| 1 |
It is that "little more effort" that displays the main challenge for us: |
| 2 |
resources (human resources) that can contribute on these levels with a |
| 3 |
sufficiently continuous stream of dedication/time commitments. |
| 4 |
|
| 5 |
In my real-life job I already tell others that you can only support a |
| 6 |
technology if you can name 3 people that are supporting it (with all the |
| 7 |
rights and accesses they need). Holidays, sickness or other time |
| 8 |
constraints make it that you can't do with less. |
| 9 |
|
| 10 |
The same holds for Gentoo Hardened subprojects. |
| 11 |
|
| 12 |
I welcome all new ideas and suggestions but it would be even more awesome |
| 13 |
if they come with people taking initiative to work on them. |
| 14 |
|
| 15 |
Wkr |
| 16 |
Sven |
| 17 |
On Mar 4, 2013 5:09 AM, "Walter Stanish" <walter@×××××.sh> wrote: |
| 18 |
|
| 19 |
> Hi there, |
| 20 |
> |
| 21 |
> Not really wanting to make a habit of ideas-only posts, here's another |
| 22 |
> ideas-only post! Apologies if this is well answered somewhere else, |
| 23 |
> but I haven't found anything suitable. |
| 24 |
> |
| 25 |
> Given observations that: |
| 26 |
> (1) A significant part of the Gentoo Hardened project seems to be |
| 27 |
> related to policy-based sandboxing of one kind or another. |
| 28 |
> (2) OpenRC has incorporated cgroups for some time. |
| 29 |
> (3) Fedora has recently begun to distribute the new libvirt-sandbox |
| 30 |
> tool, which despite using the rather clunky* libvirt apparently has |
| 31 |
> lightweight (LXC) support ... see |
| 32 |
> |
| 33 |
> https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/ |
| 34 |
> (announcement) and http://libvirt.org/git/?p=libvirt-sandbox.git |
| 35 |
> (code) |
| 36 |
> (4) Heavier virtualization of server infrastructure is becoming the norm |
| 37 |
> (5) At some point in the future LXC containers should relatively |
| 38 |
> viable as security containers (like now: with user namespace complete |
| 39 |
> in the latest kernel series) |
| 40 |
> (6) Sandboxing is of use not only from a direct |
| 41 |
> access-control/permissions perspective, but also a |
| 42 |
> (availability-challenge related) resource utilization perspective, and |
| 43 |
> that this element is becoming more important with increasing use of |
| 44 |
> virtualization. |
| 45 |
> |
| 46 |
> It might make sense to take a look at the policy types and limitations |
| 47 |
> of various approaches to the problem space in use right now, and where |
| 48 |
> this is all going. |
| 49 |
> |
| 50 |
> Key elements seem to be: |
| 51 |
> (1) Kernel-based RBAC or other security policy toolkits, applying to |
| 52 |
> the system as a whole (excluding app-level policies for the moment). |
| 53 |
> (2) Network virtualization using network namespaces (not excluding |
| 54 |
> the more complex end of the spectrum, eg. Open vSwitch type setups: |
| 55 |
> http://openvswitch.org/) with sandboxing achieved via a combination of |
| 56 |
> network logical segmentation, firewalling policies, etc. |
| 57 |
> (3) General-use sandboxing within build processes (portage, etc.) |
| 58 |
> (4) Execution-time daemon-level sandboxing (SELinux policies, |
| 59 |
> chroots, possible use of containers, etc.) |
| 60 |
> |
| 61 |
> Connecting to all this again, to further complicate matters, and |
| 62 |
> potentially exceptionally useful, is the notion of automated |
| 63 |
> (regression/resource/performance) testing. |
| 64 |
> |
| 65 |
> I can't seem to shake the idea that some group or other (maybe not the |
| 66 |
> hardened project, but definitely of relevance here) could potentially |
| 67 |
> contribute to some combination of: |
| 68 |
> (a) Encouraging OpenRC to implement some form of open daemon-specific |
| 69 |
> policy-integration that enabled sufficiently descriptive policies |
| 70 |
> (such that SELinux, grsec, chroot, LXC, or other security and resource |
| 71 |
> policy-implementation engines could be swapped in and out on a |
| 72 |
> per-daemon basis.) |
| 73 |
> (b) Encouraging Portage to make use of additional sandboxing |
| 74 |
> capabilities, in a pluggable mechanism that matched OpenRC daemon |
| 75 |
> swappable-engine functionality as per (a). |
| 76 |
> (c) Encouraging Portage to make use of automated testing facilities |
| 77 |
> enabled by such a library, with regards to the addition of enhanced |
| 78 |
> policies for the description of network connectivity requirements and |
| 79 |
> other such 'sandbox-external' runtime requirements that ebuilds are |
| 80 |
> presently functionally incapable of specifying. |
| 81 |
> (d) Building a security and resource policy library could be somehow |
| 82 |
> attached to the portage tree in support of points (a) and (b), above. |
| 83 |
> |
| 84 |
> Since (d) is the Gentoo Hardened project's rough domain at present, |
| 85 |
> encouraging some form of integration and extension of existing |
| 86 |
> capabilities, eg. by incorporating requisite virtualized |
| 87 |
> network-environment and extra-sandbox-dependency (eg. external service |
| 88 |
> dependency) parameters, might be useful to ponder. |
| 89 |
> |
| 90 |
> Real world problems that can potentially be (somewhat or completely) |
| 91 |
> automatically resolved but are presently left hanging: |
| 92 |
> - Resource-side (management context: capacity planning, security |
| 93 |
> context: availability) .. any cgroup resource: |
| 94 |
> - Is there a hard limit to the amount of a certain resource (eg. |
| 95 |
> CPU, memory, IO bandwidth, # network interfaces, etc.) to which a |
| 96 |
> given daemon can scale? |
| 97 |
> - What is the ROI profile for additional resources vs. some |
| 98 |
> measurable metric of eg. response time/maximum transactions-per-second |
| 99 |
> scalability? |
| 100 |
> - Is there any benefit in guaranteeing any kind of resource (eg. |
| 101 |
> CPU, memory, IO bandwidth, network bandwidth, etc.) to this daemon? |
| 102 |
> - Security-side |
| 103 |
> - Does killing network connectivity affect the daemon (ie. can I |
| 104 |
> deny network access without issue?) |
| 105 |
> - Training of anomaly-based NIDS (based upon instituting network |
| 106 |
> traffic test-loads on the daemon, assignment of a NIDS virtualized |
| 107 |
> network segment) |
| 108 |
> - Generation of protocol(s) or ports does the daemon require |
| 109 |
> |
| 110 |
> I think Gentoo has the capacity to provide some pretty leading |
| 111 |
> features in this space, with a little more effort. |
| 112 |
> |
| 113 |
> Smiles from the jungles of Zomia, |
| 114 |
> Walter |
| 115 |
> |
| 116 |
> |
Archives