From: Yiannis
To: gentoo-hardened@lists.gentoo.org
Date: Tue, 11 Aug 2009 19:50:13 +0300
Subject: Re: [gentoo-hardened] virtualization with gentoo hardened
Message-ID: <20090811195013.638ebdab@mpismpirikos.tolises.homeunix.org>
In-Reply-To: <4A819466.4000603@wildgooses.com>
References: <20090808213543.260ad68f@mpismpirikos.tolises.homeunix.org> <4A819466.4000603@wildgooses.com>

On Tue, 11 Aug 2009 16:55:18 +0100 Ed W wrote:

> Yiannis wrote:
> > Hello,
> >
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of the linux-vserver project, which
> > has grsecurity integration, but as far as I remember does not play
> > well with RBAC. Anyone that has a similar working config?
>
> I use a hardened host (2.6.29) with vserver. Under this I run hardened
> guests. All of these are old style hardened (gcc 3.4.6, not the new
> gcc4 stuff). (As an aside, even uclibc+patches now seems to work ok on
> gcc4.4.1 + hardened, so I think it's about time we had a push to try
> and get the hardened profile to shuffle along a bit...)
>
> I am not currently using the RBAC features of grsec, but I don't
> immediately see a reason why they wouldn't work.... I guess it's
> possible they would need to be implemented in the host rather than
> the guest (which would feel a bit weird), but it should still work I
> guess...
>
> All other hardenings seem to work as advertised and generally
> speaking vserver is a nice lightweight, pseudo virtualisation which
> is often good enough for your needs... It's really just a slightly
> more fancy chroot system with some scripts around it and some
> additional hardening (and all the associated limitations). Xen, etc.
> are the way you want to go if you need full isolation. However,
> vserver allows you to more neatly overcommit machine resources and
> has a number of other advantages.
>
> Good luck
>
> Ed W

Hello Ed,

I used to have a box with the same setup as yours. As far as I remember I had some difficulties applying policies on guests from the host. I think I have seen an old patch on the linux-vserver.org site for gradm providing this functionality, but it was posted some years ago. It was abandoned and in a primitive state, so I didn't bother trying it.

The past two days I have been trying out lguest (with no luck yet) as an alternative to kvm, since my PCs are not VT-x capable. The reason that I prefer lguest (if it finally works) and kvm is that they are both in the mainline kernel, let alone the full isolation that you mentioned.

While googling a bit I read an article on IBM's site about Linux containers (LXC), which is supposed to finally land in the kernel. I think that this might be worth trying as opposed to linux-vserver.
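The message above rules out kvm because the machines lack VT-x. As an added example that is not part of this thread, the POSIX shell check below reads /proc/cpuinfo-style text and reports whether the CPU advertises hardware virtualization: the "vmx" flag (Intel VT-x) or "svm" (AMD-V), which KVM requires and which the container and paravirtual options discussed here (vserver, LXC, lguest) do not. The sample cpuinfo lines are constructed for the demonstration; the function names hw_virt_flag and kvm_ready are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads /proc/cpuinfo-style text on
# stdin and prints "vmx" (Intel VT-x), "svm" (AMD-V) or "none".
hw_virt_flag() {
  awk '
    /^flags[[:space:]]*:/ {
      # Compare whole tokens so a name like "vmx_ept" is not taken as "vmx".
      for (i = 2; i <= NF; i++)
        if ($i == "vmx" || $i == "svm") { found = $i; exit }
    }
    END { print (found == "" ? "none" : found) }
  '
}

# Succeeds only if the running host shows the CPU flag AND the kernel exposed
# /dev/kvm: firmware can disable VT-x/AMD-V even when the flag is present.
kvm_ready() {
  [ -r /proc/cpuinfo ] || return 1
  [ "$(hw_virt_flag < /proc/cpuinfo)" != none ] && [ -c /dev/kvm ]
}

# Constructed sample inputs (abbreviated flag lists, not real machines).
SAMPLE_INTEL='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 sep pge cmov clflush mmx sse sse2 ht nx lm vmx smx est ssse3'
SAMPLE_AMD='processor : 0
vendor_id : AuthenticAMD
flags : fpu vme de pse tsc msr pae mce cx8 sep pge cmov mmx sse sse2 ht nx lm svm extapic'
SAMPLE_OLD='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat pse36 clflush mmx sse sse2 ss ht tm'

for s in "$SAMPLE_INTEL" "$SAMPLE_AMD" "$SAMPLE_OLD"; do
  printf '%s\n' "$s" | hw_virt_flag
done
# prints: vmx, svm, none (one per line)

# Report on the host this script actually runs on, if /proc/cpuinfo exists.
if [ -r /proc/cpuinfo ]; then
  printf 'this host: %s\n' "$(hw_virt_flag < /proc/cpuinfo)"
  if kvm_ready; then echo 'kvm: usable'; else echo 'kvm: not usable'; fi
fi
```

A "none" result on a recent CPU usually means the feature is switched off in firmware rather than absent, which is why kvm_ready also checks for /dev/kvm before concluding that KVM is usable.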