[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: [patch 5/5] xen: net features

Jody Belka wrote:
> On Tue, Feb 01, 2005 at 12:00:17AM -0000, Ian Pratt wrote:
>>>> I can't see why making the frontend MAC readonly can really be
>>>> done securely within the domain.
>>> Well, if you have module support enabled in the kernel, or some
>>> way that lets root write to random (domain) memory, then it's not
>>> really secure, although i think it's still a nice to
>>> have. Otherwise i would think it should be reasonably secure?
>> You need root access to change the mac normally, and its trivial
>> for root to change it under your scheme -- running sed on /dev/mem
>> would do it...
> I was thinking of something along the lines of adding a tiny bit of
> code to remove the CAP_SYS_MODULE and CAP_SYS_RAWIO capabilities
> from the global set of allowed cap's when using the readonly
> option. With that in place you're down to requiring a kernel-hole to
> get around it.

You would also need to disallow raw packet sockets on the ethernet
layer. Oh and ebtables / bridging, possibly some modules for iptables,
too. And probably a bunch of other things that allow generation of
packets with differing MAC addresses.

If something like this were to be implemented, I think it should be
implemented kernel wide for all network drivers - and it will require
always some additional in-kernel security model, which makes sure that
not even the root user is allowed to do certain things.

Otherwise it is indeed just a false sense of security.

With Xen, the vastly superior alternative is to enforce the MAC
address at the netback side, or in domain0 - because then the policy
is enforced even if the domain in question is totally compromised.

-- Naked

This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.