On 26 November 2010 04:07, Jeff Victor <jeff.j.vic...@gmail.com> wrote:
> On Thu, Nov 25, 2010 at 9:21 AM, Petr Benes <petr...@gmail.com> wrote:
>>> Limit the damage if the Zone's VBox application is somehow
>>> subverted by the guest OS.
>> There are VBox modules in the kernel and the containers framework
>> can't stop misbehavior in kernelspace.
> The use of kernel modules in VBox doesn't weaken the security of
> Zones. Other software accessible in a zone ultimately uses kernel
> modules. Gaining unfettered control over kernel space is the hard
> part. In any case, please see more detail below.
>>> Beyond security, running VBox in a Zone allows you to make
>>> use of Zone Resource Controls and Crossbow networking.
>>> Cool stuff!
>> No question about cool features. My concern is if running VBox in a
>> local zone has any security advantage regarding an evil guest over
>> running it in the global one. And if so, why?
> Because all processes running in a zone run with a reduced privilege
> set, compared to processes running in the global zone. For example, a
> process in a zone cannot have the proc_zone privilege, so a process in
> one zone cannot send a signal to another process. Also, by default, a
> process in a zone does not have the sys_time privilege, so it cannot
> change the system's time clock. (The global zone administrator can
> give the sys_time privilege to one or more zones, after which they
> would be able to change the system's time clock.) See the man page
How could a guest inside the VBox use any of these features?
All privileged stuff is done via /dev/vbox* you granted the zone
to access if I got it correctly.
> Is the security framework of Zones good enough? An independent
> security certification gave Solaris Trusted Extensions (which uses
> Zones to compartmentalize information) a rating of EAL4+ with three
> different profiles - the highest rating achieved by a general purpose
> operating system.
> For more information on security and Solaris Zones, please read the
> paper "Understanding the Security Capabilities of Solaris Zones"
> written by Glenn Brunette and myself:
That's actually a bit different use and will be plausible only after
VBox will be certified to
run under trusted zones.
zones-discuss mailing list