
Start kvmguest with rsbac_jail

Based on the run-jail script and kvm-admin, I do this.

kvm-jail-config

;
; RSBAC JAIL definition for kvm
; 20080507
;
; Tested by igraltist
;
 
""
"0.0.0.0"
(allow-dev-read
 allow-dev-write
 allow-ipc-syslog
 allow-ipc-parent
 allow-inet-raw
 allow-all-net-family)
(net-raw
 setgid
 setuid
 dac-override
 net-admin
 dac-read-search
 sys-resource
 sys-module)
()
(rlimit)

start kvm-guest

See this example kvm-guest-config for the content of the file.

kvm-admin start example
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)
[Errno 2] No such file or directory: '/vmserver/qemu.img'
Using already existing Tap device.
Setting up tun-tap-device, done ....
The follow command would be executing: 
['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']


Now I start a guest.

kvm-admin start vserver
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)
SIOCSIFADDR: Die Operation ist nicht erlaubt
SIOCSIFFLAGS: Die Operation ist nicht erlaubt
SIOCSIFFLAGS: Die Operation ist nicht erlaubt
SIOCSIFFLAGS: Die Operation ist nicht erlaubt
can't add vserver to bridge eth1: Operation not permitted
(if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)

So the tap device (vserver) must be added to the bridge manually.
In the example the bridge name is dmz_bridge and the tun-tap device name is vserver.

brctl addif dmz_bridge vserver
ifconfig vserver up

This is what I see in the rsbac log, but the guest is running.

<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL
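As an added example (not part of these notes or of RSBAC itself), a small Python parser for the rsbac_adf_request() log format shown above: it splits the comma-separated key/value pairs and counts the NOT_GRANTED decisions per module, program, request and target, which shows at a glance that the jail refused ifconfig and brctl on the NETDEV targets while the guest itself kept running. The five sample lines are the ones logged above, embedded as a constructed string.

```python
import re
from collections import Counter

# Constructed sample: the five rsbac_adf_request() lines the jail logged above,
# embedded as a string so the parser runs offline.
SAMPLE_LOG = """\
<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL
"""

# "<6>0000001281|rsbac_adf_request(): " prefix, then comma-separated "key value" pairs.
LINE_RE = re.compile(r"^<\d+>\d+\|rsbac_adf_request\(\): (?P<body>.*)$")
RESULT_RE = re.compile(r"^result (?P<result>\S+) by (?P<module>\S+)$")

def parse_line(line):
    """Parse one rsbac_adf_request() line into a dict; None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {}
    for part in m.group("body").split(", "):
        r = RESULT_RE.match(part)
        if r:  # "result NOT_GRANTED by JAIL": the decision and the deciding module
            rec["result"], rec["module"] = r.group("result"), r.group("module")
            continue
        # Keys may contain a space ("audit uid", "remote ip"); the value is the last word.
        key, _, value = part.rpartition(" ")
        rec[key.replace(" ", "_")] = value
    return rec

def summarize_denials(log_text):
    """Count NOT_GRANTED decisions per (module, program, request, target type, target)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("result") == "NOT_GRANTED":
            key = (rec["module"], rec["prog_name"], rec["request"],
                   rec["target_type"], rec["tid"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, *key)
```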

show-jail-info

Do this:

cat /proc/rsbac-info/jail

or you can use this:
http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py
I get this output. It's very similar to the above.

./ps-jail.py 
Loading Jail info for Processes, done.
--------------------------------------------------------------------------------
Processname          Pid  Jail-ID Flags Max-caps  SCD-get  SCD-mod Jail-IP
ntpd                 7337      7   1539 50349250        0  6291491 0.0.0.0
dmeventd             7281      6   1537       -1        0  2113536 0.0.0.0
cupsd                7103      3   1546       -1        0       32 0.0.0.0
dhcpd                7224      5  67083   271555        0        0 0.0.0.0
pickup               3286      8  67073       -1        0       32 0.0.0.0
qemu-system-x86      3704     28  71178 16855238        0       32 0.0.0.0
master               7441      8  67073       -1        0       32 0.0.0.0
smbd                 7560     10   1538 17302752        0       32 0.0.0.0
qemu-system-x86     29614     26  71178 16855238        0       32 0.0.0.0
qmgr                 7448      8  67073       -1        0       32 0.0.0.0
nmbd                 7561     11   1538 17302752        0       32 0.0.0.0
syslog-ng           11370     13  40448       -1        0        0 0.0.0.0
cron                11428     14  71168       -1        0       32 0.0.0.0
pdnsd               12945     16  71176 17310912   262144    16416 0.0.0.0
qemu-system-x86     25748     23  71178 16855238        0       32 0.0.0.0
qemu-system-x86     26053     24  71178 16855238        0       32 0.0.0.0
portmap              6242      2   1537       -1        0        0 0.0.0.0
smbd                 7556     10   1538 17302752        0       32 0.0.0.0
--------------------------------------------------------------------------------
It took 0.94s seconds.

Fixme: convert the numbers into readable names.
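As a start on that Fixme, an added example (not part of ps-jail.py or of these notes) that decodes the Max-caps column with the standard Linux capability bit numbers from linux/capability.h, using the kvm-jail-config spelling for the names; the Flags column is left alone because the RSBAC jail flag values are not given here. Decoding 16855238 from the qemu-system-x86 rows gives exactly the max-caps list in kvm-jail-config above, and ntpd's 50349250 includes sys-time and net-bind-service.

```python
# Linux capability bit numbers (linux/capability.h), named in the spelling
# kvm-jail-config uses (net-raw, setgid, ...).
LINUX_CAPS = {
    0: "chown", 1: "dac-override", 2: "dac-read-search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux-immutable", 10: "net-bind-service", 11: "net-broadcast",
    12: "net-admin", 13: "net-raw", 14: "ipc-lock", 15: "ipc-owner",
    16: "sys-module", 17: "sys-rawio", 18: "sys-chroot", 19: "sys-ptrace",
    20: "sys-pacct", 21: "sys-admin", 22: "sys-boot", 23: "sys-nice",
    24: "sys-resource", 25: "sys-time", 26: "sys-tty-config", 27: "mknod",
    28: "lease", 29: "audit-write", 30: "audit-control", 31: "setfcap",
}

def decode_max_caps(value):
    """Turn a ps-jail.py Max-caps number into a list of capability names.

    ps-jail.py prints the vector as a signed 32-bit int; -1 has every bit
    set (assumed here to mean no capability limit) and is returned as None.
    """
    if value < 0:
        return None
    names = []
    bit = 0
    while value >> bit:
        if (value >> bit) & 1:
            names.append(LINUX_CAPS.get(bit, "cap-%d" % bit))
        bit += 1
    return names

def decode_ps_jail_row(row):
    """Split one data row of the ps-jail.py table and decode its Max-caps column."""
    name, pid, jail_id, flags, max_caps, scd_get, scd_mod, jail_ip = row.split()
    return {
        "process": name, "pid": int(pid), "jail_id": int(jail_id),
        "flags": int(flags), "max_caps": decode_max_caps(int(max_caps)),
        "jail_ip": jail_ip,
    }

# Constructed from the ps-jail.py output above: one jailed qemu guest and ntpd.
SAMPLE_ROWS = [
    "qemu-system-x86      3704     28  71178 16855238        0       32 0.0.0.0",
    "ntpd                 7337      7   1539 50349250        0  6291491 0.0.0.0",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        r = decode_ps_jail_row(row)
        print(r["process"], r["pid"], " ".join(r["max_caps"]))
```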
