smooge> #startmeeting
17:14:57 <zodbot> Meeting started Sat Dec  5 17:14:57 2009 UTC.  The chair is smooge. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:14:57 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
17:15:24 <smooge> Dan Walsh's talk on virtualization
17:15:53 <smooge> He went over what virtualization is and what SELinux is
17:16:16 <smooge> The RHEL-5 xen had an actual attack that went past selinux because of how the policy was written
17:16:46 <smooge> it was written that way due to limitations to deal with direct hardware
17:17:01 <smooge> on getting past that the xen attacks were available.
17:18:29 <smooge> clint savage just came in to say that nothing has been recorded due to bad mike.
17:18:30 <smooge> fixed
17:19:15 <smooge> ok standard virtualization attack:  browser -> local os -> virtualizer -> every virtual system
17:19:29 <smooge> so if you have a cloud system where you have lots of different companies on the clusters..
17:19:42 <smooge> who protects pepsi from looking at coke if they end up on the same box
17:20:15 <smooge> enter selinux with its ability to label things on kvm
17:21:05 <smooge> kvm policy does not trust any qemu processes. it keeps the P-colored sugar water vm from talking to the C-colored sugar water vm
17:21:25 <smooge> mandatory access control puts it down further.
17:22:09 <smooge> libvirt does dynamic labeling through random unused MCS label
17:23:42 <smooge> depending on how the virtual machine is set up... each qemu can only do what it's allowed to (eg unless you have a shared /home on the KVM host you can't get to it from qemu-A)
17:25:36 <smooge> we now go over the MLS labeling (or MCS in RHEL-5) so we can have top-secret and secret on the same box and not talk to each other unless allowed through special rules).
17:26:17 <smooge> except due to a long story (see selinux lists) MCS wasn't really used in RHEL-5.. but it's perfect for libvirt so it gets used finally
17:30:08 <smooge> MCS doesn't work in DOD environments due to rules needing MLS and no relabeling allowed
17:31:30 <smooge> question about security and common criteria rules.
17:32:25 <smooge> MLS environment labels are static with Top_Secret/Secret/Classified
17:34:15 <smooge> kvm asks how it should be labeled.. in an MCS environment it's a random unused label.  in MLS the administrator needs to set up preset rules *British TS talks to Australian S to US something else.
17:34:43 <smooge> future ideas will be to confine a Windows 2003 box to only run as an ISS server
17:36:51 <smooge> question: could selinux look inside the virtual machine? answer: no
17:37:17 <smooge> selinux can see the ports that the virtual machine opens but doesn't know what it's running
17:38:26 <smooge> dan says that he would prefer iptables being the solution on the kvm host, but it can be done through selinux if policy etc needs it (and can be done now)
17:40:21 <smooge> the mcs label is generated off of multiple numbers from 0-1024 but with limits, such that they can't be the same number etc.
17:41:53 <smooge> shows a demo of labeling
17:42:37 <smooge> and is going into sandboxing which is related.
17:42:57 <smooge> sandbox means execing a process, some file descriptors and nothing else
17:43:52 <smooge> Mac OS X offered this last year? as an OS level thing.. which pushed people to ask "hey can we do this in linux"
17:44:20 <smooge> which got Dan to saying sure.. could have done that right now... and wrote sandbox to show it could be done
17:44:59 <smooge> say :  cat /etc/passwd | sandbox grep foo
17:45:22 <smooge> and grep has a problem that somehow causes /etc/passwd to rewrite /dev/sda :)
17:45:44 <smooge> so he got it working and the first question was "How can you do this with acroread?"
17:46:50 <smooge> and so started a long rabbit hole of ways to sandbox acroread, which is basically uncontainable because it needs to talk to dbus, printers, /tmp, home directories, X, fonts etc etc
17:47:33 <smooge> and we got a selinux warning him running a sandbox that was questionable
17:48:08 <smooge> sandbox xterm
17:48:29 <smooge> /usr/bin/xterm Xt error: Can't open display: :0.0
17:49:07 <smooge> add some stuff to get X working and then you get a directory that is mktempd with  bare minimal files to get stuff working
17:50:27 <smooge> you can't look at all the processes, you can't talk with your normal namespace to get to your home directory.
17:50:47 <smooge> then an example of getting acroread/evince to be sandbox'd
17:52:27 <smooge> he only uses sandboxes to look at pdfs now.. it can talk with printers and fonts.
17:53:07 <smooge> there is a blog entry to get it working for you
17:53:24 <smooge> he then went over bugs... like zephyr resize bug
17:54:48 <smooge> each sandbox runs inside its own X server to lock it down further.
17:59:29 <smooge> #endmeeting