[PATCH] security: Use org namespace for xattrs on macOS

Roman Bolshakov r.bolshakov at yadro.com
Sun Nov 1 12:40:43 UTC 2020


On Thu, Oct 29, 2020 at 03:23:46PM +0100, Michal Privoznik wrote:
> On 10/29/20 2:36 PM, Andrea Bolognani wrote:
> > On Thu, 2020-10-29 at 12:18 +0100, Michal Privoznik wrote:
> 
> > 
> > I'm not very familiar with security drivers but I guess the question
> > is: are xattrs a critical part of the security story, without which
> > no isolation is possible at all, or is it conceivable to have
> > security drivers that provide some amount of protection on macOS even
> > though they can't go as far as they can on Linux and FreeBSD?
> 
> The way seclabel remembering works is whenever libvirt wants to
> chown()/setfilecon() the current owner/SELinux label is recorded into XATTRs
> [1] and then on restore we look into these XATTRs and restore to the owner
> stored there. With this it is easy to see that if XATTRs were editable by a
> regular user it is very simple to trick libvirt into changing the owner of a
> file. As easy as:
> 
> 1) start a vm with /etc/shadow as a disk

But if you don't run libvirt under root, would there be an issue?

> 2) modify XATTRs so that the original owner recorded is "michal:michal"
> 3) kill the vm
> 4) profit
> 
> Now, in Linux and BSD XATTRs must have a prefix. In Linux there are four:
> 
>  *  user - can be modified by anybody,
>  *  system - used by ACLs
>  *  security - used by SELinux
>  *  trusted - accessibly by CAP_SYS_ADMIN processes only
> 
> and in BSD there are only two:
> 
>  *  user - can be modified by anybody,
>  *  system - accessible by CAP_SYS_ADMIN processes only
> 
> 
> That is why on linux we use "trusted" and on BSD we use "system".
> Therefore, on any new system we must use something equivalent. What is the
> equivalent on macOS? Does it even have namespaces (as in a subset that is
> modifiable only by a CAP_SYS_ADMIN process)?
> 

There's no notion of CAP_SYS_ADMIN and zones/jails/namespaces on macOS.
The closest equivalent of Linux namespaces with regards to security are
app sandboxes [1]. It's possible to write sophisticated Lisp-like rules
that restrict an app as much as possible, then run it in a sandbox with
the rules provided.  Apple's applications, Firefox [2] and Chromium [3]
heavily use the feature.

1. https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
2. https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicyContent.h
3. https://source.chromium.org/chromium/chromium/src/+/master:sandbox/policy/mac/common.sb

Thanks,
Roman
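The forgery sequence Michal describes above, worked through as an added example (not libvirt code, and not part of this thread). The kernel, the file and the xattrs are in-memory stand-ins so it runs unprivileged anywhere; the namespace rules are modelled on Linux semantics (user.* writable by whoever may write the file, trusted.* only by a process holding CAP_SYS_ADMIN), the attribute name libvirt.security.dac and the qemu uid are assumptions of mine, and the attacker is taken to be the process that owns the disk file after libvirt's chown (the position a compromised QEMU would be in):

```python
"""Model of xattr-based "seclabel remembering" and why the namespace matters.

Added example, not libvirt code. Kernel, inode and xattrs are in-memory
stand-ins; the permission rules below are a simplified model of Linux:
  user.*     writable by anyone who may write the file (owner or root)
  trusted.*  writable only by a process holding CAP_SYS_ADMIN
"""
from dataclasses import dataclass, field

CAP_SYS_ADMIN = "CAP_SYS_ADMIN"
QEMU_UID = 107  # constructed uid for the qemu user (assumption)


@dataclass
class Proc:
    uid: int
    caps: frozenset = frozenset()


@dataclass
class Inode:
    owner: int
    xattrs: dict = field(default_factory=dict)


def setxattr(proc, ino, name, value):
    """Modelled setxattr(2): enforce the per-namespace access rule."""
    ns = name.split(".", 1)[0]
    if ns == "user":
        if proc.uid not in (0, ino.owner):
            raise PermissionError(f"{name}: no write access to file")
    elif ns == "trusted":
        if CAP_SYS_ADMIN not in proc.caps:
            raise PermissionError(f"{name}: CAP_SYS_ADMIN required")
    else:
        raise ValueError(f"{name}: namespace not modelled")
    ino.xattrs[name] = value


def getxattr(ino, name):
    return ino.xattrs[name]


class SecurityDriver:
    """Record the original owner in an xattr before chown(), restore from it after.

    Runs as root with CAP_SYS_ADMIN, like the libvirt daemon. The attribute
    name is an assumption modelled on libvirt's "<ns>.libvirt.security.*".
    """

    def __init__(self, ns):
        self.attr = f"{ns}.libvirt.security.dac"
        self.proc = Proc(uid=0, caps=frozenset({CAP_SYS_ADMIN}))

    def set_owner(self, ino, new_owner):
        setxattr(self.proc, ino, self.attr, str(ino.owner))  # remember
        ino.owner = new_owner                                 # chown()

    def restore_owner(self, ino):
        ino.owner = int(getxattr(ino, self.attr))  # trusts whatever is stored
        del ino.xattrs[self.attr]


def run_scenario(ns, attacker_uid=1000):
    """Steps 1-4 from the mail. Returns (forgery_succeeded, final_owner)."""
    shadow = Inode(owner=0)                # stands in for /etc/shadow (root:root)
    drv = SecurityDriver(ns)
    drv.set_owner(shadow, QEMU_UID)        # 1) VM start: libvirt chowns disk to qemu
    attacker = Proc(uid=QEMU_UID)          # 2) process owning the file (e.g. QEMU) forges the record
    try:
        setxattr(attacker, shadow, drv.attr, str(attacker_uid))
        forged = True
    except PermissionError:
        forged = False
    drv.restore_owner(shadow)              # 3) VM stop: libvirt restores the recorded owner
    return forged, shadow.owner            # 4) who owns /etc/shadow now?


if __name__ == "__main__":
    for ns in ("user", "trusted"):
        forged, owner = run_scenario(ns)
        print(f"{ns:8s} forged={forged!s:5s} final owner uid={owner}")
```

With the "user" namespace the file ends up owned by the attacker's uid; with "trusted" the forgery is refused and the restore puts root back. On a real Linux box the same distinction is visible with `os.setxattr(path, "trusted.foo", b"x")` as an unprivileged user, which fails with EPERM, while a `user.foo` attribute on a file you can write succeeds.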



