Secure Linux container implementation guide

Lightweight containers, also called Virtual Private Servers (VPS) or jails, are often used to confine an untrusted application or user. As currently constructed, however, lightweight containers do not provide sufficient security guarantees. By reinforcing these containers with an SELinux or Smack policy, you can implement a more secure container in Linux. This article describes how to use a Linux security module to protect such a container. The SELinux and Smack policies are still under development, and their communities help to improve them continually.

When people first hear about containers, their first reaction is usually "how do I create a secure container?". This article addresses that question by using Linux Security Modules (LSM) to strengthen container security; specifically, it shows how to set security goals and meet them with the Smack and SELinux security modules. For background on Linux containers, read "LXC: Linux container tools" (developerWorks, February 2009).

A Linux container is built from several conceptual pieces of Linux technology. Resource namespaces let the container see its own processes, files, SYSV IPC resources, network interfaces and so on. Control groups (cgroups) let you place limits on the container's resource usage. Capability bounding sets limit the privileges a container can exercise. These technologies must be used together in a coordinated way to realize the vision of a container. Two projects provide this functionality. Libvirt is a large project that can create virtual machines using the Xen hypervisor, the QEMU emulator, KVM and even lightweight containers. Liblxc is a small library and collection of user-space commands whose purpose is to help kernel developers test container functionality quickly and easily. Because "LXC: Linux container tools" was written around liblxc, I continue to use liblxc here, but the containers built here could just as easily be used with libvirt's container support.

Main element 1: LSM

Before you begin, if you are not familiar with LSM, here is a quick overview. According to the Wikipedia definition: Linux Security Modules (LSM) is a framework that allows the Linux kernel to support a variety of computer security models while avoiding dependence on any single security implementation. The framework is licensed under the terms of the GNU General Public License and has been a standard part of the Linux kernel since Linux 2.6. LSM was designed to provide everything needed to implement a mandatory access control module while making as few changes to the Linux kernel as possible. LSM avoids the system-call interposition approach used by Systrace, because that approach does not scale to multiple processor cores and is vulnerable to TOCTTOU (time-of-check-to-time-of-use race) attacks. Instead, LSM inserts "hooks" (upcalls to the module) at the points in the kernel where a user-level system call is about to access an important internal kernel object, such as an inode or a task control block. The project is narrowly scoped to solving the access control problem while avoiding a large, complex set of changes to the mainstream kernel. It is not intended to be a general "hook" or "upcall" mechanism, nor does it support virtualization.

LSM's access control goal is closely related to, but distinct from, the problem of system auditing. Auditing requires that every access attempt be recorded. LSM does not solve this problem, because doing so would require many more hooks to detect the places where the kernel "short-circuits" a failing system call and returns an error code before ever reaching the important object.

System security involves two somewhat conflicting goals. The first is complete, fine-grained access control: there must be control at every location where information could leak or be damaged, because control that is too coarse-grained is no control at all. For example, if all files must be classified as a single type and any one of those files is open, then all files are open. On the other hand, the configuration must be simple, because an administrator who has to manage a great many access rules will end up with the same thing as no control. For example, if making a program work correctly requires a large number of access rules, the administrator will simply grant the program many accesses instead of testing whether each of those accesses is necessary. The two basic security modules in Linux use different approaches to balance this tension. SELinux first implements control over everything, and then uses a powerful policy language to simplify policy management. Smack mainly provides simple access control.

Main element 2: SELinux

By far, SELinux is the best-known mandatory access control (MAC) system for Linux. Although it still has detractors, the popular Fedora distribution has shipped with SELinux deployed for several years now, which is strong proof of its success. SELinux is configured using a modular policy language, so users can easily update the installed policy. The language also provides interfaces, which allow a set of low-level statements to be expressed as a single higher-level statement. In this article we will use a new interface to define a container. Although the many accesses a container needs make the interface itself quite large, creating a new container with the interface is very simple. This interface is a promising candidate for becoming a core part of the released policy.

Main element 3: Smack

Smack is the Simplified Mandatory Access Control Kernel. It begins by marking every process, file and unit of network traffic with a simple text label. A new file is created with the label of the process that creates it. There are usually some clearly defined default access rules; in particular, a process can normally read and write objects that carry the same label as itself. Bypassing Smack's access rules is controlled by POSIX capabilities: a task with CAP_MAC_OVERRIDE can override the rules, and a task with CAP_MAC_ADMIN can change rules and labels. "POSIX file capabilities: Parceling the power of root" (see the references) demonstrates these privileges.
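To make the Smack description above concrete, here is an added example, written for this page and not taken from the article or from the Smack kernel code: a small Python model of a Smack-style access decision. It implements what the page states (labels on subjects and objects, same-label read/write by default, a loaded rule set granting further access, and CAP_MAC_OVERRIDE bypassing the rules) and goes one step beyond the page by also modelling the built-in handling of the special labels "_" (floor), "*" (star) and "^" (hat) as documented for the Smack kernel module. The labels "web", "db", "logs", the rule line and the Task objects are constructed for the demonstration.

```python
"""
Added example (not from the original article or from the Smack kernel code):
a Python model of how a Smack-style access decision is made.

Rules taken from the page: same-label access is allowed, a loaded rule set
grants extra access, CAP_MAC_OVERRIDE bypasses the rules.  The treatment of
the special labels "_", "*" and "^" follows the kernel's Smack documentation.
All labels, rules and tasks below are constructed sample data.
"""
from dataclasses import dataclass, field

# Access modes as they appear in a Smack rule line: "subject object rwxa"
READ, WRITE, EXEC, APPEND = "r", "w", "x", "a"

FLOOR, STAR, HAT = "_", "*", "^"   # special labels with built-in semantics


@dataclass
class Task:
    label: str
    capabilities: set = field(default_factory=set)   # e.g. {"CAP_MAC_OVERRIDE"}


@dataclass
class SmackPolicy:
    # (subject label, object label) -> set of permitted modes
    rules: dict = field(default_factory=dict)

    def load_rule(self, line: str) -> None:
        """Parse one 'subject object modes' line in Smack's rule format."""
        subject, obj, modes = line.split()
        self.rules[(subject, obj)] = set(modes) - {"-"}

    def allowed(self, task: Task, object_label: str, mode: str) -> bool:
        """Decide a single access mode, following Smack's documented order."""
        # A task holding CAP_MAC_OVERRIDE is not subject to the rules at all.
        if "CAP_MAC_OVERRIDE" in task.capabilities:
            return True
        # A task labelled "*" is denied every access.
        if task.label == STAR:
            return False
        # Any access to an object labelled "*" is allowed.
        if object_label == STAR:
            return True
        # A task labelled "^" may read or execute anything.
        if task.label == HAT and mode in (READ, EXEC):
            return True
        # Anything may read or execute an object labelled "_".
        if object_label == FLOOR and mode in (READ, EXEC):
            return True
        # Same label: full access (the default the page describes).
        if task.label == object_label:
            return True
        # Otherwise only an explicitly loaded rule can grant the access.
        return mode in self.rules.get((task.label, object_label), set())

    def check(self, task: Task, object_label: str, modes: str) -> bool:
        """Every requested mode must be allowed, as for an open() with several flags."""
        return all(self.allowed(task, object_label, m) for m in modes)


def new_file_label(creator: Task) -> str:
    """A new file inherits the label of the process that created it."""
    return creator.label


def demo() -> dict:
    """Run a set of constructed access requests and return the decisions."""
    policy = SmackPolicy()
    # Constructed rule: the "web" container may only read "logs" objects.
    policy.load_rule("web logs r---")
    web = Task("web")
    db = Task("db")
    admin = Task("root", {"CAP_MAC_OVERRIDE"})
    return {
        "web reads own file": policy.check(web, new_file_label(web), "rw"),
        "web reads logs": policy.check(web, "logs", "r"),
        "web writes logs": policy.check(web, "logs", "w"),
        "web reads db file": policy.check(web, new_file_label(db), "r"),
        "web reads floor": policy.check(web, FLOOR, "rx"),
        "web writes floor": policy.check(web, FLOOR, "w"),
        "override writes db": policy.check(admin, "db", "rwx"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'allowed' if ok else 'DENIED'}")
```

The model shows why a container label alone already isolates two containers: "web" cannot read a file created by "db" unless an administrator with CAP_MAC_ADMIN loads a rule saying so, and a task holding CAP_MAC_OVERRIDE escapes the rules entirely, which is why that capability should be dropped from a container's bounding set.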