This project tests sVirt protection against VM escape. We use a socket to simulate a VM escape instead of reproducing a real one. Test environment: libvirt 5.5.0, qemu 4.1.0, virt-manager 2.2.1, selinux-policy 3.14.2.
- Copy this project to the /root directory of both the host and the VM.
- Make sure the network connection between the VM and the host is available and port 28080 is open.
- Change SERVER_IP in /root/test-svirt/vm.c to the host IP.
- Set SELinux on the host to Permissive mode.
- Log in to the host shell, run 'bash make.sh' in /root/test-svirt, then run './server_utils'.
- Log in to the VM shell, run 'bash make.sh' in /root/test-svirt, then run './vm_escape'.
- The VM 'escape' should succeed, and the following output is shown on the VM shell:
Set selinux context success!
I am an escaped process! My selinux label is: system_u:system_r:svirt_t:s0:c97,c105
Now I want to attack host file!
Attack host succeed!
Now I want to attack VM file!
Attack VM succeed!
Now I want to execute shell command: 'getenforce'!
Permissive
Exec getenforce success!
Exec attack success!
---------------------------------------------------------------------
- Log in to the host shell and run 'setenforce 1' to enable sVirt protection.
- Log in to the VM shell and run './vm_escape'. The escape is stopped, with the following output:
Set selinux context success!
Exec attack failed!
Stop vm escape successfully!
---------------------------------------------------------------------
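To confirm on the host that the two runs differ because of SELinux enforcement, the AVC denials recorded for the svirt_t domain can be inspected. The Python script below is an added example, not part of this project: it parses constructed audit records and reports whether each svirt_t denial was enforced or only logged. Only the svirt_t label comes from the output above; the comm value, file names and target labels are assumptions.

```python
import re

# Constructed sample audit records (not captured from a real run). The svirt_t
# label is the one shown above; comm, file names and target labels are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1570000001.101:501): avc:  denied  { write } for  pid=4242 comm="server_utils" name="host_file" dev="dm-0" ino=1001 scontext=system_u:system_r:svirt_t:s0:c97,c105 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570000002.202:502): avc:  denied  { write } for  pid=4242 comm="server_utils" name="other.qcow2" dev="dm-0" ino=1002 scontext=system_u:system_r:svirt_t:s0:c97,c105 tcontext=system_u:object_r:svirt_image_t:s0:c12,c300 tclass=file permissive=1
type=AVC msg=audit(1570000003.303:503): avc:  denied  { read } for  pid=900 comm="httpd" name="x" dev="dm-0" ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1570000090.404:610): avc:  denied  { write } for  pid=4310 comm="server_utils" name="host_file" dev="dm-0" ino=1001 scontext=system_u:system_r:svirt_t:s0:c97,c105 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def split_context(ctx):
    """Split user:role:type:level; the level keeps its MCS part (s0:c97,c105)."""
    user, role, setype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "level": level}

def svirt_denials(log_text, domain="svirt_t"):
    """Return one finding per AVC denial whose source domain is `domain`."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = split_context(m["scontext"])
        if src["type"] != domain:
            continue
        tgt = split_context(m["tcontext"])
        findings.append({
            "perms": m["perms"].split(),
            "source_level": src["level"],
            "target_type": tgt["type"],
            "target_level": tgt["level"],
            # permissive=1: logged only (access allowed); permissive=0: blocked
            "enforced": None if m["permissive"] is None else m["permissive"] == "0",
        })
    return findings

if __name__ == "__main__":
    for f in svirt_denials(SAMPLE_AUDIT_LOG):
        mode = "BLOCKED" if f["enforced"] else "logged only"
        print(f"{mode}: {f['perms']} {f['source_level']} -> {f['target_type']}:{f['target_level']}")
```

On a real host, the same function can be fed the contents of the audit log instead of the constructed sample.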