Nano HOWTO: Getting started with libvirt hacking

How to build libvirt from git on Fedora:

mkdir ~/rpmbuild

(cd ~/rpmbuild && mkdir BUILD BUILDROOT RPMS SOURCES SPECS SRPMS)

git clone git://git.et.redhat.com/libvirt.git

cd libvirt

git checkout -b mystuff

export AUTOBUILD_INSTALL_ROOT=$HOME/builder

./autobuild.sh

The above will clone the tree, checkout a branch to hack on, build and test the code, then generate source and binary RPMS. You’ll also be set then to do local manual builds.

Thanks to danpb for clues.

OLS Slides + Macbook fail

Here are the slides from my OLS talk, although the paper is way more useful.

For those who attended Dan Walsh’s talk on confining the user, you can find the slides here. Quite a few people expressed interest in them during the talk, and Dan sent them to me for some reason, so there you go.

***

Btw, my MacBook seems to never work with projectors (thanks to Paul Moore for lending me his laptop for the talk). It’s relatively recent and has the following graphics stuff:

00:02.0 VGA compatible controller: Intel Corporation Mobile 945GM/GMS, 943/940GML Express Integrated Graphics Controller (rev 03)
00:02.1 Display controller: Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller (rev 03)

Nothing seems to work: rebooting with the cable attached (VGA text mode works, but not X), exhaustive messing about with xrandr, hitting the laptop with a hammer etc. Does anyone know something else I can try?

Notes from the SELinux Developer Summit 2008

The SELinux Developer Summit went pretty well yesterday. It was a long day: 10 hours of talks and discussions with about forty developers attending.

I’ve just uploaded slides from the talks, which may be found next to their respective entries in the schedule.

Some of the talks I found particularly useful/interesting:

  • Josh Brindle on SELinux in Ubuntu. They’re making good progress, although the idea of SELinux is to introduce ubiquitous, generalized MAC security, so he is advocating they enable SELinux by default as is done in Fedora, and as you typically do with other OS security layers.
  • John Weeks from Sun talking about OpenSolaris FMAC (introducing Flask/TE to their OS). It was interesting to see a dtrace graph of the AVC operating—a kernel mechanism for which I’ve developed an abstract mental model but never “seen”.
  • Dan Walsh Talking about his ongoing work in utilizing SELinux to create practical security features for everyday users.

    xspy

    The above is from a demonstration where nsplugin (the framework for Firefox plugins, i.e. where flash etc. is run) is being sandboxed by SELinux, so that a flawed or malicious plugin cannot be used to snoop your keystrokes. In this case, a simulated (and trivial) exploit was blocked from capturing internet banking passwords by SELinux.

    Btw, Dan will be demonstrating this today during his OLS talk on Confining the User. There’s a lot of really cool stuff coming in this area & the talk should be well worth attending.

  • Karl MacMillan on alternatives to comprehensive least-privilege, where he described some ideas and plans for simplifying the way SELinux policy is deployed for general purpose use. He has some really promising ideas on reducing the granularity of the policy while still maintaining strong security. This can lead to simpler and smaller policy, which is important for all kinds of users.
  • Peter White talked about two higher-level languages being developed to express SELinux policy, Lobster and Shrimp, which will introduce features such as type checking and object orientation to the policy language area. Peter is a Haskell guy, and it all looks very promising.

***

Yuichi Nakamura

Yuichi Nakamura talking about embedded systems and SELinux.


The format worked reasonably well—a series of short talks and discussions—although it would have been nicer to have a more relaxed schedule and more time for deep discussions on specific issues. There’s already been discussion of what to do next year, and we may move it to a two-day event. Certainly, I think we’ll want to have it again in conjunction with a major developer conference, which makes it a good environment for collaboration with the wider FOSS community.

For those that couldn’t make it this year, I believe notes were taken and will be sent out to the mailing list. There are more photos here.

Have You Driven an SELinux Lately?

My OLS paper,

Have You Driven an SELinux Lately?

may now be downloaded as a single document, or as part of the conference proceedings.

The paper is a detailed update on the SELinux project, covering important changes to SELinux in the past few years. After the initial upstream kernel merge—which took three years and required LSM to be developed—the project proceeded rapidly in terms of integration into mainstream Linux distributions, as well as having its internal infrastructure overhauled to allow major improvements to both function and usability. A great deal has changed since many people first saw SELinux.

I’d recommend reading the paper if you want to come up to speed on where things are at in the project, and where things are headed.

I’ll be giving a talk on the paper at OLS this Thursday. It’s certainly a challenge trying to keep the talk length below 45 minutes without leaving something significant out. For some reason, my talks tend to self-adjust to about 90 minutes, and I always need to work to shorten them.

As a reminder, the SELinux Developer Summit is on Tuesday, and it will be held at the Ottawa Novotel from 8:30am.

Btw, I noticed Linux being used at Sydney Airport on the way over:

Linux @ Sydney Airport

Ubuntu 6.02, I believe 6.06.2.

FOSS Conference Observations

Andrew Morton’s slides from the LF Japan Symposium are now here (PDF), along with the rest of the presentations (scroll down). No video as yet, it seems.

I microblogged this at the time, but it’s worth mentioning here that 15% of kernel contributions are now coming from Japan, as also noted at the LF blog. (I’m not sure if the media has picked up on this yet, but it was also announced at the Symposium that the 2009 Kernel Summit will be held in Tokyo).

Recently, Michael Chen from Red Hat was quoted in an interview that India is the third largest contributor to Fedora. That’s “following North America and Europe”, so I don’t know what the per-country rankings are, but India may be doing even better in that respect.

It’s probably impossible to say precisely what’s driving these increasing global levels of FOSS contributions, but my impressions are that in these cases, at least, that conferences such as FOSS.IN and the LF symposia are having very significant effects.

It was also most likely similarly the case in Australia in 1999 with the introduction of CALU (which evolved into LCA), that local FOSS efforts were greatly stimulated by holding a technical conference which attracted a combination of leading international and local contributors. It was certainly a major factor in my own subsequent involvement in kernel hacking (which was at the time very sporadic, but became vastly more focused after meeting & seeing the likes of Dave Miller, Rusty and Tridge).

It’s interesting to compare how this works differently in different regions. India and Australia developed their own grassroots conferences, while Japan (and recently China) have developed conferences based around industry consortia. Whether this is cultural or a sign of the times is unclear, but it seems the ultimate effect is basically the same. More people contributing—not just code—to the community process.

A comment made by Toshiharu Harada during his genuinely entertaining TOMOYO talk was particularly interesting:

Merging TOMOYO Linux started as our mission, but now they are our personal goals.

While FOSS has become increasingly mainstream, it seems that the underlying dynamics of the community also remain the same, in terms of people fulfilling personal goals (technical, social, economic), as well as those of their employers.

SELinux and Security in the 2.6.26 Kernel

What’s new and exciting with SELinux and security in the new 2.6.26 kernel? Expanding some of the items from the excellent Kernel Newbies 2.6.26 page:

  • security= boot parameter
    This patch by Ahmed Darwish allows a particular security module to be selected at kernel boot time, so that distributions can ship multiple security modules and allow the user to decide which one (if any) to enable. For example: security=selinux selects SELinux, while security=smack selects SMACK. (In Fedora, you don’t need to do anything: SELinux is the default).
  • New SELinux open permission
    Until now, opening a file under SELinux invoked the same permission checks as the intended operation on the file, such as read, write, execute and append. There was no separate “open” check: opening a file for write, for example, was considered by SELinux policy as equivalent to actually writing to the file. Experience has shown that this approach is not ideal for handling cases such as IO redirection via the shell, because policy writers cannot usefully guess where users will send redirected output. This is a very common use-case for Linux, so a solution is most definitely necessary, while also preserving strong security. Can it be done? Yes!

    Implemented by Eric Paris, the new open permission provides a way to address the issue by providing applications with liberal access to read/write/execute/append permissions but tightly locking down the ability to open a file. In the case of redirecting output via the shell:

    bash# /sbin/do-stuff > /tmp/output

    the shell forks and creates /tmp/output, calls dup2(2) to replace stdin with the newly created file descriptor, then execs do-stuff. With the old permissions, do-stuff would have required an SELinux write permission on the new file, which it very likely would not have had. By providing do-stuff with liberal file access permissions, but not the new open permission, its output may now be redirected to the file without needing to give it the ability to directly open the file. The invoking shell of course needs the open permission, which it effectively delegates to do-stuff via the open file descriptor.

    Updated security policy which utilizes this technique should be available soon in rawhide, and integrated into Fedora 10, providing significant usability improvements for sysadmins and power users.

  • Permissive Types
    Also implemented by Eric, permissive types (aka permissive domains) allows permissive mode to be selected on the fly on a per-domain basis. Permissive mode is where security policy is being checked and logged, but not actually enforced, and was previously only possible on a system-wide basis. By making this per-domain, applications which are experiencing SELinux policy issues may be flipped into permissive mode, allowing them to do what they need until a proper fix is available, without disabling policy enforcement for the rest of the system.

  • Network Port SID Cache
    Paul Moore implemented a cache to improve the performance of the SELinux networking code, so that network port labels are no longer looked up in the (typically large) kernel policy database on a per-packet basis, and is instead retrieved from an RCU-based cache. This addresses a long standing network performance issue which has been observed with very high loads on network servers.

There’s quite a lot happening in security for 2.6.27, some of which has already been merged into Linus’ tree. Due to the pervasive nature of some of the patches (including David Howells’ credentials rework), I’m feeding all of the SELinux stuff via my security-testing tree. The “devel” branch is where bleeding edge changes are initially stabilized before being applied to the “next” branch, which is in turn fed into to linux-next.

Linux Foundation Japan Symposium Notes

I presented on the SELinux project today at the Linux Foundation Japan Symposium in Tokyo. The slides from my talk may be downloaded here.

It’s been an interesting conference, with some smaller BoF sessions planned for tomorrow. I live micro-blogged the conference via my identi.ca account, which I guess turned out as a kind of public note-taking.

img_5474

Andrew Morton covered quite a lot of interesting kernel process material, highlighting some areas which we need to address (such as whether we’re ready at all to support solid state disks), and explaining his view of the linux-next tree, one unpublished purpose of which was to get kernel hackers to test each others code before upstream merge. He also said that around 15% of kernel contributions are now coming from Japan.


Fedora 9 DVDs and Live CDs

Greg DeKoenigsberg kindly shipped a pile of Fedora DVDs and Live CDs across to give to the attendees. The CDs & DVDs proved very popular and were all distributed.

More photos here.

Security is hard, let’s go shopping

I’ll be giving a talk on the SELinux project at the next Linux Foundation Symposium in Japan, to be held 9th and 10th of July. Details of the symposium are here in Japanese, while a PDF schedule in English lives here.

From the abstract for my talk:

This talk will provide an overview of the project, covering its rationale, design goals, and milestones. Recent significant developments and ongoing work will be discussed. The aim of the talk is to help the audience better understand SELinux and how it might be utilized to implement a diverse range of security goals.

A specific topic I’d like to cover at some level is expectations. There’s no silver bullet for security, and likely never will be, unless perhaps the OS is redesigned from scratch with all applications coded in a security-aware language, and people totally change the way they use computers.

The concept—endlessly proposed by snake-oil merchants—that security can be dramatically improved without any disruption to the user experience, is unrealistic. A practical approach will involve attempting to avoid disruption as much as possible, and to find optimal ways of handling difficult cases. It will not pretend there is no complexity.

As an analogy, consider network firewalling, where you are able to obtain an increased level of protection against several common threats by configuring a packet filter to only allow expected traffic. This may break some previously common use-cases, such as ad-hoc deployment of new network services, unless the user learns how to reconfigure the packet filter. Even with a high-level GUI tool, some fundamental understanding of networking and security is still required for the user to be able to make informed use of the tool.

There is very little history of significant adoption of improved security without a change to the user experience. Even in what may be the most successful case—the migration from telnet and R commands to SSH—people had to gain new knowledge, master new skills, and change their behaviour. Even with the relative simplicity of SSH and ubiquitous availability of implementations, there are still mission critical systems using telnet over unprotected networks, which should surprise nobody working in the real world. Before sighing wearily, consider how so many smart people can still get it so wrong.

Security is hard. Real improvements only come with continuous effort and innovation, where innovation is not just “inventing” but also transforming the practice of a community. It does not happen overnight, nor even overyear. Recall the various iterations of packet filtering in Linux prior to the integration of Netfilter in the 2.4 kernel, along with the R&D effort around firewalls before Linux even existed. It seems to me that it takes around a decade for substantial change to occur, including the changes to both the technology and the culture.

There may not be the time to dive too deeply into this topic during the talk itself, although I’m sure there’ll be plenty of opportunities for conversations during the always important hallway and after-hours sake tracks.

Also speaking:

  • Thomas Gleixner on the Completely Fair Scheduler
  • Paul Moore on Labeled Networking
  • Toshiharu Harada on the experience of trying to get TOMOYO upstreamed
  • Andrew Morton (tentatively) on kernel stuff

There are BoF sessions on the second day covering security, the kernel scheduler and general kernel discussion.

After that, I’ll be back in Sydney for a few days before flying to Ottawa for OLS and the SELinux developer summit.

Tumbleblog

I’ve set up a tumbleblog here:

http://jamesmorris.tumblr.com/

essentially as a kind of public bookmarking of things which I find interesting, without much in the way of commentary (if any).

If you want to follow it, grab the rss feed. The topics will likely vary beyond the typically work-related stuff I post here, although still somewhat geeky & security-ish. I’d suggest not adding the feed to public blog aggregation sites.