Extreme Zone Minimisation, SE Linux and More...

A couple of days ago, an internal email pointed me here, the document being a thesis by Eriksson and Palmroos, two students supervised by our very own Christoph Schuba.

The thesis comprises three main sections, all of which are interesting...

  • There is a useful discussion on the nature of Solaris 10 Zones, for those who don't understand them already, and a very useful introduction to SE Linux's type enforcement mechanism and its relative strengths and weaknesses.
  • Our intrepid researchers then investigate the possibilities of minimisation within non-global zones; they find that a zone is initially created using the LiveUpgrade mechanism (which I didn't know), that a standard zone install encompasses the packages installed in the global zone, rather than being able to minimise on a per-zone basis (which, I admit, I hadn't spotted), and investigate both bespoke approaches and, most interestingly, the BrandZ mechanism as potential means of installing per-zone minimised environments. This is excellent forward thinking, and I wouldn't be surprised to see this approach followed for many more single-app zones once BrandZ integrates into the "production release" codebase. I admit I consider their more extreme hypotheses and tests of abandoning SMF and reverse-engineering dependencies to enable minimisation on a per-file, rather than per-package, basis as perhaps "going a bit far" - while the "Reactive Minimisation" mechanism that Bart, Glenn and I came up with and presented at RSA 2005 could also potentially minimise on a per-file basis, it at least left the underlying package structure in place so that patches could be readily applied.
  • Finally, they set up a new daemon in SE Linux, give it privileges, and then use it to try to break the system.
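To make the per-package versus per-file trade-off from the second point above concrete, here is an added example written for this page; it is not code from the thesis, from the Reactive Minimisation work, or from any Solaris tool. It runs over a constructed package map in a simplified "package path" format (an assumption, not the real SVR4 pkgmap layout) and a constructed list of files a single application needs (on a real system that list would come from ldd, truss or similar tracing). It computes what a per-file install keeps, what a per-package install keeps, and which packages a per-file install leaves only partially installed, which is exactly the state in which package-level patches can no longer be applied cleanly.

```shell
#!/bin/sh
# Added example: per-file vs per-package minimisation of a single-app zone.
# PKGMAP and NEEDED are constructed sample data, not real Solaris package
# contents; the "package path" line format is an assumption for this demo.

PKGMAP='SUNWcsl /usr/lib/libc.so.1
SUNWcsl /usr/lib/libsocket.so.1
SUNWcsl /usr/lib/libnsl.so.1
SUNWcsu /usr/bin/ls
SUNWcsu /usr/bin/cat
SUNWapch /usr/apache/bin/httpd
SUNWapch /usr/apache/conf/httpd.conf
SUNWapch /usr/apache/man/man8/httpd.8
SUNWperl /usr/bin/perl
SUNWperl /usr/perl5/lib/strict.pm'

# Files the zone's single application actually needs (constructed; stands in
# for the output of ldd/truss-style dependency tracing).
NEEDED='/usr/apache/bin/httpd
/usr/apache/conf/httpd.conf
/usr/lib/libc.so.1
/usr/lib/libsocket.so.1'

# NEEDED lines have one field, PKGMAP lines have two, so a single awk pass
# over both can tell them apart with NF.

# Packages that own at least one needed file.
needed_packages() {
  printf '%s\n%s\n' "$NEEDED" "$PKGMAP" | awk '
    NF==1 { need[$1]=1; next }
    ($2 in need) { print $1 }' | sort -u
}

# Per-file minimisation: exactly the needed files and nothing else.
per_file_files() { printf '%s\n' "$NEEDED" | sort -u; }

# Per-package minimisation: every file of every package owning a needed file.
per_package_files() {
  printf '%s\n%s\n' "$NEEDED" "$PKGMAP" | awk '
    NF==1 { need[$1]=1; next }
    { pkg[NR]=$1; file[NR]=$2; if ($2 in need) keep[$1]=1 }
    END { for (i in pkg) if (pkg[i] in keep) print file[i] }' | sort -u
}

# Packages a per-file install would leave with some, but not all, of their
# files present: the package database no longer describes the zone, so a
# package-level patch cannot be applied to them as-is.
partially_installed_packages() {
  printf '%s\n%s\n' "$NEEDED" "$PKGMAP" | awk '
    NF==1 { need[$1]=1; next }
    { total[$1]++; if ($2 in need) kept[$1]++ }
    END { for (p in kept) if (kept[p] < total[p]) print p }' | sort
}

echo "per-file install keeps $(per_file_files | wc -l | tr -d ' ') files"
echo "per-package install keeps $(per_package_files | wc -l | tr -d ' ') files"
echo "packages a per-file install leaves partially installed:"
partially_installed_packages
```

With the sample data the per-file install keeps 4 files and the per-package install keeps 6 (the extra ones being libnsl and the httpd man page), but every package the per-file install touches ends up partially installed. That is the cost the post alludes to: the smaller footprint is bought by discarding the package structure that patching depends on.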
Their conclusions are interesting, especially regarding the unfortunate issue that SE Linux's absence of namespace segregation presents to folk who have an app they need to polyinstantiate.

I look forward to seeing more from these two guys in the future. Meantime, go grab the thesis and read...

About

davew
