Releases

Current version
Git/Snapshot: 1.5.3
Release: 1.5.0

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

Events

No events planned

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

--- wiki:experiences:igraltist:kvm_guest_jail [2009/07/18 00:00]
127.0.0.1 (old revision restored)
+++ wiki:experiences:igraltist:kvm_guest_jail [2009/08/05 23:30]
127.0.0.1 (old revision restored)
@@ Line 1: / Line 1: @@
-http://taking-prozac-whle-pregnant.a3j.us taking prozac whle pregnant http://acyclovir-treatment-for-cicatrical-phemigus.a3j.us acyclovir treatment for cicatrical phemigus http://50-mg-zoloft-picture.a3j.us 50 mg zoloft picture http://enablex-sintex.a3j.us enablex sintex http://adverse-reactions-to-metrogel-vaginal.a3j.us adverse reactions to metrogel vaginal http://this-is-f-ing-ecstasy.a3j.us this is f ing ecstasy http://carisoprodol-onlinea.a3j.us carisoprodol onlinea http://fuel-cell-sensor-alcohol-analysers.a3j.us fuel cell sensor alcohol analysers http://what-is-anti-thyroid-peroxidase.a3j.us what is anti thyroid peroxidase http://lamisil-coupons.a3j.us lamisil coupons http://using-heroin-on-suboxone.a3j.us using heroin on suboxone http://generic-diethylpropion.a3j.us generic diethylpropion http://cialis-target-market.a3j.us cialis target market http://mail-order-arimidex.a3j.us mail order arimidex http://alcohol-rehabilitation-st-louis-mo.a3j.us alcohol rehabilitation st louis mo http://ambien-and-beer.a3j.us ambien and beer http://womans-aspirin-with-calcium.a3j.us womans aspirin with calcium http://order-testosterone-cypionate-discreet-billing.a3j.us order testosterone cypionate discreet billing http://prednisone-similar.a3j.us prednisone similar http://allied-offensive-of-southern-france.a3j.us allied offensive of southern france http://fentynal-oxycontin-conversion.a3j.us fentynal oxycontin conversion http://amitiza-zelnorm-comparison.a3j.us amitiza zelnorm comparison http://can-people-take-butorphanol.a3j.us can people take butorphanol http://allied-video.a3j.us allied video http://azithromycin-and-anaphylactic.a3j.us azithromycin and anaphylactic http://effect-of-zocor-on-bilirubin.a3j.us effect of zocor on bilirubin http://trileptal-for-behavior-control.a3j.us trileptal for behavior control http://makita-lithium-battery.a3j.us makita lithium battery http://methylphenidate-dea-schedule-class.a3j.us methylphenidate dea schedule class http://hostory-of-alcohol.a3j.us hostory of alcohol http://what-gland-regulates-potassium.a3j.us what gland regulates potassium http://yaz-and-leg-cramps.a3j.us yaz and leg cramps http://female-athletes-triad-plasma-calcium.a3j.us female athletes triad plasma calcium http://allied-lsp-half-back-sale.a3j.us allied lsp half back sale http://mucous-stool-phenergan-side-effect.a3j.us mucous stool phenergan side effect http://thyroid-65-mg-weight-loss.a3j.us thyroid 65 mg weight loss http://statin-ibuprofen.a3j.us statin ibuprofen http://omeprazole-20mg-600-pills.a3j.us omeprazole 20mg 600 pills http://goldenrod-thyroid.a3j.us goldenrod thyroid http://lisinopril-versus-benicar.a3j.us lisinopril versus benicar http://acne-from-zyprexa.a3j.us acne from zyprexa http://calcium-in-vegtables.a3j.us calcium in vegtables http://boniva-pain.a3j.us boniva pain http://diaes-insulin-injection-sites.a3j.us diaes insulin injection sites http://cymbalta-good-blog.a3j.us cymbalta good blog http://abg-10-oxycodone.a3j.us abg 10 oxycodone http://is-coumadin-a-poison.a3j.us is coumadin a poison http://high-on-flexeril.a3j.us high on flexeril http://canada-finasteride.a3j.us canada finasteride http://buy-phentermine-with-fast-shipping.a3j.us buy phentermine with fast shipping
+-	[[wiki:experiences/igraltist|Back to igraltist's experiences]]
+-
+-
+-
+-	====== Start kvmguest with rsbac_jail ======
+-	Based on the [[wiki:experiences/igraltist/run-jail#run-jail|run-jail]] script and [[wiki:experiences/igraltist/kvm#kvm-admin|kvm-admin]] i do this.
+-
+-	===== kvm-jail-config =====
+-	<code bash>
+-	;
+-	; RSBAC JAIL definition for kvm
+-	; 20080507
+-	;
+-	; Tested by igraltist
+-	;
+-
+-	""
+-	"0.0.0.0"
+-	(allow-dev-read
+-	allow-dev-write
+-	allow-ipc-syslog
+-	allow-ipc-parent
+-	allow-inet-raw
+-	allow-all-net-family)
+-	(net-raw
+-	setgid
+-	setuid
+-	dac-override
+-	net-admin
+-	dac-read-search
+-	sys-resource
+-	sys-module)
+-	()
+-	(rlimit)
+-	</code>
+-
+-
+-
+-
+-
+-
+-
+-
+	===== start kvm-guest =====
+-	See on this [[wiki:experiences/igraltist/kvm#example kvm-guest-config|example kvm-guest-config]] the content from file.
+-
+-	<code bash>
+-	kvm-admin start example
+-	uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)
+-	[Errno 2] No such file or directory: '/vmserver/qemu.img'
+-	Using already existing Tap device.
+-	Setting up tun-tap-device, done ....
+-	The follow command would be executing:
+-	['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']
+-	</code>
+-	\\
+-	Now I start a guest.
+-	<code bash>
+-	kvm-admin start vserver
+-	uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb)
+-	SIOCSIFADDR: Die Operation ist nicht erlaubt
+-	SIOCSIFFLAGS: Die Operation ist nicht erlaubt
+-	SIOCSIFFLAGS: Die Operation ist nicht erlaubt
+-	SIOCSIFFLAGS: Die Operation ist nicht erlaubt
+-	can't add vserver to bridge eth1: Operation not permitted
+-	(if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)
+-	</code>
+-
+-	If we must add the tap-device = vserver manually to the bridge.\\
+-	In the example is the bridge name dmz_bridge and the tun-tap device name is vserver.
+-	<code bash>
+-	brctl addif dmz_bridge vserver
+-	ifconfig vserver up
+-	</code>
+-
+-	This I see in the rsbac-log, but the guest is running.
+-	<code bash>
+-	<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
+-	<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
+-	<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
+-	<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
+-	<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL
+-	</code>
+-
+-
+-
+-
+-
+-
+	===== show-jail-info =====
+-	Do this:
+-	<code bash>cat /proc/rsbac-info/jail</code>
+-
+-	or you can use this:\\
+-	[[http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py]]
+-	\\
+-	I get this output. Its very similar to the above.
+-	\\
+-	<code bash>
+-	./ps-jail.py
+-	Loading Jail info for Processes, done.
+-	--------------------------------------------------------------------------------
+-	Processname          Pid  Jail-ID Flags Max-caps  SCD-get  SCD-mod Jail-IP
+-	ntpd                7337      7  1539 50349250        0  6291491 0.0.0.0
+-	dmeventd            7281      6  1537      -1        0  2113536 0.0.0.0
+-	cupsd                7103      3  1546      -1        0      32 0.0.0.0
+-	dhcpd                7224      5  67083  271555        0        0 0.0.0.0
+-	pickup              3286      8  67073      -1        0      32 0.0.0.0
+-	qemu-system-x86      3704    28  71178 16855238        0      32 0.0.0.0
+-	master              7441      8  67073      -1        0      32 0.0.0.0
+-	smbd                7560    10  1538 17302752        0      32 0.0.0.0
+-	qemu-system-x86    29614    26  71178 16855238        0      32 0.0.0.0
+-	qmgr                7448      8  67073      -1        0      32 0.0.0.0
+-	nmbd                7561    11  1538 17302752        0      32 0.0.0.0
+-	syslog-ng          11370    13  40448      -1        0        0 0.0.0.0
+-	cron                11428    14  71168      -1        0      32 0.0.0.0
+-	pdnsd              12945    16  71176 17310912  262144    16416 0.0.0.0
+-	qemu-system-x86    25748    23  71178 16855238        0      32 0.0.0.0
+-	qemu-system-x86    26053    24  71178 16855238        0      32 0.0.0.0
+-	portmap              6242      2  1537      -1        0        0 0.0.0.0
+-	smbd                7556    10  1538 17302752        0      32 0.0.0.0
+-	--------------------------------------------------------------------------------
+-	It took 0.94s seconds.
+-	</code>
+-	Fixme: convert numbers in readable names.
+-
+-	[[wiki:experiences/igraltist/kvm_guest_jail#Start kvmguest with rsbac_jail|Top]]
+-
+-

//