1 |
It is that "little more effort" that displays the main challenge for us: |
2 |
resources (human resources) that can contribute on these levels with a |
3 |
sufficiently continuous stream of dedication/time commitments. |
4 |
|
5 |
In my real-life job I already tell others that you can only support a |
6 |
technology if you can name 3 people that are supporting it (with all the |
7 |
rights and accesses they need). Holidays, sickness or other time |
8 |
constraints make it that you can't do with less. |
9 |
|
10 |
The same holds for Gentoo Hardened subprojects. |
11 |
|
12 |
I welcome all new ideas and suggestions but it would be even more awesome |
13 |
if they come with people taking initiative to work on them. |
14 |
|
15 |
Wkr |
16 |
Sven |
17 |
On Mar 4, 2013 5:09 AM, "Walter Stanish" <walter@×××××.sh> wrote: |
18 |
|
19 |
> Hi there, |
20 |
> |
21 |
> Not really wanting to make a habit of ideas-only posts, here's another |
22 |
> ideas-only post! Apologies if this is well answered somewhere else, |
23 |
> but I haven't found anything suitable. |
24 |
> |
25 |
> Given observations that: |
26 |
> (1) A significant part of the Gentoo Hardened project seems to be |
27 |
> related to policy-based sandboxing of one kind or another. |
28 |
> (2) OpenRC has incorporated cgroups for some time. |
29 |
> (3) Fedora has recently begun to distribute the new libvirt-sandbox |
30 |
> tool, which despite using the rather clunky* libvirt apparently has |
31 |
> lightweight (LXC) support ... see |
32 |
> |
33 |
> https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/ |
34 |
> (announcement) and http://libvirt.org/git/?p=libvirt-sandbox.git |
35 |
> (code) |
36 |
> (4) Heavier virtualization of server infrastructure is becoming the norm |
37 |
> (5) At some point in the future LXC containers should relatively |
38 |
> viable as security containers (like now: with user namespace complete |
39 |
> in the latest kernel series) |
40 |
> (6) Sandboxing is of use not only from a direct |
41 |
> access-control/permissions perspective, but also a |
42 |
> (availability-challenge related) resource utilization perspective, and |
43 |
> that this element is becoming more important with increasing use of |
44 |
> virtualization. |
45 |
> |
46 |
> It might make sense to take a look at the policy types and limitations |
47 |
> of various approaches to the problem space in use right now, and where |
48 |
> this is all going. |
49 |
> |
50 |
> Key elements seem to be: |
51 |
> (1) Kernel-based RBAC or other security policy toolkits, applying to |
52 |
> the system as a whole (excluding app-level policies for the moment). |
53 |
> (2) Network virtualization using network namespaces (not excluding |
54 |
> the more complex end of the spectrum, eg. Open vSwitch type setups: |
55 |
> http://openvswitch.org/) with sandboxing achieved via a combination of |
56 |
> network logical segmentation, firewalling policies, etc. |
57 |
> (3) General-use sandboxing within build processes (portage, etc.) |
58 |
> (4) Execution-time daemon-level sandboxing (SELinux policies, |
59 |
> chroots, possible use of containers, etc.) |
60 |
> |
61 |
> Connecting to all this again, to further complicate matters, and |
62 |
> potentially exceptionally useful, is the notion of automated |
63 |
> (regression/resource/performance) testing. |
64 |
> |
65 |
> I can't seem to shake the idea that some group or other (maybe not the |
66 |
> hardened project, but definitely of relevance here) could potentially |
67 |
> contribute to some combination of: |
68 |
> (a) Encouraging OpenRC to implement some form of open daemon-specific |
69 |
> policy-integration that enabled sufficiently descriptive policies |
70 |
> (such that SELinux, grsec, chroot, LXC, or other security and resource |
71 |
> policy-implementation engines could be swapped in and out on a |
72 |
> per-daemon basis.) |
73 |
> (b) Encouraging Portage to make use of additional sandboxing |
74 |
> capabilities, in a pluggable mechanism that matched OpenRC daemon |
75 |
> swappable-engine functionality as per (a). |
76 |
> (c) Encouraging Portage to make use of automated testing facilities |
77 |
> enabled by such a library, with regards to the addition of enhanced |
78 |
> policies for the description of network connectivity requirements and |
79 |
> other such 'sandbox-external' runtime requirements that ebuilds are |
80 |
> presently functionally incapable of specifying. |
81 |
> (d) Building a security and resource policy library could be somehow |
82 |
> attached to the portage tree in support of points (a) and (b), above. |
83 |
> |
84 |
> Since (d) is the Gentoo Hardened project's rough domain at present, |
85 |
> encouraging some form of integration and extension of existing |
86 |
> capabilities, eg. by incorporating requisite virtualized |
87 |
> network-environment and extra-sandbox-dependency (eg. external service |
88 |
> dependency) parameters, might be useful to ponder. |
89 |
> |
90 |
> Real world problems that can potentially be (somewhat or completely) |
91 |
> automatically resolved but are presently left hanging: |
92 |
> - Resource-side (management context: capacity planning, security |
93 |
> context: availability) .. any cgroup resource: |
94 |
> - Is there a hard limit to the amount of a certain resource (eg. |
95 |
> CPU, memory, IO bandwidth, # network interfaces, etc.) to which a |
96 |
> given daemon can scale? |
97 |
> - What is the ROI profile for additional resources vs. some |
98 |
> measurable metric of eg. response time/maximum transactions-per-second |
99 |
> scalability? |
100 |
> - Is there any benefit in guaranteeing any kind of resource (eg. |
101 |
> CPU, memory, IO bandwidth, network bandwidth, etc.) to this daemon? |
102 |
> - Security-side |
103 |
> - Does killing network connectivity affect the daemon (ie. can I |
104 |
> deny network access without issue?) |
105 |
> - Training of anomaly-based NIDS (based upon instituting network |
106 |
> traffic test-loads on the daemon, assignment of a NIDS virtualized |
107 |
> network segment) |
108 |
> - Generation of protocol(s) or ports does the daemon require |
109 |
> |
110 |
> I think Gentoo has the capacity to provide some pretty leading |
111 |
> features in this space, with a little more effort. |
112 |
> |
113 |
> Smiles from the jungles of Zomia, |
114 |
> Walter |
115 |
> |
116 |
> |