Presentation is loading. Please wait.

Presentation is loading. Please wait.

Making the LSM available to containers FOSDEM18

Published byAshlie Letitia Tucker Modified over 5 years ago

Similar presentations

Presentation on theme: "Making the LSM available to containers FOSDEM18"— Presentation transcript:

1 Making the LSM available to containers FOSDEM18
Presentation by John Johansen February 2018

2 Linux Security Modules (LSM)
Provide Security - Often MAC but not necessarily Kernel provides security Hooks Security field in various objects selinux, smack, apparmor, tomoyo, IMA/EVM, loadpin, yama proposed: LSMs: LandLock, CaitSith, Checmate, HardChroot, PTAGS, SimpleFlow, SafeName, WhiteEgret, shebang, S.A.R.A. - what is the LSM - an infrastructure to provide security in linux - lots of none MAC LSMs

3 The LSM is not namespaced And doesn’t want to be
Problem The LSM is not namespaced And doesn’t want to be Container gets system LSM System Container - can’t change LSM - can’t change policy/rules - effectively boot no LSM App Container - can’t carry an LSM policy - eg. snappy fedora/RHEL – selinux ubuntu/suse - apparmor

4 The LSM is not namespaced and doesn’t want to be
Problem The LSM is not namespaced and doesn’t want to be - at least not in the traditional sense - its keeping the system safe by restricting what the container can do to the system - not every LSM has the same reqs system vs. app confinement… - container system must work with it - any “namespacing” must apply system rules

5 Have multiple LSMs enforcing at the same time
LSM Stacking Have multiple LSMs enforcing at the same time So how do we fix - Seems simple enough

6 Have multiple LSMs enforcing at the same time
LSM Stacking Have multiple LSMs enforcing at the same time Minor LSM stacking merge in 4.2 And the kernel already supports stacking! - limitations only 1 major LSM - major = store state in security blob Can have - selinux + yama Or - smack + yama - apparmor + yama But not Selinux and Smack ...

7 Have multiple LSMs enforcing at the same time
LSM Stacking Have multiple LSMs enforcing at the same time Minor LSM stacking merge in 4.2 Major LSM stacking Move security blob management into the infrastructure Casey Schaufler has been working on improving stacking - move security blobs into the infrastructure - get rid of the major/minor distinction

8 Problem Its not that simple Container gets system LSM System Container
- can’t change LSM - can’t change policy/rules - effectively boot no LSM App Container - can’t carry an LSM policy - eg. snappy fedora/RHEL – selinux ubuntu/suse - apparmor

9 Kernel infrastructure not designed for sharing
More Problems Kernel infrastructure not designed for sharing LSM infrastructure isn’t the only problem

10 Virtualize – per task default LSM
More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Fix Virtualize – per task default LSM - each task gets marked with a default LSM, to virtualize legacy interfaces - inherited from parent

11 Kernel infrastructure not designed for sharing
More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Fix Virtualize – per task default LSM Interface to set default LSM - add interface to control default LSM - also

12 Kernel infrastructure not designed for sharing
More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Fix Virtualize – per task default LSM Interface to set default LSM New versions of interfaces /proc/pid/attr/apparmor/* /proc/pid/attr/smack/* - new versions of interfaces - tools and libs need to be updated to use them -libapparmor -libselinux - ps -Z

13 Kernel infrastructure not designed for sharing
More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Networking secids Fix Virtualize – per task default LSM Interface to set default LSM New versions of interfaces /proc/pid/attr/apparmor/* /proc/pid/attr/smack/* Dynamically compose & remap - Networking area of active development/refinement - 32 bit number to carry security info – network subsystem – audit subsystem. – global – part of some LSMs policy (# exposed to userspace) – can’t get a pointer LSM infrastructure dynamically - remap and compose - system number → per LSM module number LIFE TIME issue

14 Kernel infrastructure not designed for sharing
More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Networking secids secmark Fix Virtualize – per task default LSM Interface to set default LSM New versions of interfaces /proc/pid/attr/apparmor/* /proc/pid/attr/smack/* Dynamically compose & remap Extend to support multiple LSMs - secmarks visible to iptables - secmark can only carry 1 LSM type - need to support stack of types - need to define what rules should be

15 Kernel infrastructure not designed for sharing
More Problems Kernel infrastructure not designed for sharing Problem Userspace Interfaces /proc/pid/attr/* SO_PEERSEC Networking secids secmark Netlabel cipso/calypso/xfrm Fix Virtualize – per task default LSM Interface to set default LSM New versions of interfaces /proc/pid/attr/apparmor/* /proc/pid/attr/smack/* Dynamically compose & remap Extend to support multiple LSMs ? - not designed for this - may have to be limited to one LSM - or only if all LSMs request the same label

16 LSM stacking is not namespacing
But... LSM stacking is not namespacing - LSM stacking designed to support multiple LSMs on host system - not how containers want to use it

17 Current Situation with Stacking
apparmor container selinux smack - all LSMs in use need to be set at boot - containers still don’t get to set their LSM - eg. fedora or policy in the container

18 Even Worse - LSMs aren’t namespaced yet
IMA Discussing namespacing Patch to ns IMA audit Smack patches to label namespaces Per process rules SeLinux Discussing/Designing namespacing Patches to refactor/remove global state Audit wip to support namespaces Layering issues AppArmor Policy namespaces Virtualized interfaces Internal stacking - LSMs aren’t namespaced yet - the exception is apparmor within limits - namespacing issues - LXD can do apparmor system within apparmor system without LSM stacking patches

19 More Infastructure Problems
LSM needs to be update Security blob for namespaces New hooks around interfaces Attributes (ie. xattrs) need to be namespaced Interface to setup an LSM namespace No consensus on what it means to be a container LSM infrastructure isn’t the only problem

20 Leveraging LSM stacking
Remember the Default LSM?

21 Leveraging LSM stacking
Remember the Default LSM? LSM stacking can call a Module multiple times extend to per task LSM namespace is a visible subset of stack module that needs to be setup from boot, can be hidden revealed only when added to stack Needs an interface Container Needs to setup the LSM namespace Additional LSM specific setup labeling mounts that are mapped in - namespacing the LSM can be done as a thin veneer

22 Casey Schaufler – LSM Stacking
Special thanks Casey Schaufler – LSM Stacking AppArmor team IMA team Smack team Selinux team LXD team - this isn’t just the work of one individual - Casey for persistences

23 Questions please Thank you
stacking stacking John Johansen

Download ppt "Making the LSM available to containers FOSDEM18"

Similar presentations

The Simplified Mandatory Access Control Kernel

The Simplified Mandatory Access Control Kernel
Lightweight virtual system mechanism Gao feng

Lightweight virtual system mechanism Gao feng
Performance Evaluation of Open Virtual Routers M.Siraj Rathore

Performance Evaluation of Open Virtual Routers M.Siraj Rathore
Ethernet and switches selected topics 1. Agenda Scaling ethernet infrastructure VLANs 2.

Ethernet and switches selected topics 1. Agenda Scaling ethernet infrastructure VLANs 2.
Chapter 9 Building a Secure Operating System for Linux.

Chapter 9 Building a Secure Operating System for Linux.
Q and A, Ch. 21 IS333, Spring 2015 Victor Norman.

Q and A, Ch. 21 IS333, Spring 2015 Victor Norman.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.
Troubleshooting Guide for Network Hard Disk. Model - NH-200.

Troubleshooting Guide for Network Hard Disk. Model - NH-200.
Secure Operating Systems

Secure Operating Systems
SELinux US/Fedora/13/html/Security-Enhanced_Linux/

SELinux US/Fedora/13/html/Security-Enhanced_Linux/
Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:

Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.

1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
Design and Implementation of a Multi-Channel Multi-Interface Network Chandrakanth Chereddi Pradeep Kyasanur Nitin H. Vaidya University of Illinois at Urbana-Champaign.

Design and Implementation of a Multi-Channel Multi-Interface Network Chandrakanth Chereddi Pradeep Kyasanur Nitin H. Vaidya University of Illinois at Urbana-Champaign.
…using Git/Tortoise Git

…using Git/Tortoise Git
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
Android Security Model that Provide a Base Operating System Presented: Hayder Abdulhameed.

Android Security Model that Provide a Base Operating System Presented: Hayder Abdulhameed.
Example: object diagram for Scheduler, v0.0.0. What is wrong with this diagram? Seems like a lot of similarity between Task and UnplannedTask Can use.

Example: object diagram for Scheduler, v What is wrong with this diagram? Seems like a lot of similarity between Task and UnplannedTask Can use.
® A Proposed UML Profile For EXPRESS David Price Seattle ISO STEP Meeting October 2004.

® A Proposed UML Profile For EXPRESS David Price Seattle ISO STEP Meeting October 2004.
David Orchard W3C Lead BEA Systems Web service and XML Extensibility and Versioning.

David Orchard W3C Lead BEA Systems Web service and XML Extensibility and Versioning.

Similar presentations

Ads by Google