User-mode Linux for security: questions

User-mode Linux looks like a great way to create sandboxes. In practice though it's kind of hard to set up. Thus my questions...

1. Is it possible to set the UML root directory to be a directory on the host root filesystem, instead of the whole host root or some other mounted filesystem? As with a chroot jail or LXC?

2. How would I set up packet forwarding so that the UML session doesn't need an external IP? This would be done through iptables, I guess? Anything special I'd have to do with ufw?

3. Using some Linux distros as UML guest filesystems, I get error messages to the effect that no console is available, e.g.

Code:

Failed to open console 1, err = -2
 getmaster - no usable host pty devices

and obviously no usable console. Why is this and how can I prevent it?

Okay, got some answers at least...

1. Unfortunately this appears to be impossible.

3. It turns out that using the host's init system for UML is stupid, and will cause all sorts of problems. When running UML on the host filesystem you're supposed to use e.g. /bin/bash as init.

Alas, I'm still looking for a way to handle (2). What I'd ideally like is a way to have UML use NAT forwarding like Virtualbox. This is really the most important part - without it, building up a UML system image is rather difficult!

[Hungry Man]

Mind giving some background? I have no idea what this topic is about lol

User-mode Linux (UML) is like super budget virtualization. It uses a specially compiled Linux kernel that is also an ELF executable, and runs in user space as a limited user... And other stuff runs on top of it. This can be done on an unpatched host kernel. So you can do e.g.

Code:

$ ./uml-kernel rootfstype=hostfs ram=256M init=/bin/bash

and get a kernel running bash on top of your normal kernel; using the host filesystem as root, but with your user's permissions. Configure the network with a tun device, and you can run graphical applications in the UML system and display them on the host system's X server (or in an Xephyr/XNest server).

That doesn't provide any filesystem isolation though of course; for that you want to have a mounted filesystem. For instance you could have a 4 GB filesystem image called "rootfs" as your root, and do

Code:

$ ./uml-kernel udba=./rootfs ram=256M

You now have a complete Linux system running in userspace. Again, you can run graphical apps from it if you set up networking.

Setting up networking turns out to be the hard part, but I think I'm (finally) getting the hang of it. From what I can tell, you need a tun/tap device (which you can set up with ifconfig and openvpn), and you need to invoke UML like so

Code:

./uml-kernel (blah blah blah) eth0=tuntap,,,$SOME_IP

the three commas being filler where you'd normally put a MAC address and other stuff you don't actually need to specify, and $SOME_IP being the local IP of the UML guest.

At least, that's how I think it's supposed to work. I'll have to experiment with it a bit more...

Anyway, UML is (as I understand it) a lower-tech alternative to virtualizaton and/or chroot jails, that allows you to have an isolated kernel without needing a patched host OS.

[Hungry Man]

I see. I feel like I'd rather just set up a chroot with grsecurity =p

grSecurity is grotesque overkill. Or is that your point?

[Pedro]

Quote:

Originally Posted by Gullible Jones

User-mode Linux (UML) is like super budget virtualization. It uses a specially compiled Linux kernel that is also an ELF executable, and runs in user space as a limited user... And other stuff runs on top of it. This can be done on an unpatched host kernel. So you can do e.g.

Thank you for that, now i get it!

While i never researched it, i keep hearing about UML, but i never got to understand what it was all about.

Yeah... I'm not sure but I believe UML has been mostly obsoleted in industry by virtualization technologies like KVM and Xen (which perform better). But working on an unpatched host OS is a big advantage for home users. And you can probably do further stuff if you want, like putting AppArmor restrictions on the UML kernel.

Alas, networking on UML is not easy to configure when you use DHCP.

[Hungry Man]

Quote:

Originally Posted by Gullible Jones

grSecurity is grotesque overkill. Or is that your point?

If you're patching the kernel already you may as well use what works.

No need for anything too crazy with it - you could simply use hardened chroots.