Namespaces for security, Jake Edge, LWN.net, jake@lwn.net (PowerPoint presentation, Embedded Linux Conference, San Francisco, February 21, 2013)


SLIDE 1

Namespaces for security

Jake Edge, LWN.net, jake@lwn.net Embedded Linux Conference, San Francisco February 21, 2013

SLIDE 2

February 21, 2013 Embedded Linux Conference 2013 Jake Edge, LWN.net

What are we going to be talking about?

  • Threats
  • Effects
  • Defenses
  • Namespaces
  • Types of namespaces
  • Creating namespaces
  • Using namespaces
  • Examples

SLIDE 3

What kinds of threats are we talking about?

  • Mass attacks
  • Network-facing services
  • Network clients
  • DNS cache poisoning
  • Web application flaws
  • Cross-site attacks
  • ...

SLIDE 4

What are the effects of typical attacks?

  • Service account compromise
    – Can perform any action the service could do
      • Network, filesystems, processes
  • Network access
    – Spam, DDoS, Botnet
  • Filesystem access
    – Confidential information, config settings
  • Process access
    – ptrace(), kill()
  • Privilege escalation

SLIDE 5

How do we normally avoid those threats?

  • Unix permissions
  • Users and groups
  • Mandatory access control (MAC)
  • Capabilities (CAP_SYS_ADMIN, CAP_NET_ADMIN, ...)
  • Seccomp sandbox
  • ...

SLIDE 6

Namespaces

  • Mechanism to partition global resources
  • Provides invisibility
  • Lightweight virtualization
  • Containers
  • Testing, debugging
  • Security

SLIDE 7

Types of namespaces

  • UTS – Unix timesharing (host and domain name)
  • Mount
  • Processes (PID)
  • Inter-process communication (IPC)
  • Networking
  • User

SLIDE 8

Namespace kernel configuration

  • General setup → Namespaces support
  • CONFIG_NAMESPACES, CONFIG_UTS_NS, CONFIG_NET_NS, ...
  • As of 3.8, CONFIG_USER_NS depends on network filesystems being turned off

SLIDE 9

Creating namespaces

  • clone(), unshare(), setns() system calls
  • CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWPID, CLONE_NEWNET, CLONE_NEWIPC, CLONE_NEWUSER
  • clone() – starts a new process in new namespace(s)
  • unshare() – creates new namespace(s) without a new process, adds current process to them
  • setns() – join an existing namespace
  • systemd-nspawn – useful for noodling with namespaces, source code is useful too

SLIDE 10

PID and mount namespaces

[Diagram: the root namespace, rooted at /, with PIDs 1, 37, 238, 249, 444, 445, 999, ...; a child namespace rooted at /srv/sid with its own PID numbering (1 ... 12) and its own /proc and /tmp; a ps ax listing and an init process shown on each side]

SLIDE 11

Using namespaces

  • /proc/PID/ns/{mnt pid uts ipc net user}
  • References the namespaces
  • Can be passed to setns()
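Added example covering slide 9 (creating namespaces with clone()) and this slide (the /proc/PID/ns links); it is my own code, not from the talk. The parent clone()s a child with CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID; the child sets a hostname and reports its getpid(), and the parent then stat()s /proc/self/ns/* and /proc/<child>/ns/* to confirm that the two processes really sit in different UTS and PID namespaces. The function names, the "sandbox" hostname and the pipe protocol are my choices; CLONE_NEWUSER is added so the program runs without root, and where the kernel refuses that (CONFIG_USER_NS off, unprivileged user namespaces disabled, a seccomp filter) it reports the errno instead of failing silently.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#define STACK_SIZE (256 * 1024)
enum { RPT_R, RPT_W, GO_R, GO_W };               /* pipe ends shared with the child */
struct child_report { pid_t pid_in_ns; char hostname[64]; };  /* the child's view */

struct demo_result {
    pid_t child_pid_outside, child_pid_inside;    /* as the parent / the child sees it */
    char child_hostname[64], parent_hostname[64]; /* UTS view inside / outside */
    int uts_shared, pid_shared;  /* shares_namespace_with_self(): 0 = separate */
};

static int child_main(void *arg)  /* first process of the new namespaces */
{
    int *fd = arg;
    struct child_report r = { 0 };
    char c;
    close(fd[RPT_R]); close(fd[GO_W]);
    /* The creator of a user namespace has CAP_SYS_ADMIN in it, and the new UTS
       namespace is owned by that user namespace, so no real root is needed. */
    if (sethostname("sandbox", 7) == 0)
        gethostname(r.hostname, sizeof r.hostname);
    r.pid_in_ns = getpid();                       /* 1: we are init of the new PID ns */
    if (write(fd[RPT_W], &r, sizeof r) != (ssize_t)sizeof r)
        return 1;
    return read(fd[GO_R], &c, 1) < 0;             /* wait until the parent is done */
}

/* Each /proc/PID/ns/* link resolves to one inode per namespace, so two
   processes share a namespace exactly when their links agree. Returns 1 if
   process pid shares namespace ns with us, 0 if not, -errno if unreadable. */
int shares_namespace_with_self(pid_t pid, const char *ns)
{
    char path[64];
    struct stat mine, theirs;

    snprintf(path, sizeof path, "/proc/self/ns/%s", ns);
    if (stat(path, &mine) != 0)
        return -errno;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns);
    if (stat(path, &theirs) != 0)
        return -errno;
    return mine.st_dev == theirs.st_dev && mine.st_ino == theirs.st_ino;
}

/* clone() a child into new user, UTS and PID namespaces and record what each
   side sees. Returns 0 on success, -errno if the kernel refuses the namespaces
   (CONFIG_USER_NS off, unprivileged user namespaces disabled, seccomp, ...). */
int run_namespace_demo(struct demo_result *res)
{
    int fd[4] = { -1, -1, -1, -1 }, i, err = 0;
    struct child_report r;
    char *stack = malloc(STACK_SIZE);
    pid_t child = -1;
    memset(res, 0, sizeof *res);
    if (stack == NULL || pipe(fd + RPT_R) != 0 || pipe(fd + GO_R) != 0 ||
        (child = clone(child_main, stack + STACK_SIZE,
                       CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID | SIGCHLD, fd)) == -1) {
        err = errno;
        goto out;
    }
    close(fd[RPT_W]); close(fd[GO_R]);            /* the child's ends */
    fd[RPT_W] = fd[GO_R] = -1;
    if (read(fd[RPT_R], &r, sizeof r) != (ssize_t)sizeof r) {
        err = EIO;
    } else {
        res->child_pid_outside = child;
        res->child_pid_inside = r.pid_in_ns;
        snprintf(res->child_hostname, sizeof res->child_hostname, "%s", r.hostname);
        gethostname(res->parent_hostname, sizeof res->parent_hostname);
        res->uts_shared = shares_namespace_with_self(child, "uts");
        res->pid_shared = shares_namespace_with_self(child, "pid");
    }
out:
    for (i = 0; i < 4; i++)                       /* closing GO_W releases the child */
        if (fd[i] >= 0) close(fd[i]);
    if (child != -1)
        waitpid(child, NULL, 0);
    free(stack);
    return -err;
}

int main(void)
{
    struct demo_result res;
    int rc = run_namespace_demo(&res);
    if (rc < 0) { fprintf(stderr, "cannot create namespaces: %s\n", strerror(-rc)); return 1; }
    printf("PID %d outside / %d inside, hostname \"%s\" inside / \"%s\" outside, "
           "shares uts=%d pid=%d\n", (int)res.child_pid_outside, (int)res.child_pid_inside,
           res.child_hostname, res.parent_hostname, res.uts_shared, res.pid_shared);
    return 0;
}
```

The inode compared here is the number `ls -l /proc/PID/ns` prints in brackets, so the same check can be done by hand to verify that a sandboxed worker really runs in its own namespace. A descriptor opened on one of these links is what setns() takes; joining needs CAP_SYS_ADMIN both in the caller's own user namespace and in the one that owns the target namespace, which is why a plain user can inspect the child's links here but could not join its namespaces.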

SLIDE 12

Mount namespace propagation

  • Shared, slave, and private mounts

# mount --make-shared /
# mount --make-private /

  • Recursive variants

# mount --make-rslave /

  • Where do further mounts appear?
  • Shared propagates in both directions, slave only from the master to the slave, private doesn't share at all

SLIDE 13

Examples

  • Set up a mount namespace to run an update checker, allow RO access to the libraries it needs and give it a private /tmp
  • Run multiple instances of a web application in separate PID namespaces – they can't see each other
  • Combine mount and PID namespaces to isolate a web application (CMS in PHP, say) further
  • Set up a network namespace to run an httpd worker process – no access to the network if the process is compromised
  • Separate network namespaces for local network access vs. internet access – an internet-based compromise can't reach the LAN
  • ...
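Added example for slide 12's propagation settings and the private /tmp case in the first bullet above; it is my own code, not from the talk. A forked child calls unshare(CLONE_NEWUSER | CLONE_NEWNS), maps itself to root inside the new user namespace, performs the equivalent of `mount --make-rprivate /`, mounts a small tmpfs on a directory and creates a file in it; the parent then checks, in its own mount namespace, that none of this is visible. The function and enum names, the marker file and the `size=1m` option are my choices. CLONE_NEWUSER makes it run unprivileged; the kernel already turns shared mounts into slaves when a new mount namespace belongs to a new user namespace, so the explicit make-private step matters most in the root-only variant, where a mount made under a shared / propagates straight back to the parent unless propagation is cut first.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes of private_tmp_demo(). */
enum {
    DEMO_ISOLATED = 0,      /* the tmpfs was visible only inside the child's namespace */
    DEMO_LEAKED = 1,        /* the mount propagated back into the parent's namespace */
    DEMO_NS_REFUSED = 2,    /* kernel refused the namespaces (config, sysctl, seccomp) */
    DEMO_MOUNT_FAILED = 3,  /* namespaces were created but mount(2) failed */
    DEMO_ERROR = 4          /* fork/wait/file trouble unrelated to namespaces */
};

static int write_string(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    ssize_t n = fd < 0 ? -1 : write(fd, s, strlen(s));
    if (fd >= 0)
        close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Map our uid and gid to root inside the new user namespace. Without a mapping
   the kernel refuses to create files on a filesystem mounted from there. */
static int map_self_to_root(uid_t uid, gid_t gid)
{
    char line[64];
    snprintf(line, sizeof line, "0 %d 1\n", (int)uid);
    if (write_string("/proc/self/uid_map", line) != 0)
        return -1;
    if (write_string("/proc/self/setgroups", "deny\n") != 0)
        return -1;
    snprintf(line, sizeof line, "0 %d 1\n", (int)gid);
    return write_string("/proc/self/gid_map", line);
}

/* Child side: own user + mount namespace, propagation cut off, a fresh tmpfs
   on dir with a marker file in it. */
static int child_private_tmp(const char *dir, uid_t uid, gid_t gid)
{
    char marker[512];
    int fd;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0 || map_self_to_root(uid, gid) != 0)
        return DEMO_NS_REFUSED;
    /* "mount --make-rprivate /": the new namespace starts as a copy of the
       parent's mount tree, and where / is a shared mount a mount made here
       would otherwise propagate straight back to the parent. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return DEMO_MOUNT_FAILED;
    if (mount("tmpfs", dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC, "size=1m") != 0)
        return DEMO_MOUNT_FAILED;
    snprintf(marker, sizeof marker, "%s/marker", dir);
    fd = open(marker, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return DEMO_ERROR;
    close(fd);
    return DEMO_ISOLATED;
}

/* Give a forked child a private tmpfs on dir, then check from the parent's
   own mount namespace whether that mount stayed private. */
int private_tmp_demo(const char *dir)
{
    char marker[512];
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return DEMO_ERROR;
    if (pid == 0)
        _exit(child_private_tmp(dir, getuid(), getgid()));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return DEMO_ERROR;
    if (WEXITSTATUS(status) != DEMO_ISOLATED)
        return WEXITSTATUS(status);
    /* The child's mount namespace died with it. Had the tmpfs propagated into
       our namespace it would still be mounted here, marker included. */
    snprintf(marker, sizeof marker, "%s/marker", dir);
    return access(marker, F_OK) == 0 ? DEMO_LEAKED : DEMO_ISOLATED;
}

int main(void)
{
    static const char *names[] = { "isolated", "leaked", "namespaces refused",
                                   "mount failed", "error" };
    char tmpl[] = "/tmp/private-tmp-demo.XXXXXX";   /* constructed scratch dir */
    char *dir = mkdtemp(tmpl);
    int rc;
    if (dir == NULL) { perror("mkdtemp"); return 1; }
    rc = private_tmp_demo(dir);
    printf("%s: %s\n", dir, names[rc]);
    rmdir(dir);
    return rc == DEMO_ISOLATED ? 0 : 1;
}
```

The same pattern, with a bind mount of the library directories marked read-only (MS_BIND, then MS_REMOUNT | MS_BIND | MS_RDONLY) instead of the tmpfs, gives the update checker of the first bullet its read-only libraries and private /tmp; the marker check is the part worth keeping in a test suite, since a mount that silently propagates back to the host defeats the isolation without any error being reported.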

SLIDE 14

Further reading

  • Namespaces in operation series
    – http://lwn.net/Articles/531114/
  • Slides available on ELC site and at
    – http://lwn.net/talks/elc2013/