COPR

[Jay Greguske]

On 09/03/2013 11:48 AM, Peter Robinson wrote:
> On Tue, Sep 3, 2013 at 3:10 PM, Jay Greguske <jgregusk at redhat.com
> <mailto:jgregusk at redhat.com>> wrote:
> 
>     On 09/02/2013 04:29 AM, Miroslav Suchý wrote:
>     > On 08/30/2013 10:01 PM, Jay Greguske wrote:
>     >> I'd like to see some elaboration on why VMs instead of chroots
>     would be
>     >> required. I can draw my own conclusions (security) but I'd like
>     to see
>     >> them listed out first before continuing the discussion.
>     >
>     > Koji builder has somewhere stored certificate. This certificate
>     > authorize him to Koji hub.
>     > Whoever has this certificate can act as Koji builder.
>     > Koji builder builds using mock, which means in chroot. There are known
>     > some exploits, which allows you to run out of chroots.
>     >
>     > Now imagine evil package, which will run out chroot, read that
>     > certificate and deliver it to attacker.
>     > He now can build evil builder and start building modified packages.
>     >
>     > While there are known exploits to affect host machine of VM, it is
>     > definitely harder than running out of chroot.
>     >
> 
>     If we had SELinux policy enabled on the builders and used MLS on the
>     chroots that would mitigate chroot-to-chroot attacks. I'm not sure if
>     policy could prevent a chroot'ed process from getting access to the
>     builder's certificate. If it could, I think getting SELinux working on
>     the builders would be an easier path than re-writing koji to use VMs.
> 
>     Maybe someone with more expertise could comment on the latter issue.
> 
> 
> koji already uses VMs for x86.
> 
> Peter
> 

Not for RPM builds.