Current version
Git/Latestdiff: 1.5.6
Latest Snapshots
Produced after each commit or rebase to new upstream version
GIT
RSBAC source code, can be unstable sometimes
No events planned
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
wiki:experiences:igraltist:kvm_guest_jail [2009/05/31 15:37] 127.0.0.1 (old revision restored) |
wiki:experiences:igraltist:kvm_guest_jail [2011/01/07 14:39] 127.0.0.1 (old revision restored) |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | - [[wiki:experiences/igraltist|Back to igraltist's experiences]] | + | [[wiki:experiences/igraltist#kvm_on_rsbac|Back to igraltist's experiences/KVM on RSBAC]] |
- | - | + | |
- | - | + | |
- | - | + | |
- | - ====== Start kvmguest with rsbac_jail ====== | + | ====== Start kvmguest with rsbac_jail ====== |
- | - Based on the [[wiki:experiences/igraltist/run-jail#run-jail|run-jail]] script and [[wiki:experiences/igraltist/kvm#kvm-admin|kvm-admin]] i do this. | + | Based on the [[wiki:experiences/igraltist/run-jail#run-jail|run-jail]] script and [[wiki:experiences/igraltist/kvm#kvm-admin|kvm-admin]] i do this. |
- | - | + | |
- | - ===== kvm-jail-config ===== | + | ===== kvm-jail-config ===== |
- | - <code bash> | + | <code bash> |
- | - ; | + | ; |
- | - ; RSBAC JAIL definition for kvm | + | ; RSBAC JAIL definition for kvm |
- | - ; 20080507 | + | ; 20080507 |
- | - ; | + | ; |
- | - ; Tested by igraltist | + | ; Tested by igraltist |
- | - ; | + | ; |
- | - | + | |
- | - "" | + | "" |
- | - "0.0.0.0" | + | "0.0.0.0" |
- | - (allow-dev-read | + | (allow-dev-read |
- | - allow-dev-write | + | allow-dev-write |
- | - allow-ipc-syslog | + | allow-ipc-syslog |
- | - allow-ipc-parent | + | allow-ipc-parent |
- | - allow-inet-raw | + | allow-inet-raw |
- | - allow-all-net-family) | + | allow-all-net-family) |
- | - (net-raw | + | (net-raw |
- | - setgid | + | setgid |
- | - setuid | + | setuid |
- | - dac-override | + | dac-override |
- | - net-admin | + | net-admin |
- | - dac-read-search | + | dac-read-search |
- | - sys-resource | + | sys-resource |
- | - sys-module) | + | sys-module) |
- | - () | + | () |
- | - (rlimit) | + | (rlimit) |
- | - </code> | + | </code> |
- | - | + | |
- | - | + | |
- | - | + | |
- | - | + | |
- | - | + | |
- | - | + | |
- | - | + | |
- | - ===== start kvm-guest ===== | + | |
- | - See on this [[wiki:experiences/igraltist/kvm#example kvm-guest-config|example kvm-guest-config]] the content from file. | + | ===== start kvm-guest ===== |
- | - | + | See on this [[wiki:experiences/igraltist/kvm#example kvm-guest-config|example kvm-guest-config]] the content from file. |
- | - <code bash> | + | |
- | - kvm-admin start example | + | <code bash> |
- | - uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb) | + | kvm-admin start example |
- | - [Errno 2] No such file or directory: '/vmserver/qemu.img' | + | uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb) |
- | - Using already existing Tap device. | + | [Errno 2] No such file or directory: '/vmserver/qemu.img' |
- | - Setting up tun-tap-device, done .... | + | Using already existing Tap device. |
- | - The follow command would be executing: | + | Setting up tun-tap-device, done .... |
- | - ['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime'] | + | The follow command would be executing: |
- | - </code> | + | ['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', -net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime'] |
- | - \\ | + | </code> |
- | - Now i start a guest. | + | \\ |
- | - <code bash> | + | Now I start a guest. |
- | - kvm-admin start vserver | + | <code bash> |
- | - uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb) | + | kvm-admin start vserver |
- | - SIOCSIFADDR: Die Operation ist nicht erlaubt | + | uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb) |
- | - SIOCSIFFLAGS: Die Operation ist nicht erlaubt | + | SIOCSIFADDR: Die Operation ist nicht erlaubt |
- | - SIOCSIFFLAGS: Die Operation ist nicht erlaubt | + | SIOCSIFFLAGS: Die Operation ist nicht erlaubt |
- | - SIOCSIFFLAGS: Die Operation ist nicht erlaubt | + | SIOCSIFFLAGS: Die Operation ist nicht erlaubt |
- | - can't add vserver to bridge eth1: Operation not permitted | + | SIOCSIFFLAGS: Die Operation ist nicht erlaubt |
- | - (if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.) | + | can't add vserver to bridge eth1: Operation not permitted |
- | - </code> | + | (if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.) |
- | - | + | </code> |
- | - If we must add the tap-device = vserver manually to the bridge.\\ | + | |
- | - In the example is the bridge name dmz_bridge and the tun-tap device name is vserver. | + | If we must add the tap-device = vserver manually to the bridge.\\ |
- | - <code bash> | + | In the example is the bridge name dmz_bridge and the tun-tap device name is vserver. |
- | - brctl addif dmz_bridge vserver | + | <code bash> |
- | - ifconfig vserver up | + | brctl addif dmz_bridge vserver |
- | - </code> | + | ifconfig vserver up |
- | - | + | </code> |
- | - This I see in the rsbac-log, but the guest is running. | + | |
- | - <code bash> | + | This I see in the rsbac-log, but the guest is running. |
- | - <6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL | + | <code bash> |
- | - <6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL | + | <6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL |
- | - <6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL | + | <6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL |
- | - <6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL | + | <6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL |
- | - <6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL | + | <6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL |
- | - </code> | + | <6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL |
- | - | + | </code> |
- | - | + | |
- | - | + | |
- | - | + | |
- | - | + | |
- | - | + | |
- | - ===== show-jail-info ===== | + | |
- | - Do this: | + | ===== show-jail-info ===== |
- | - <code bash>cat /proc/rsbac-info/jail</code> | + | Do this: |
- | - | + | <code bash>cat /proc/rsbac-info/jail</code> |
- | - or you can use this:\\ | + | |
- | - [[http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py]] | + | or you can use this:\\ |
- | - \\ | + | [[http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py]] |
- | - I get this output. Its very similar to the above. | + | \\ |
- | - \\ | + | I get this output. Its very similar to the above. |
- | - <code bash> | + | \\ |
- | - ./ps-jail.py | + | <code bash> |
- | - Loading Jail info for Processes, done. | + | ./ps-jail.py |
- | - -------------------------------------------------------------------------------- | + | Loading Jail info for Processes, done. |
- | - Processname Pid Jail-ID Flags Max-caps SCD-get SCD-mod Jail-IP | + | -------------------------------------------------------------------------------- |
- | - ntpd 7337 7 1539 50349250 0 6291491 0.0.0.0 | + | Processname Pid Jail-ID Flags Max-caps SCD-get SCD-mod Jail-IP |
- | - dmeventd 7281 6 1537 -1 0 2113536 0.0.0.0 | + | ntpd 7337 7 1539 50349250 0 6291491 0.0.0.0 |
- | - cupsd 7103 3 1546 -1 0 32 0.0.0.0 | + | dmeventd 7281 6 1537 -1 0 2113536 0.0.0.0 |
- | - dhcpd 7224 5 67083 271555 0 0 0.0.0.0 | + | cupsd 7103 3 1546 -1 0 32 0.0.0.0 |
- | - pickup 3286 8 67073 -1 0 32 0.0.0.0 | + | dhcpd 7224 5 67083 271555 0 0 0.0.0.0 |
- | - qemu-system-x86 3704 28 71178 16855238 0 32 0.0.0.0 | + | pickup 3286 8 67073 -1 0 32 0.0.0.0 |
- | - master 7441 8 67073 -1 0 32 0.0.0.0 | + | qemu-system-x86 3704 28 71178 16855238 0 32 0.0.0.0 |
- | - smbd 7560 10 1538 17302752 0 32 0.0.0.0 | + | master 7441 8 67073 -1 0 32 0.0.0.0 |
- | - qemu-system-x86 29614 26 71178 16855238 0 32 0.0.0.0 | + | smbd 7560 10 1538 17302752 0 32 0.0.0.0 |
- | - qmgr 7448 8 67073 -1 0 32 0.0.0.0 | + | qemu-system-x86 29614 26 71178 16855238 0 32 0.0.0.0 |
- | - nmbd 7561 11 1538 17302752 0 32 0.0.0.0 | + | qmgr 7448 8 67073 -1 0 32 0.0.0.0 |
- | - syslog-ng 11370 13 40448 -1 0 0 0.0.0.0 | + | nmbd 7561 11 1538 17302752 0 32 0.0.0.0 |
- | - cron 11428 14 71168 -1 0 32 0.0.0.0 | + | syslog-ng 11370 13 40448 -1 0 0 0.0.0.0 |
- | - pdnsd 12945 16 71176 17310912 262144 16416 0.0.0.0 | + | cron 11428 14 71168 -1 0 32 0.0.0.0 |
- | - qemu-system-x86 25748 23 71178 16855238 0 32 0.0.0.0 | + | pdnsd 12945 16 71176 17310912 262144 16416 0.0.0.0 |
- | - qemu-system-x86 26053 24 71178 16855238 0 32 0.0.0.0 | + | qemu-system-x86 25748 23 71178 16855238 0 32 0.0.0.0 |
- | - portmap 6242 2 1537 -1 0 0 0.0.0.0 | + | qemu-system-x86 26053 24 71178 16855238 0 32 0.0.0.0 |
- | - smbd 7556 10 1538 17302752 0 32 0.0.0.0 | + | portmap 6242 2 1537 -1 0 0 0.0.0.0 |
- | - -------------------------------------------------------------------------------- | + | smbd 7556 10 1538 17302752 0 32 0.0.0.0 |
- | - It took 0.94s seconds. | + | -------------------------------------------------------------------------------- |
- | - </code> | + | It took 0.94s seconds. |
- | - Fixme: convert numbers in readable names. | + | </code> |
- | - | + | Fixme: convert numbers in readable names. |
- | - [[wiki:experiences/igraltist/kvm_guest_jail#Start kvmguest with rsbac_jail|Top]] | + | |
- | - | + | [[wiki:experiences/igraltist/kvm_guest_jail#Start kvmguest with rsbac_jail|Top]] |
- | - | + | |