wiki:experiences:igraltist:kvm_guest_jail (current revision 2011/01/07 14:39)

[[wiki:experiences/igraltist#kvm_on_rsbac|Back to igraltist's experiences/KVM on RSBAC]]

====== Start kvmguest with rsbac_jail ======
Based on the [[wiki:experiences/igraltist/run-jail#run-jail|run-jail]] script and [[wiki:experiences/igraltist/kvm#kvm-admin|kvm-admin]], I do the following.

===== kvm-jail-config =====
<code bash>
;
; RSBAC JAIL definition for kvm
; 20080507
;
; Tested by igraltist
;

""
"0.0.0.0"
(allow-dev-read
allow-dev-write
allow-ipc-syslog
allow-ipc-parent
allow-inet-raw
allow-all-net-family)
(net-raw
setgid
setuid
dac-override
net-admin
dac-read-search
sys-resource
sys-module)
()
(rlimit)
</code>
The six fields correspond to the columns ps-jail.py prints in the show-jail-info section: the jail root directory (empty here, so no chroot), the Jail-IP, the jail Flags, the Max-caps (the maximum Linux capability set the jailed process may hold), and the SCD-get and SCD-mod target sets (only rlimit may be modified here).

===== start kvm-guest =====
See the [[wiki:experiences/igraltist/kvm#example kvm-guest-config|example kvm-guest-config]] for the content of the guest config file.

<code bash>
kvm-admin start example
uid=1003(kvm) gid=1003(kvm) groups=1003(kvm),6(disk),85(usb)
[Errno 2] No such file or directory: '/vmserver/qemu.img'
Using already existing Tap device.
Setting up tun-tap-device, done ....
The follow command would be executing:
['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime']
</code>
\\
Now I start a guest.
<code bash>
kvm-admin start vserver
uid=1003(kvm) gid=1003(kvm) groups=1003(kvm),6(disk),85(usb)
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
can't add vserver to bridge eth1: Operation not permitted
(if it is already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.)
</code>

So the tap device (here called vserver) has to be added to the bridge manually.\\
In this example the bridge is named dmz_bridge and the tun/tap device is named vserver.
<code bash>
brctl addif dmz_bridge vserver
ifconfig vserver up
</code>

This is what I see in the RSBAC log; the guest is nevertheless running. Note that the requests are refused by the JAIL module even though the process runs as uid 0 and the jail's Max-caps includes net-admin: the denial comes from the jail's NETDEV restriction, not from a missing capability.
<code bash>
<6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL
</code>
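The manual bridging step can be done from the host side, outside the jail, before run-jail hands the tap device to qemu, so the jailed process never needs BIND or MODIFY_SYSTEM_DATA on a NETDEV. The following is an added example (my code, not code from kvm-admin, run-jail or this wiki page) that does this idempotently and handles the "already a member of a bridge" case from the error output above. It learns which bridge a port belongs to from the kernel's /sys/class/net/<dev>/brport/bridge symlink and runs the same brctl/ifconfig commands used on the page. The names dmz_bridge and vserver come from the page; the sysfs_net parameter and the injectable run callable are my additions so the decision logic can be exercised without root.

```python
import os
import subprocess

SYSFS_NET = "/sys/class/net"  # kernel sysfs view of network devices


def bridge_of(dev, sysfs_net=SYSFS_NET):
    """Return the name of the bridge `dev` is enslaved to, or None.

    For a bridge port the kernel exposes the symlink
    <sysfs_net>/<dev>/brport/bridge pointing at the bridge's sysfs dir.
    """
    link = os.path.join(sysfs_net, dev, "brport", "bridge")
    if not os.path.islink(link):
        return None
    return os.path.basename(os.readlink(link))


def bridge_action(dev, bridge, sysfs_net=SYSFS_NET):
    """Decide what to do with `dev`: 'attach', 'skip' or 'conflict'."""
    current = bridge_of(dev, sysfs_net)
    if current is None:
        return "attach"
    if current == bridge:
        return "skip"        # already where we want it, nothing to do
    return "conflict"        # enslaved elsewhere: brctl would refuse anyway


def attach_tap(dev, bridge, sysfs_net=SYSFS_NET, run=subprocess.check_call):
    """Put tap device `dev` into `bridge` and bring it up, idempotently.

    Run this as root on the host *before* run-jail starts the guest: inside
    the jail the same brctl/ifconfig calls are NOT_GRANTED by JAIL.
    `run` is injectable (assumption of this example) so the decision logic
    can be tested without root and without real devices.
    """
    action = bridge_action(dev, bridge, sysfs_net)
    if action == "attach":
        run(["brctl", "addif", bridge, dev])   # same commands as on the page
        run(["ifconfig", dev, "up"])
    elif action == "conflict":
        raise RuntimeError(
            f"{dev} is already a member of bridge {bridge_of(dev, sysfs_net)}, "
            f"refusing to move it to {bridge}")
    return action


if __name__ == "__main__":
    # Names from the page: tap device "vserver", bridge "dmz_bridge".
    print(attach_tap("vserver", "dmz_bridge"))
```

Call attach_tap() from the host-side start procedure right after the tap device is created and before run-jail is invoked; the guest's ifup script inside the jail then has nothing left to do with the bridge.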
===== show-jail-info =====
Do this:
<code bash>cat /proc/rsbac-info/jail</code>

or use this script:\\
[[http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py]]
\\
I get this output. It is very similar to the /proc/rsbac-info/jail output above.
\\
<code bash>
./ps-jail.py
Loading Jail info for Processes, done.
--------------------------------------------------------------------------------
Processname      Pid    Jail-ID  Flags   Max-caps   SCD-get  SCD-mod  Jail-IP
ntpd             7337   7        1539    50349250   0        6291491  0.0.0.0
dmeventd         7281   6        1537    -1         0        2113536  0.0.0.0
cupsd            7103   3        1546    -1         0        32       0.0.0.0
dhcpd            7224   5        67083   271555     0        0        0.0.0.0
pickup           3286   8        67073   -1         0        32       0.0.0.0
qemu-system-x86  3704   28       71178   16855238   0        32       0.0.0.0
master           7441   8        67073   -1         0        32       0.0.0.0
smbd             7560   10       1538    17302752   0        32       0.0.0.0
qemu-system-x86  29614  26       71178   16855238   0        32       0.0.0.0
qmgr             7448   8        67073   -1         0        32       0.0.0.0
nmbd             7561   11       1538    17302752   0        32       0.0.0.0
syslog-ng        11370  13       40448   -1         0        0        0.0.0.0
cron             11428  14       71168   -1         0        32       0.0.0.0
pdnsd            12945  16       71176   17310912   262144   16416    0.0.0.0
qemu-system-x86  25748  23       71178   16855238   0        32       0.0.0.0
qemu-system-x86  26053  24       71178   16855238   0        32       0.0.0.0
portmap          6242   2        1537    -1         0        0        0.0.0.0
smbd             7556   10       1538    17302752   0        32       0.0.0.0
--------------------------------------------------------------------------------
It took 0.94s seconds.
</code>
Fixme: convert the numbers into readable names.
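Towards that Fixme: the Max-caps column is the jail's maximum Linux capability set as a bitmask, bit n being capability number n from <linux/capability.h>, and -1 means every bit is set. The following is an added example (my code, not part of ps-jail.py or this page) that decodes that column and parses the table above; run against a qemu-system-x86 row it yields exactly the eight capabilities listed in kvm-jail-config, which confirms the reading. Flags, SCD-get and SCD-mod are RSBAC-specific bitmasks whose bit assignments are not on this page, so they are left numeric. The sample rows are copied from the listing above.

```python
# Linux capability numbers, list index = bit position (<linux/capability.h>).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid",
    "kill", "setgid", "setuid", "setpcap", "linux_immutable",
    "net_bind_service", "net_broadcast", "net_admin", "net_raw",
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot",
    "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease",
    "audit_write", "audit_control", "setfcap", "mac_override", "mac_admin",
]


def decode_caps(value):
    """Translate a Max-caps bitmask into capability names, in bit order.

    -1 (all bits set) means the jail does not restrict capabilities at all,
    as for dmeventd, cupsd or cron in the listing above.
    """
    if value < 0:
        return ["ALL"]
    names = []
    for bit in range(value.bit_length()):
        if (value >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def parse_ps_jail(text):
    """Parse ps-jail.py output into dicts, with Max-caps decoded.

    Header, separator and timing lines are skipped: a data row has exactly
    eight whitespace-separated fields and a numeric pid in the second one.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[1].isdigit():
            continue
        name, pid, jail_id, flags, max_caps, scd_get, scd_mod, ip = parts
        rows.append({
            "name": name,
            "pid": int(pid),
            "jail_id": int(jail_id),
            "flags": int(flags),                 # RSBAC jail flags, left numeric
            "max_caps": decode_caps(int(max_caps)),
            "scd_get": int(scd_get),             # RSBAC SCD masks, left numeric
            "scd_mod": int(scd_mod),
            "jail_ip": ip,
        })
    return rows


# Rows copied from the ps-jail.py listing above (the page's own data).
PS_JAIL_SAMPLE = """\
Processname Pid Jail-ID Flags Max-caps SCD-get SCD-mod Jail-IP
ntpd 7337 7 1539 50349250 0 6291491 0.0.0.0
dmeventd 7281 6 1537 -1 0 2113536 0.0.0.0
qemu-system-x86 3704 28 71178 16855238 0 32 0.0.0.0
--------------------------------------------------------------------------------
It took 0.94s seconds.
"""

if __name__ == "__main__":
    for row in parse_ps_jail(PS_JAIL_SAMPLE):
        print(f"{row['name']:16} jail {row['jail_id']:3}  "
              f"caps: {', '.join(row['max_caps'])}")
```

Pipe the real `./ps-jail.py` output into parse_ps_jail() to check every jail's capability ceiling against what its definition file intended; a -1 on a daemon that should be confined is the first thing this makes visible.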
+ | |||
+ | [[wiki:experiences/igraltist/kvm_guest_jail#Start kvmguest with rsbac_jail|Top]] | ||
+ | |||