VirtualBox/setuid binaries

Michael Thayer michael.thayer at oracle.com
Thu Nov 15 16:25:29 UTC 2018


15.11.18 16:29, Simon McVittie wrote:
> On Thu, 15 Nov 2018 at 15:32:14 +0100, Michael Thayer wrote:
>> The main reason that we provide
>> our own hypervisor in a kernel module.
> 
> Presumably that needs to come from the host system rather than from a
> Flatpak?
> 
> If so, you could potentially have part of VirtualBox exist outside the
> container/sandbox (the part that communicates with the kernel, etc.)
> and let the part of VirtualBox inside the container/sandbox interact
> with it (possibly communicating via D-Bus or AF_UNIX). That would mean
> only a small part of VirtualBox needs to be highly privileged.

Yes, that might be a solution - to provide VirtualBox as a Flatpak, but
have a set-up script which makes it available outside, possibly with a
forked version of bubblewrap which sets up the runtime but does not drop
privileges - a slightly more advanced version of what we talked about at
FOSDEM.  More complex things would be possible of course, but only if
people on the team find time to do them.

>> As an added security layer we only let root processes open
>> the hypervisor device, rather than giving a group access to it.  Our
>> main virtual machine process starts setuid root, opens the device and
>> possibly (would have to check) does a couple of other things like
>> opening a raw socket for ICMP, then drops privileges.
> 
> What added security does this provide for your users? If your main virtual
> machine process starts up as root, drops privileges, and accepts arbitrary
> configuration/UI actions from ordinary users, does that prevent ordinary
> users from manipulating the open hypervisor device in whatever dangerous
> way they wanted to?

It provides more security than giving a group access to the device and
letting any process owned by the user open it.  Of course, if the user
(or someone acting as them) can find a way to exploit VirtualBox then
they have access, but it is an additional layer, and of course we do our
best to prevent that.

Regards and thanks
Michael
-- 
Michael Thayer | VirtualBox engineer
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | D-71384 Weinstadt

ORACLE Deutschland B.V. & Co. KG
Head office: Riesstraße 25, D-80992 München
Registration court: Amtsgericht München, HRA 95603

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Chamber of Commerce Midden-Nederland, no. 30143697
Managing directors: Alexander van der Ven, Jan Schultheiss, Val Maher
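The sequence Michael describes above (start setuid root, open the hypervisor device, then drop privileges), as an added example that is not VirtualBox's own code: it opens the device while still privileged, drops to the invoking user's real uid/gid with setresuid/setresgid after clearing supplementary groups, and verifies the drop instead of trusting the calls. The device path is a stand-in (/dev/null) and the raw ICMP socket step is omitted.

```c
#define _GNU_SOURCE              /* setresuid/setresgid/setgroups on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the hypervisor device node (constructed for this example;
 * a real build would open the driver's own node under /dev). */
#define HYPERVISOR_DEV "/dev/null"

/* Open the device while still root. The kernel checks permission only at
 * open(2) time, so the descriptor stays usable after the privilege drop. */
int open_hypervisor_device(void)
{
    return open(HYPERVISOR_DEV, O_RDWR | O_CLOEXEC);
}

/* True iff real, effective and saved ids all equal the target user/group. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Drop root permanently: supplementary groups first, then gid, then uid,
 * setting all three ids so the saved uid cannot be used to regain root.
 * Callers pass getuid()/getgid(): the invoking user, even when setuid root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;            /* clearing the group list needs root */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return privileges_dropped(uid, gid) ? 0 : -1;  /* verify, don't assume */
}

/* Prove the descriptor obtained as root still works as the plain user. */
int fd_still_usable(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0;
}
```

Run as an ordinary user the id changes are no-ops that still succeed, so the code path can be exercised without installing the binary setuid.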