sVirt (MAC security for Linux Virtualization), which I’ve previously discussed here, and formally presented at LCA in January, was released today as an integral part of virtualization in Fedora 11.

If you’d like to give it a spin, simply download and install Fedora and use the GUI admin tools to create a new virtual machine.

Thanks again to Dan Walsh, Dan Berrange and all the developers who helped with input and the heavy lifting work of completing the userland code. It still amazes me how fast things move in FOSS.

As mentioned in my last+1 post, Dan W will be talking on this topic at the upcoming LinuxCon.

Further developments in this area are already underway, and you can expect to hear about them in the coming months—see the talk slides for possible hints.

Dan Walsh recently introduced SELinux sandbox. This is a mechanism for launching untrusted applications from the command line, which uses a strict MAC policy to isolate the executed application from the rest of the system. There’s been a good discussion of the topic LWN, and I thought it might be worth highlighting a few points.

Firstly, this sandboxing scheme is not a separate package. It’s an addition to the standard SELinux security policy to define the sandboxed domain (sandbox_t) coupled with a script to set up the environment and launch applications in the sandboxed domain.

The idea for this came out of a few emails following a recent discussion about extending seccomp for more generalized sandboxing. Essentially, the question was asked "what can we do with SELinux and simple sandboxing?", and the result is now available in Fedora development. If you update to the latest policycoreutils and selinux-policy packages, it should simply be there ready to go.

The security policy for the sandbox_t domain is designed to provide the sandboxed application with only the absolute minimum set of permissions required to run. It can load shared libraries, for example, although a future refinement could provide an option to run only static binaries. It cannot interact in an ad-hoc manner with the rest of the system. A scratch tmpfs filesystem may be optionally mounted for the application if required, and unique MCS labels are used to separate sandboxes from each other. Another future refinement will likely include launching sandboxes in private namespaces.


# sandbox id -Z
unconfined_u:unconfined_r:sandbox_t:s0:c226,c674


The above shows how the id command launched via the new sandbox utility is running in the sandbox_t domain, with MCS categories c226 and c674. The values of these don’t matter, as long as they’re unique on the system.

As root (and note that this is not designed to be run as root, but for demonstration purposes it helps to show the confinement of privileges if they exist), you can’t do anything special via sandbox:

# sandbox cat /etc/shadow
/bin/cat: /etc/shadow: Permission denied

# sandbox touch /tmp/moo.txt
/bin/touch: cannot touch `/tmp/moo.txt': Permission denied

In fact, you can’t open any files on the global system.

Ambient authority describes the form of authority commonly seen in general purpose operating systems. This form of authority is what allows, for example, a user on a Linux system to open any file for which she has read access, whether she needs to open the file or not. It is seen as problematic in establishing strong security, due to problems such as The Confused Deputy, where authority (i.e. the ability to perform an action) is arbitrarily escalated throughout the system.

(For a particularly clear explanation of these concepts, they are covered in the first ten minutes of this talk by David Wagner).

When an application is launched via sandbox, with no inessential permissions, as much ambient authority as is possible has been removed by SELinux MAC. Instead, authority is explicitly provided to the sandboxed application via a pipe file descriptor handed to it via the launching process (i.e. the standard Unix scheme of constructing pipelines).

Note carefully the difference between these two commands:

# wc -l /etc/shadow
43 /etc/shadow


and


# cat /etc/shadow | wc -l
43


In the first example, the wc application directly opened the file /etc/shadow for reading. It used ambient authority to do this.

In the second example, wc was handed a file descriptor which was already opened by the calling process, and did not require any ambient authority to read the data in the file: the authority was explicitly tied to the file by the caller, and wc was entirely unaware of which file it was reading. wc in this case does not need any permissions except to access the file descriptor passed by the caller. (It still has ambient authority, however, it just didn’t need to use it here).

Running the above with SELinux sandboxing in effect:


# sandbox wc -l /etc/shadow
/usr/bin/wc: /etc/shadow: Permission denied


and


# cat /etc/shadow | sandbox wc -l
43


Note that wc now has no authority now except as invoked by the calling process and passed via the sandbox. In other words, it does not have ambient authority when invoked via the sandbox.

This is a very simple and powerful concept for security purposes, as it is possible to define strict information flows between applications in a dynamic and controlled manner, without the need for additional global security policy. It’s inherently Unix-y, too.

There are many potential applications of this form of sandboxing, particularly where you need to process information between different security realms (e.g. incoming mail which needs to be passed through a chain of scanning and filtering applications), and for dealing with large and complicated applications processing arbitrary untrusted data.

Keep an eye on Dan’s blog for upcoming work on desktop security with SELinux sandboxing.

Several Linux security events are planned in association with LinuxCon this year in Portland, Oregon.

• 2009 SELinux Developer Summit
  The CFP for this event has just been published. The developer summit will be held on the 20th of September as an ancillary event of LinuxCon. This is a one-day event, and developers are encouraged to submit proposals around the primary topics of extensibility and usability. We’re hoping to have a flexible format this year, perhaps with half a day of talks and then half a day of hack sessions. Note that all attendees need to be registered for LinuxCon, and that earlybird registration ends this Monday, June 1st. Also, please subscribe to the event mailing list if you’re planning to attend, so we can estimate numbers. More details are available at the summit web page.
• Security Microconf
  A security microconf will be held at the co-located Plumbers Conference. The Call for Topics ends on June 15th, and anyone doing interesting work in Linux security should consider submitting a proposal. Also see the LWN topic discussion and Paul McKenney’s recent blog entry on the event.
• LinuxCon Talks
  There are several security-related talks at LinuxCon itself:
  • Paul Moore on NetLabel and a tutorial
  • Dave Quigley on Labeled NFS
  • Gary Smith on disk wiping a supercomputer and a new IDS
  • Dan Walsh on sVirt

  I’ll be giving a LinuxCon talk on adding extended attributes support to NFSv3, presenting a prototype implementation (based on the GPL IRIX code) for discussion. xattrs are a very common feature in Unix and Linux filesystems, but there is no standard for them, nor for conveying them over NFS. NFSv4 supports “named attributes”, although this is based on the Solaris extended attribute scheme (subfiles), and somewhat incompatible the simple name/value string-based xattrs supported by Linux, BSD, IRIX etc. It would be nice to have Linux-style xattrs supported in NFSv3, with the current work then potentially forming the basis for a future NFSv4 protocol extension. If you’re interested in this stuff, please consider attending and helping with the discussion.

The date for the 2009 SELinux Developer Summit has been set for Sunday 20th September, and it will be held as an ancillary event of LinuxCon in Portland.

This is a pre-announcement so that people who are thinking of attending LinuxCon and/or Plumbers Conference can take advantage of the first level of early registration for LinuxCon, which ends June 1st (this Monday).

A full announcement for the SELinux developer summit with a CfP will follow shortly.

p.s. I maintain an Identica (an open Twitter-like service) account for more regular and briefer notes: http://identi.ca/jamesm . You can subscribe via RSS or simply get an account like all the cool kids.

I was shocked today to read of the passing of Anthony Rumble, a true pioneer of Linux, the Internet, and electronic commerce in Australia.

I first met him at an APANA BBQ in 1994, where he handed me my first Linux distribution: Slackware 1.1.2, with the trusty 0.99pl15 kernel.

I subsequently worked with Anthony on the NetXpress project, which he designed, and which was one of the first significant deployments of Linux in a mission critical role in Australia. His work went a long way to proving the capability and viability of Linux for larger businesses—something which is taken for granted today, but certainly was not at the time. And without his efforts to provide public access Internet in Australia in the early 1990s, I likely would have not even used the Internet until several years later when commercial ISPs started offering retail access. I suspect there are many today in the Linux and Internet communities who were similarly influenced and assisted by Anthony.

While I had not seen Anthony for some time, we were good friends and this is very sad news.

I’ve had a talk accepted at the upcoming Kernel Conference Australia (KCA), which will be held in Brisbane in July.

The agenda has just been published, and it certainly looks to be an interesting few days, with a keynote from Jeff Bonwick and Bill Moore, as well as talks by Sherry Moore, Henning Brauer, and Stewart Smith.

I’ll be giving an overview of the security features of the Linux kernel, which have evolved somewhat over the years, without much in the way of documentation. KCA requires a paper (or slides with speaker notes), so I hope to be able to use this opportunity to document the current state of Linux kernel security.

Here’s an excerpt from the abstract I submitted:

The Linux kernel has been extended significantly beyond the traditional Unix security model, incorporating new access control models, cryptographic protection, network packet filtering, credentials management, integrity measurement, privileges (“capabilities”) and memory protection.

The diversity and flexibility of these security components has allowed Linux to meet a very wide range of user security requirements, from the simplest embedded devices through to general user desktops, networked servers, scientific research facilities, financial trading systems, and classified military and government systems.

This talk will provide a technical overview of the main security features of the Linux kernel. We’ll discuss how these features have been developed and made available as standard components of general purpose Linux distributions (often enabled by default), aiming for the broadest possible adoption and benefit to users.

We’ll also look at current developments, such as the effort to add MAC security labeling support to NFSv4, utilizing new hardware security features, and security interoperability with other operating systems.

I’ll also be participating in a security discussion panel.

And suffering the harsh Brisbane winter.

The Call for Proposals for the 2009 Linux Plumbers Conference has been posted. This year, there’ll be a Security Microconference with Paul Moore and myself as the runners.

If you’d like to submit a proposal (or simply attend), please see the initial LWN discussion to see what kind of issues might be up for discussion. These are just starter topics, so also feel free to propose anything else which might be of interest to people involved in security and the Linux ecosystem.

There’s a lot going on in security, and LPC (along with the co-hosted linuxcon) seems like a good opportunity for Linux security folk to get together.

People who don’t follow Australian and/or LinuxChix blog aggregators may have missed Pia Waugh’s announcement yesterday of her new job as an advisor to federal senator Kate Lundy.

I’ve always been impressed with Senator Lundy, who held the record for being the youngest woman from the Labor Party to be elected to parliament, and who seemed to be technically clueful in her previous shadow technology roles. Why she was dropped from the front bench in the new government, and how we ended up with the ploddingly inept Stephen Conroy and his farcical Internet blacklist is something of a mystery to me, but then again, I’m just a simple computer programmer.

Pia is an exceptionally capable person, and also one of those rare truly genuine types. I cannot imagine a more appropriate person for the job. ICT policy in Australia has been a disaster for at least a decade now, and the fact that a senator has been able to recognize and hire someone like Pia as an advisor is cause for real optimism.

Pia will also be breaking ground in Australian politics by maintaining a public presence via her blog and twitter accounts.

Congratulations, Pia!

Here’s an update on some of the main changes to the security subsystem in the 2.6.29 kernel.

Most of the changes for this kernel relate to infrastructure work and maintenance:

• Task Credentials API
  This is a rewrite of the kernel mechanism for managing per-task credentials. David Howells has been working on this for quite some time, significantly in support of his FS-Cache work, which will provide a generalized local caching mechanism for networked filesystems (AFS, NFS, CIFS etc.). There’s a very nice write-up of the new credentials code at LWN.
• Pathname hooks for LSM
  Kentaro Takeda of the TOMOYO project submitted this patch via Al Viro, to provide basic support for pathname-based security schemes.
• Smack support for unlabeled network hosts and networks
  The Smack LSM now allows normal, unlabeled network traffic, although somewhat grudgingly. Paul Moore notes that this is currently buggy for TCP, but that a fix is forthcoming.

There were also numerous smaller bugfixes and enhancements: for further details, see the KernelNewbies summary.

The TOMOYO code will be first to utilize the LSM pathname hooks mentioned above: it’s currently queued for Linus in the 2.6.30 merge window. Also queued for merge is the Integrity Measurement Architecture (IMA) code from IBM.

***

Also, a reminder to people submitting security subsystem patches: please generate them relative to the ‘next’ branch of the security testing tree:

git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

and please CC’ the LSM list on any security-related discussions. Thanks.

I just noticed that there’s a new conference for open source kernel developers and researchers, Kernel Conference Australia (KCA). It’ll be held at UQ in Brisbane in July, and the CfP closes on May 1st.

Linux currently looks a little under-represented, so let’s try and fix that :-)