Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 6 Aug 2012 01:07:47 +0400
From: Vasily Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: HARDEN_VM86

Solar, all -

I was thinking about how the vm86 limitation can be configured.
The requirement is that it should be possible to disable vm86
in a particular container such that CT root may not enable it.
But CT0 root still may enable CT0's vm86 ability.

My vision is as follows:

    kernel.vm86 = 0 / 1 / 2

0 means everybody may use vm86(2), vm86_old(2) and modify_ldt(2).
1 means only processes with CAP_SYS_IO may use them.
2 means only processes with CAP_SYS_ADMIN may use them.

If the sysctl equals 2, only processes with CAP_SYS_ADMIN may
reset it to 0 or 1.

That means that CT's root may fully disable vm86 for the container
and may not restore it.  Only CT0's root may restore the defaults.
But CT0's root may freely disable and enable its own vm86 behaviour.

So, for a simple Owl system without containers it is yet another
sysctl to enable/disable 3 syscalls.

What do you think about it?

Thanks,

-- 
Vasily
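The policy described in the mail, written out as a small C model so the three levels and the one-way rule can be checked against each other. This is an added example, not Owl or Linux kernel code: the capability bit values, the container scenario and the helper names (vm86_permitted, vm86_sysctl_write, demo_container_scenario) are constructed for the model, the sysctl is modelled as a single integer rather than a per-container value, and CAP_SYS_IO is used as the mail names it (mainline Linux spells the I/O-port capability CAP_SYS_RAWIO).

```c
/* Model of the proposed kernel.vm86 sysctl (added example, not kernel code).
 * Level 0: anyone may use vm86(2), vm86old(2) and modify_ldt(2).
 * Level 1: only callers holding CAP_SYS_IO (as named in the mail).
 * Level 2: only callers holding CAP_SYS_ADMIN, and only CAP_SYS_ADMIN may
 *          lower the sysctl again once it reads 2. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed capability bits for the model; not the kernel's numbering. */
#define CAP_SYS_IO    (1u << 0)
#define CAP_SYS_ADMIN (1u << 1)

enum vm86_policy { VM86_ALL = 0, VM86_NEED_SYS_IO = 1, VM86_NEED_SYS_ADMIN = 2 };

/* Would one of the three syscalls be permitted for a caller holding `caps`
 * under policy level `policy`? Unknown levels fail closed. */
bool vm86_permitted(int policy, unsigned caps)
{
    switch (policy) {
    case VM86_ALL:            return true;
    case VM86_NEED_SYS_IO:    return (caps & CAP_SYS_IO) != 0;
    case VM86_NEED_SYS_ADMIN: return (caps & CAP_SYS_ADMIN) != 0;
    default:                  return false;
    }
}

/* Sysctl write handler for the model. Returns 0 on success, -EINVAL for a
 * value outside 0..2, and -EPERM when the caller tries to lower the level
 * from 2 without CAP_SYS_ADMIN (the one-way rule from the mail). */
int vm86_sysctl_write(int *policy, int newval, unsigned caps)
{
    if (newval < VM86_ALL || newval > VM86_NEED_SYS_ADMIN)
        return -EINVAL;
    if (*policy == VM86_NEED_SYS_ADMIN && newval != VM86_NEED_SYS_ADMIN &&
        !(caps & CAP_SYS_ADMIN))
        return -EPERM;
    *policy = newval;
    return 0;
}

/* The container scenario from the mail: CT root (modelled here as lacking
 * CAP_SYS_ADMIN) disables vm86 for its container and then cannot restore it;
 * CT0 root can. Returns the final policy value. */
int demo_container_scenario(void)
{
    int ct_policy = VM86_ALL;
    unsigned ct_root  = CAP_SYS_IO;                 /* constructed: no CAP_SYS_ADMIN */
    unsigned ct0_root = CAP_SYS_IO | CAP_SYS_ADMIN; /* constructed: host root */

    int r_disable = vm86_sysctl_write(&ct_policy, VM86_NEED_SYS_ADMIN, ct_root);
    int r_ct      = vm86_sysctl_write(&ct_policy, VM86_ALL, ct_root);   /* -EPERM */
    int r_ct0     = vm86_sysctl_write(&ct_policy, VM86_ALL, ct0_root);  /* 0 */

    printf("CT root disable: %d, CT root restore: %d, CT0 root restore: %d, "
           "policy now %d\n", r_disable, r_ct, r_ct0, ct_policy);
    return ct_policy;
}
```

A real implementation would keep the value per container (as OpenVZ does for virtualised sysctls) and check it in the three syscall entry points; the model only shows the decision logic and the ratchet that makes the container-side disable irreversible for CT root.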
