------- Original Message -------
On 13 August 2018 1:47 AM, Martin Lucina <mar...@lucina.net> wrote:

> Hi Adam,
>
> apologies for the delayed reply, I've been on vacation.
>
> On Sunday, 22.07.2018 at 22:36, Adam Steen wrote:
>
> > Hi All,
> > After a quick discussion with Hannes and attempting to implement coredump 
> > on OpenBSD[1], I found there was no easy way to determine if use_coredump 
> > was true, i.e. coredump was enabled.
> > I had to remove a tight pledge, privilege drop and chroot just to enable 
> > coredump; I wasn't sure it was worth it. Hannes suggested turning the 
> > security changes on or off if coredump was enabled, but we both couldn't 
> > find an easy way to do this.
> > So I am posting here to get the discussion started about what we can do to 
> > make this easier.
> > The only thing I could come up with, with the current code, was to disable 
> > the security if the dumpcore module was compiled in (available). See [2] and 
> > [3].
> > I wanted to raise this discussion not around my coredump code but about 
> > determining which module(s) are enabled in the ukvm main/system code.
>
> This is a good question. With the current model of determining modules to
> enable at compile time, I would use the same approach for determining
> whether or not to "drop privileges" (not sure what best to call this
> functionality, suggestions please?).
>
> Specifically:
>
> 1.  Add a compile-time #define, e.g. UKVM_DROP_PRIVILEGES. In a suitable
>     header, say ukvm/ukvm.h since that is included by all modules, define this
>     to 1 if not already defined. I.e. default to dropping privileges.
>
> 2.  ukvm-configure can then manually add -DUKVM_DROP_PRIVILEGES=0 to CFLAGS
>     if dumpcore has been requested.
>
> 3.  If UKVM_DROP_PRIVILEGES=1, you get the current behaviour in your code.
> 4.  If UKVM_DROP_PRIVILEGES=0, privilege dropping is disabled AND ukvm
>     prints a stern warning to this effect at startup, including something
>     about not being recommended for production, etc.
>
> Separately from this, and with a view to adding some amount of privilege
> dropping by default on other systems besides OpenBSD, I think that:
>
> 5.  The privilege dropping code should be moved into its own top-level
>     function, e.g. ukvm_hv_drop_privileges(), which goes into ukvm_hv_<os>.c.
>
> 6.  This function is clearly called from ukvm/ukvm_main.c, just before
>     entering the VCPU loop(?). This would also be where the #if printing the
>     warning if disabled (see (4) above) goes.
>
> As for what privileges should exactly be dropped on other OSes by default,
> I need to think about that a bit more and will follow up during the week.
> However, this should be enough to get you started.
>
> Would this approach work for you? Any other opinions?
>
> Cheers,
>
> -mato

This approach works really well, I like it!

I hope to have something along these lines this week!

Cheers,
Adam
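A runnable sketch of the build-time switch proposed in the quoted message, added here as an illustration and not ukvm's own code: the names UKVM_DROP_PRIVILEGES and ukvm_hv_drop_privileges() follow the proposal, while the body of the privilege drop is an assumed portable stand-in (lowering RLIMIT_CORE to 0, which is also what makes core dumps impossible) in place of the OpenBSD pledge/chroot calls, and ukvm_startup_privileges() stands in for the call site in ukvm_main.c.

```c
#include <stdio.h>
#include <sys/resource.h>

/* ukvm.h-style default: drop privileges unless the build says otherwise.
 * ukvm-configure would add -DUKVM_DROP_PRIVILEGES=0 to CFLAGS when the
 * dumpcore module is requested (constructed after the proposal). */
#ifndef UKVM_DROP_PRIVILEGES
#define UKVM_DROP_PRIVILEGES 1
#endif

/* Stand-in for the per-OS function in ukvm_hv_<os>.c. On OpenBSD this is
 * where pledge(2)/chroot(2) would go; here (assumption) it only sets the
 * core-file size limit to 0 so the example runs on any POSIX system.
 * Returns 0 on success, -1 on failure. */
int ukvm_hv_drop_privileges(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Startup path as ukvm_main.c would run it just before the VCPU loop.
 * Returns 1 if privileges were dropped, 0 if dropping is compiled out
 * (and the warning was printed), -1 if dropping failed (should be fatal). */
int ukvm_startup_privileges(FILE *log)
{
#if UKVM_DROP_PRIVILEGES
    if (ukvm_hv_drop_privileges() != 0) {
        fprintf(log, "ukvm: could not drop privileges\n");
        return -1;
    }
    return 1;
#else
    fprintf(log, "ukvm: WARNING: privilege dropping disabled at build time "
                 "(dumpcore enabled); not recommended for production\n");
    return 0;
#endif
}

/* Current soft core-file limit, kept in a function so the effect of the
 * drop can be checked as a return value. Returns -1 on error. */
long ukvm_core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return (long)rl.rlim_cur;
}

int main(void)
{
    int r = ukvm_startup_privileges(stderr);
    printf("privileges dropped: %s (core limit now %ld)\n",
           r == 1 ? "yes" : r == 0 ? "no (build switch)" : "FAILED",
           ukvm_core_limit());
    return r < 0;
}
```

Build with -DUKVM_DROP_PRIVILEGES=0 to see the warning path; the default build drops privileges silently.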