Releases

Current version
Git/Snapshot: 1.5.3
Release: 1.5.0

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

Events

No events planned

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

--- wiki:experiences:igraltist:kvm_guest_jail [2009/07/17 23:51]
127.0.0.1 (old revision restored)
+++ wiki:experiences:igraltist:kvm_guest_jail [2009/08/05 23:30]
127.0.0.1 (old revision restored)
@@ Line 1: / Line 1: @@
-http://botox-spline-pain.a3j.us botox spline pain http://goodyear-allegra-test-results.a3j.us goodyear allegra test results http://mexican-punch-non-alcohol.a3j.us mexican punch non alcohol http://meclizine-at-walgreens.a3j.us meclizine at walgreens http://any-steroids-legal.a3j.us any steroids legal http://amitriptyline-weightgain.a3j.us amitriptyline weightgain http://oxidation-of-vinyl-alcohol.a3j.us oxidation of vinyl alcohol http://bupropion-and-weight-gain.a3j.us bupropion and weight gain http://testosterone-in-foods.a3j.us testosterone in foods http://botox-injection-beverly-hills.a3j.us botox injection beverly hills http://cheapest-alli.a3j.us cheapest alli http://hydrocodone-no-prescription.a3j.us hydrocodone no prescription http://steroids-in-society.a3j.us steroids in society http://imdur-viagra-interactions.a3j.us imdur viagra interactions http://clomid-sore-sex-is-painful.a3j.us clomid sore sex is painful http://wood-alcohol-gas.a3j.us wood alcohol gas http://prednisone-dosage-for-asthma.a3j.us prednisone dosage for asthma http://alcohol-estrogen-levels.a3j.us alcohol estrogen levels http://clarithromyc-of-biaxin.a3j.us clarithromyc of biaxin http://chantix-back-pain.a3j.us chantix back pain http://psilocybin-forum.a3j.us psilocybin forum http://broccoli-and-thyroid.a3j.us broccoli and thyroid http://alcohol-nasal-bleeding.a3j.us alcohol nasal bleeding http://2007-magnesium-compounds.a3j.us 2007 magnesium compounds http://chantix-and-addictions.a3j.us chantix and addictions http://muscle-cramps-and-magnesium.a3j.us muscle cramps and magnesium http://200-celebrex-mg.a3j.us 200 celebrex mg http://famvir-aspirin.a3j.us famvir aspirin http://ambien-librement.a3j.us ambien librement http://facts-about-meclizine.a3j.us facts about meclizine http://ecstasy-health-effects.a3j.us ecstasy health effects http://methocarbamol-rectal.a3j.us methocarbamol rectal http://alcohol-rehabilitation-for-seniors-seattle.a3j.us alcohol rehabilitation for seniors seattle http://tabletop-fountains-from-alcohol-bottles.a3j.us tabletop fountains from alcohol bottles http://best-calcium-citrate-or.a3j.us best calcium citrate or http://5-sildenafil-49.a3j.us 5 sildenafil 49 http://reviews-on-differin.a3j.us reviews on differin http://prempro-law-firm.a3j.us prempro law firm http://alcohol-realted-injuries.a3j.us alcohol realted injuries http://medical-ciprofloxacin.a3j.us medical ciprofloxacin http://propranolol-nightmares.a3j.us propranolol nightmares http://ambien-cr-12.5-tabs.a3j.us ambien cr 12.5 tabs http://xanax-urine-drug-test.a3j.us xanax urine drug test http://ortho-tri-cyclen-without-prescription.a3j.us ortho tri cyclen without prescription http://botox-treatment-northern-virginia.a3j.us botox treatment northern virginia http://dose-for-bactrim-ds.a3j.us dose for bactrim ds http://alli-begirls.a3j.us alli begirls http://taking-ibuprofen-during-pregnancy.a3j.us taking ibuprofen during pregnancy http://soma-pi.a3j.us soma pi http://zofran-and-pregnancy.a3j.us zofran and pregnancy
+-	[[wiki:experiences/igraltist|Back to igraltist's experiences]]
+-
+-
+-
+-	====== Start kvmguest with rsbac_jail ======
+-	Based on the [[wiki:experiences/igraltist/run-jail#run-jail|run-jail]] script and [[wiki:experiences/igraltist/kvm#kvm-admin|kvm-admin]] i do this.
+-
+-	===== kvm-jail-config =====
+-	<code bash>
+-	;
+-	; RSBAC JAIL definition for kvm
+-	; 20080507
+-	;
+-	; Tested by igraltist
+-	;
+-
+-	""
+-	"0.0.0.0"
+-	(allow-dev-read
+-	allow-dev-write
+-	allow-ipc-syslog
+-	allow-ipc-parent
+-	allow-inet-raw
+-	allow-all-net-family)
+-	(net-raw
+-	setgid
+-	setuid
+-	dac-override
+-	net-admin
+-	dac-read-search
+-	sys-resource
+-	sys-module)
+-	()
+-	(rlimit)
+-	</code>
+-
+-
+-
+-
+-
+-
+-
+-
+	===== start kvm-guest =====
+-	See on this [[wiki:experiences/igraltist/kvm#example kvm-guest-config|example kvm-guest-config]] the content from file.
+-
+-	<code bash>
+-	kvm-admin start example
+-	uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)
+-	[Errno 2] No such file or directory: '/vmserver/qemu.img'
+-	Using already existing Tap device.
+-	Setting up tun-tap-device, done ....
+-	The follow command would be executing:
+-	['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']
+-	</code>
+-	\\
+-	Now I start a guest.
+-	<code bash>
+-	kvm-admin start vserver
+-	uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)
+-	SIOCSIFADDR: Die Operation ist nicht erlaubt
+-	SIOCSIFFLAGS: Die Operation ist nicht erlaubt
+-	SIOCSIFFLAGS: Die Operation ist nicht erlaubt
+-	SIOCSIFFLAGS: Die Operation ist nicht erlaubt
+-	can't add vserver to bridge eth1: Operation not permitted
+-	(if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)
+-	</code>
+-
+-	If we must add the tap-device = vserver manually to the bridge.\\
+-	In the example is the bridge name dmz_bridge and the tun-tap device name is vserver.
+-	<code bash>
+-	brctl addif dmz_bridge vserver
+-	ifconfig vserver up
+-	</code>
+-
+-	This I see in the rsbac-log, but the guest is running.
+-	<code bash>
+-	<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
+-	<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
+-	<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
+-	<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
+-	<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL
+-	</code>
+-
+-
+-
+-
+-
+-
+	===== show-jail-info =====
+-	Do this:
+-	<code bash>cat /proc/rsbac-info/jail</code>
+-
+-	or you can use this:\\
+-	[[http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py]]
+-	\\
+-	I get this output. Its very similar to the above.
+-	\\
+-	<code bash>
+-	./ps-jail.py
+-	Loading Jail info for Processes, done.
+-	--------------------------------------------------------------------------------
+-	Processname          Pid  Jail-ID Flags Max-caps  SCD-get  SCD-mod Jail-IP
+-	ntpd                7337      7  1539 50349250        0  6291491 0.0.0.0
+-	dmeventd            7281      6  1537      -1        0  2113536 0.0.0.0
+-	cupsd                7103      3  1546      -1        0      32 0.0.0.0
+-	dhcpd                7224      5  67083  271555        0        0 0.0.0.0
+-	pickup              3286      8  67073      -1        0      32 0.0.0.0
+-	qemu-system-x86      3704    28  71178 16855238        0      32 0.0.0.0
+-	master              7441      8  67073      -1        0      32 0.0.0.0
+-	smbd                7560    10  1538 17302752        0      32 0.0.0.0
+-	qemu-system-x86    29614    26  71178 16855238        0      32 0.0.0.0
+-	qmgr                7448      8  67073      -1        0      32 0.0.0.0
+-	nmbd                7561    11  1538 17302752        0      32 0.0.0.0
+-	syslog-ng          11370    13  40448      -1        0        0 0.0.0.0
+-	cron                11428    14  71168      -1        0      32 0.0.0.0
+-	pdnsd              12945    16  71176 17310912  262144    16416 0.0.0.0
+-	qemu-system-x86    25748    23  71178 16855238        0      32 0.0.0.0
+-	qemu-system-x86    26053    24  71178 16855238        0      32 0.0.0.0
+-	portmap              6242      2  1537      -1        0        0 0.0.0.0
+-	smbd                7556    10  1538 17302752        0      32 0.0.0.0
+-	--------------------------------------------------------------------------------
+-	It took 0.94s seconds.
+-	</code>
+-	Fixme: convert numbers in readable names.
+-
+-	[[wiki:experiences/igraltist/kvm_guest_jail#Start kvmguest with rsbac_jail|Top]]
+-
+-

//