Jay Greguske jgregusk at
Tue Sep 3 14:10:32 UTC 2013

On 09/02/2013 04:29 AM, Miroslav Suchý wrote:
> On 08/30/2013 10:01 PM, Jay Greguske wrote:
>> I'd like to see some elaboration on why VMs instead of chroots would be
>> required. I can draw my own conclusions (security) but I'd like to see
>> them listed out first before continuing the discussion.
> Koji builder has somewhere stored certificate. This certificate
> authorize him to Koji hub.
> Whoever has this certificate can act as Koji builder.
> Koji builder builds using mock, which means in chroot. There are known
> some exploits, which allows you to run out of chroots.
> Now imagine evil package, which will run out chroot, read that
> certificate and deliver it to attacker.
> He now can build evil builder and start building modified packages.
> While there are known exploits to affect host machine of VM, it is
> definitely harder than running out of chroot.

If we had SELinux policy enabled on the builders and used MLS on the
chroots that would mitigate chroot-to-chroot attacks. I'm not sure if
policy could prevent a chroot'ed process from getting access to the
builder's certificate. If it could, I think getting SELinux working on
the builders would be an easier path than re-writing koji to use VMs.

Maybe someone with more expertise could comment on the latter issue.

- Jay

More information about the devel mailing list