[PATCH] security: Use org namespace for xattrs on macOS
Roman Bolshakov
r.bolshakov at yadro.com
Sun Nov 1 12:40:43 UTC 2020
On Thu, Oct 29, 2020 at 03:23:46PM +0100, Michal Privoznik wrote:
> On 10/29/20 2:36 PM, Andrea Bolognani wrote:
> > On Thu, 2020-10-29 at 12:18 +0100, Michal Privoznik wrote:
>
> >
> > I'm not very familiar with security drivers but I guess the question
> > is: are xattrs a critical part of the security story, without which
> > no isolation is possible at all, or is it conceivable to have
> > security drivers that provide some amount of protection on macOS even
> > though they can't go as far as they can on Linux and FreeBSD?
>
> The way seclabel remembering works is whenever libvirt wants to
> chown()/setfilecon() the current owner/SELinux label is recorded into XATTRs
> [1] and then on restore we look into these XATTRs and restore to the owner
> stored there. With this it is easy to see that if XATTRs were editable by a
> regular user it is very simple to trick libvirt into changing the owner of a
> file. As easy as:
>
> 1) start a vm with /etc/shadow as a disk
But if you don't run libvirt under root, would there be an issue?
> 2) modify XATTRs so that the original owner recorded is "michal:michal"
> 3) kill the vm
> 4) profit
>
> Now, in Linux and BSD XATTRs must have a prefix. In Linux there are four:
>
> * user - can be modified by anybody,
> * system - used by ACLs
> * security - used by SELinux
> * trusted - accessible by CAP_SYS_ADMIN processes only
>
> and in BSD there are only two:
>
> * user - can be modified by anybody,
> * system - accessible by CAP_SYS_ADMIN processes only
>
>
> That is why on Linux we use "trusted" and on BSD we use "system".
> Therefore, on any new system we must use something equivalent. What is the
> equivalent on macOS? Does it even have namespaces (as in a subset that is
> modifiable only by a CAP_SYS_ADMIN process)?
>
There's no notion of CAP_SYS_ADMIN and zones/jails/namespaces on macOS.
The closest equivalent of Linux namespaces with regards to security are
app sandboxes [1]. It's possible to write sophisticated Lisp-like rules
that restrict an app as much as possible, then run it in a sandbox with
the rules provided. Apple's applications, Firefox [2] and Chromium [3]
heavily use the feature.
1. https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
2. https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicyContent.h
3. https://source.chromium.org/chromium/chromium/src/+/master:sandbox/policy/mac/common.sb
Thanks,
Roman
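The remember/restore flow and the namespace rules discussed in the quoted text, as an added example that is not libvirt's code: a pure-Python model in which a small stand-in for the kernel's xattr permission check decides who may write each namespace, and the four-step scenario from the thread is replayed once against a privileged namespace and once against "user". The xattr key name, the uids, the OS-to-namespace table and the in-memory File/Process classes are assumptions made for the illustration; the model covers only the namespaces the argument relies on (Linux "trusted", FreeBSD "system", and "user" on both) and leaves out "security" and Linux "system".

```python
"""Model of libvirt-style security-label remembering on top of xattr namespaces.

Added example, not libvirt's own code. A pure-Python simulation of the
per-namespace xattr permission rules described in the thread and of the
chown/record/restore flow built on them. Key name, uids and file names are
illustrative assumptions.
"""
import errno

# Only the distinction "anyone may write" vs "CAP_SYS_ADMIN only" matters
# for the security argument, so that is all this table models (assumption).
PRIVILEGED_NAMESPACES = {
    "linux": {"trusted"},
    "freebsd": {"system"},
}
UNPRIVILEGED_NAMESPACES = {"user"}

LABEL_KEY = "libvirt.security.dac"   # assumed key name, chosen for illustration


class Process:
    """Caller identity: uid plus whether it holds CAP_SYS_ADMIN."""
    def __init__(self, uid, cap_sys_admin=False):
        self.uid = uid
        self.cap_sys_admin = cap_sys_admin


class File:
    """In-memory stand-in for an inode: current owner plus xattr dictionary."""
    def __init__(self, owner_uid):
        self.owner_uid = owner_uid
        self.xattrs = {}


def _check_xattr_access(os_name, name, proc, write):
    """Stand-in for the kernel's per-namespace xattr permission check."""
    ns, sep, _ = name.partition(".")
    if not sep:
        raise OSError(errno.EOPNOTSUPP, "xattr names need a namespace prefix")
    if ns in UNPRIVILEGED_NAMESPACES:
        return
    if ns in PRIVILEGED_NAMESPACES[os_name]:
        if proc.cap_sys_admin:
            return
        # Mirrors Linux for trusted.*: EPERM on write, ENODATA on read.
        raise OSError(errno.EPERM if write else errno.ENODATA, name)
    raise OSError(errno.EOPNOTSUPP, f"unknown namespace {ns!r} on {os_name}")


def setxattr(os_name, f, name, value, proc):
    _check_xattr_access(os_name, name, proc, write=True)
    f.xattrs[name] = value


def getxattr(os_name, f, name, proc):
    _check_xattr_access(os_name, name, proc, write=False)
    if name not in f.xattrs:
        raise OSError(errno.ENODATA, name)
    return f.xattrs[name]


def remember_and_chown(os_name, ns, f, new_uid, libvirtd):
    """Record the current owner in <ns>.<LABEL_KEY>, then chown to new_uid."""
    setxattr(os_name, f, f"{ns}.{LABEL_KEY}", str(f.owner_uid).encode(), libvirtd)
    f.owner_uid = new_uid


def restore(os_name, ns, f, libvirtd):
    """Chown back to whatever owner the record says; the record is trusted."""
    recorded = int(getxattr(os_name, f, f"{ns}.{LABEL_KEY}", libvirtd).decode())
    f.owner_uid = recorded
    return recorded


def run_scenario(os_name, ns):
    """Replay the thread's steps 1-4 and return (record_was_forged, final_owner_uid)."""
    libvirtd = Process(uid=0, cap_sys_admin=True)
    attacker = Process(uid=1000)
    qemu_uid = 107                      # assumed uid of the qemu user
    shadow = File(owner_uid=0)          # stand-in for a root-owned /etc/shadow

    remember_and_chown(os_name, ns, shadow, qemu_uid, libvirtd)      # 1) start VM
    try:                                                              # 2) forge record
        setxattr(os_name, shadow, f"{ns}.{LABEL_KEY}", b"1000", attacker)
        forged = True
    except OSError as e:
        if e.errno != errno.EPERM:
            raise
        forged = False
    final_owner = restore(os_name, ns, shadow, libvirtd)             # 3) kill VM
    return forged, final_owner                                        # 4) who owns it now?


if __name__ == "__main__":
    for os_name, ns in [("linux", "trusted"), ("linux", "user"),
                        ("freebsd", "system"), ("freebsd", "user")]:
        forged, owner = run_scenario(os_name, ns)
        print(f"{os_name:8} {ns:8} forged={forged!s:5} final owner uid={owner}")
```

Running the script prints one line per (OS, namespace) pair; only the "user" rows end with the file owned by the attacker's uid, because that is the only namespace the unprivileged process was allowed to write. To see the same behaviour on a real Linux filesystem with xattr support, `setfattr -n user.test -v 1 some_file` succeeds as an ordinary user while `setfattr -n trusted.test -v 1 some_file` fails with "Operation not permitted".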