wiki:experiences:igraltist:kvm_guest_jail
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Back to igraltist's experiences/KVM on RSBAC

Start kvmguest with rsbac_jail

Based on the run-jail script and kvm-admin i do this.

kvm-jail-config

;	 
; RSBAC JAIL definition for kvm	 
; 20080507	 
;	 
; Tested by igraltist	 
;	 
 
""	 
"0.0.0.0"	 
(allow-dev-read	 
allow-dev-write	 
allow-ipc-syslog	 
allow-ipc-parent	 
allow-inet-raw	 
allow-all-net-family)	 
(net-raw	 
setgid	 
setuid	 
dac-override	 
net-admin	 
dac-read-search	 
sys-resource	 
sys-module)	 
()	 
(rlimit)	 

start kvm-guest

See on this example kvm-guest-config the content from file.

kvm-admin start example	 
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)	 
[Errno 2] No such file or directory: '/vmserver/qemu.img'	 
Using already existing Tap device.	 
Setting up tun-tap-device, done ....	 
The follow command would be executing: 	 
['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', -net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']	 


Now I start a guest.

kvm-admin start vserver	 
uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)	 
SIOCSIFADDR: Die Operation ist nicht erlaubt	 
SIOCSIFFLAGS: Die Operation ist nicht erlaubt	 
SIOCSIFFLAGS: Die Operation ist nicht erlaubt	 
SIOCSIFFLAGS: Die Operation ist nicht erlaubt	 
can't add vserver to bridge eth1: Operation not permitted	 
(if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)	 

If we must add the tap-device = vserver manually to the bridge.
In the example is the bridge name dmz_bridge and the tun-tap device name is vserver.

brctl addif dmz_bridge vserver	 
ifconfig vserver up	 

This I see in the rsbac-log, but the guest is running.

<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL	 
<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL	 

show-jail-info

Do this:

cat /proc/rsbac-info/jail

or you can use this:
http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py
I get this output. Its very similar to the above.

./ps-jail.py 	 
Loading Jail info for Processes, done.	 
--------------------------------------------------------------------------------	 
	Processname          Pid  Jail-ID Flags Max-caps  SCD-get  SCD-mod Jail-IP	 
	ntpd                7337      7  1539 50349250        0  6291491 0.0.0.0	 
	dmeventd            7281      6  1537      -1        0  2113536 0.0.0.0	 
	cupsd                7103      3  1546      -1        0      32 0.0.0.0	 
	dhcpd                7224      5  67083  271555        0        0 0.0.0.0	 
	pickup              3286      8  67073      -1        0      32 0.0.0.0	 
	qemu-system-x86      3704    28  71178 16855238        0      32 0.0.0.0	 
	master              7441      8  67073      -1        0      32 0.0.0.0	 
	smbd                7560    10  1538 17302752        0      32 0.0.0.0	 
	qemu-system-x86    29614    26  71178 16855238        0      32 0.0.0.0	 
	qmgr                7448      8  67073      -1        0      32 0.0.0.0	 
	nmbd                7561    11  1538 17302752        0      32 0.0.0.0	 
	syslog-ng          11370    13  40448      -1        0        0 0.0.0.0	 
	cron                11428    14  71168      -1        0      32 0.0.0.0	 
	pdnsd              12945    16  71176 17310912  262144    16416 0.0.0.0	 
	qemu-system-x86    25748    23  71178 16855238        0      32 0.0.0.0	 
	qemu-system-x86    26053    24  71178 16855238        0      32 0.0.0.0	 
	portmap              6242      2  1537      -1        0        0 0.0.0.0	 
	smbd                7556    10  1538 17302752        0      32 0.0.0.0	 
	--------------------------------------------------------------------------------	 
It took 0.94s seconds.	 

Fixme: convert numbers in readable names.

Top

//
wiki/experiences/igraltist/kvm_guest_jail.txt · Last modified: 2011/01/07 14:39 by 127.0.0.1

wiki/experiences/igraltist/kvm_guest_jail.txt · Last modified: 2011/01/07 14:39 by 127.0.0.1
This website is kindly hosted by m-privacy