"Adding containers to the basic functionality of an init only improves things."

Adding a /etc/rc.d/jail script improves security ;-)

There are 2 things:

1. To add more functionality in the same tool increases complexity.

Complexity never increases security.

That is so obvious that it is hard to believe that someone would argue otherwise.

Do everything once, do not make it more complex as needed, and do it right.

2. Linux has cgroups and namespaces but some Linux design decisions are in the way of using them as _secure_ containers.

Procfs is an example of this. It is simply not designed with security in mind, and access to it is difficult to restrict.

Page 40 of http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security mentions it, says "needs to be fixed" and offers workarounds.

The spread of Docker in such an environment (which can only be described as "hopefully safe enough") is a worry.

FreeBSD jail(8) has been in use for many years and can be considered safe. The pitfalls are known, disabled in the default setup, well documented, and there are no "hopefully safe"s in it.

"Which is still a minor issue compared to web browsers, MUAs..."

They do not run on my servers, and they should not be an excuse to run other software which is overly complex because Russell considers it a "lesser evil" ;-)

To go to your own stuff, e.g. SELinux:

A jail script can be subject to SELinux policies so jails can be restricted that way. This would apply to all jails, and nothing else.

If this is part of a larger binary which does all of init: SELinux cannot be applied in a similar way.
 
Regards
Peter


On Wed, Aug 12, 2015 at 11:52 AM, Russell Coker <russell@coker.com.au> wrote:
On Mon, 10 Aug 2015 03:25:30 PM Peter Ross wrote:
> > Finally the vast majority of Linux systems are single user.  That means
> > Android phones/tablets and desktop PCs running GNOME, KDE, etc.
> > There is no need to compromise init.
>
> systemd takes care of Linux containers which provide or can provide
> user/application separation. A flaw in this leaves you with a false sense
> of security, in case you use it.

People say that about every improvement to Linux security.  But the usual case
is that people don't rely on such measures as a single level of security.
Usually Unix permissions are the first level and containers etc are only used
as a fallback.  This is different to the case where a jail is used instead of a
virtual machine.

Adding containers to the basic functionality of an init only improves things.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
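As an added example, not part of Peter's or Russell's mail and not Docker's or any project's own code: a POSIX shell check that reads a /proc/self/mountinfo listing and reports how procfs is restricted inside a container, which is the kind of "is this workaround actually applied here" check the thread leaves open. It reports whether /proc is its own proc mount, whether the kernel's hidepid option is set on it, and which of a list of sensitive paths have nothing mounted over them. The mountinfo lines below are constructed samples, and the list of sensitive paths is this example's own assumption, not a list taken from the thread or the cited slides.

```sh
#!/bin/sh
# Added example (not from the mail thread): inspect a /proc/self/mountinfo
# listing and report how procfs is restricted. The samples are constructed,
# and SENSITIVE_PROC_PATHS is an assumption of this example, not a list from
# the page or the cited slides.

# mountinfo layout (see proc(5)):
#   1 mount id, 2 parent id, 3 major:minor, 4 root, 5 mount point,
#   6 per-mount options, 7.. optional fields, then "-", fstype, source, super opts
SENSITIVE_PROC_PATHS="/proc/sys /proc/sysrq-trigger /proc/kcore"

# proc_report MOUNTINFO_TEXT
#   Prints "proc mounted <rw|ro> hidepid=N" for the /proc mount itself and
#   one "masked <path> <fstype> <rw|ro>" line per mount stacked on a /proc path
#   (a read-only bind, a tmpfs or a /dev/null bind over a proc file all show
#   up as such a stacked mount).
proc_report() {
    printf '%s\n' "$1" | awk '
    {
        mp = $5; opts = $6; fstype = ""; super = ""
        for (i = 7; i <= NF; i++)
            if ($i == "-") { fstype = $(i+1); super = $(i+3); break }
        ro = (("," opts ",") ~ /,ro,/) ? "ro" : "rw"
        if (mp == "/proc" && fstype == "proc") {
            hp = "hidepid=0"                 # kernel default when unset
            n = split(super, s, ",")
            for (j = 1; j <= n; j++) if (s[j] ~ /^hidepid=/) hp = s[j]
            print "proc mounted " ro " " hp
        } else if (mp ~ /^\/proc\//) {
            print "masked " mp " " fstype " " ro
        }
    }'
}

# proc_unmasked MOUNTINFO_TEXT
#   Prints each path in SENSITIVE_PROC_PATHS that has no mount stacked on it,
#   i.e. is reachable through the plain proc mount. Empty output is the goal.
proc_unmasked() {
    masked=$(printf '%s\n' "$1" | awk '$5 ~ /^\/proc\// { printf "%s ", $5 }')
    for p in $SENSITIVE_PROC_PATHS; do
        case " $masked " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Constructed sample: a container with a fresh /proc and nothing masked.
SAMPLE_BARE='30 20 0:40 / / rw,relatime - overlay overlay rw
31 30 0:41 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

# Constructed sample: the same container with /proc/sys bound read-only,
# /dev/null bound over two proc files, and hidepid=2 on the proc mount.
SAMPLE_HARDENED='30 20 0:40 / / rw,relatime - overlay overlay rw
31 30 0:41 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw,hidepid=2
32 31 0:41 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw,hidepid=2
33 31 0:5 /null /proc/sysrq-trigger ro,nosuid,noexec,relatime - devtmpfs udev rw,size=4k
34 31 0:5 /null /proc/kcore ro,nosuid,noexec,relatime - devtmpfs udev rw,size=4k'

if [ "${1:-}" = "--demo" ]; then
    echo "== bare =="; proc_report "$SAMPLE_BARE"; proc_unmasked "$SAMPLE_BARE"
    echo "== hardened =="; proc_report "$SAMPLE_HARDENED"; proc_unmasked "$SAMPLE_HARDENED"
fi
```

Inside a real container the same functions run against the live table, e.g. `proc_unmasked "$(cat /proc/self/mountinfo)"`; any path it prints is one the container can reach through its proc mount with whatever permissions the files carry, which is exactly the "hopefully safe enough" situation the mail objects to. Note that this only inspects mount topology: it says nothing about whether the process could remount or whether an LSM policy blocks the access.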