jgregusk at redhat.com
Tue Sep 3 19:33:10 UTC 2013
On 09/03/2013 11:48 AM, Peter Robinson wrote:
> On Tue, Sep 3, 2013 at 3:10 PM, Jay Greguske <jgregusk at redhat.com
> <mailto:jgregusk at redhat.com>> wrote:
> On 09/02/2013 04:29 AM, Miroslav Suchý wrote:
> > On 08/30/2013 10:01 PM, Jay Greguske wrote:
> >> I'd like to see some elaboration on why VMs instead of chroots
> would be
> >> required. I can draw my own conclusions (security) but I'd like
> to see
> >> them listed out first before continuing the discussion.
> > Koji builder has somewhere stored certificate. This certificate
> > authorize him to Koji hub.
> > Whoever has this certificate can act as Koji builder.
> > Koji builder builds using mock, which means in chroot. There are known
> > some exploits, which allows you to run out of chroots.
> > Now imagine evil package, which will run out chroot, read that
> > certificate and deliver it to attacker.
> > He now can build evil builder and start building modified packages.
> > While there are known exploits to affect host machine of VM, it is
> > definitely harder than running out of chroot.
> If we had SELinux policy enabled on the builders and used MLS on the
> chroots that would mitigate chroot-to-chroot attacks. I'm not sure if
> policy could prevent a chroot'ed process from getting access to the
> builder's certificate. If it could, I think getting SELinux working on
> the builders would be an easier path than re-writing koji to use VMs.
> Maybe someone with more expertise could comment on the latter issue.
> koji already uses VMs for x86.
Not for RPM builds.
More information about the devel