Self-assessment

Metadata

Assessment Stage: Complete
Software: https://github.com/lima-vm/lima
Security Provider: No
Languages: Go
SBOM: go.mod and go.sum contain the dependency information
Doc: url
Security file: https://github.com/lima-vm/.github/blob/main/SECURITY.md
Default and optional configs: https://github.com/lima-vm/lima/blob/master/templates/default.yaml

Overview

Lima launches Linux virtual machines with automatic file sharing and port forwarding (similar to WSL2).

The original goal of Lima was to promote containerd including nerdctl (contaiNERD ctl) to Mac users, but Lima can be used for non-container applications as well.

Background

A typical usage of Lima looks like this:

# Install
brew install lima

# Start the VM with the default template
limactl start

# Launch nerdctl (contaiNERD CTL) via Lima
lima nerdctl run --rm hello-world

Lima uses YAML files to define VM templates. See https://github.com/lima-vm/lima/tree/master/templates for the examples of the templates.

A malicious template may break the host OS via host filesystem mounts. It is the user's responsibility to avoid using malicious templates.

Actors

  • limactl CLI: the CLI provides CRUD operations for VM instances. The CLI does not need the root privilege on the host OS. A template file can be specified when creating an instance as follows:
# Built-in template
limactl create template://docker

# Local path
limactl create /usr/local/share/lima/templates/fedora.yaml

# HTTPS URL (use with caution)
limactl create https://raw.githubusercontent.com/lima-vm/lima/master/templates/alpine.yaml
  • lima CLI: an alias of limactl shell, for logging into the guest OS.

  • VM drivers: the following virtual machine drivers are supported (no root privilege is needed):

    • QEMU
    • Apple Virtualization.framework (for macOS hosts)
    • WSL2 (for Windows hosts)
  • SSH: Lima generates an SSH key pair and configures the guest OS so that the lima CLI (alias of limactl shell) can log in to the guest OS. The SSH port is bound to the localhost of the host OS.

  • Port forwarder: localhost ports of the guest OS are forwarded to the localhost of the host OS. These forwarded ports are not exposed to non-localhost by default, but this behavior is customizable.

  • (Optional) SFTP: When the filesystem mount type is configured to reverse-sshfs in a VM template, Lima launches an SFTP server process on the host and associates its stream with the SSH process so that the guest OS can mount the host filesystem. The SFTP server process is launched as a non-root user.

  • (Optional) socket_vmnet daemon: When the network type is set to lima:shared in a VM template, Lima launches a socket_vmnet daemon with sudo so as to enable enhanced networking mode, e.g., publish the VM’s IP address to the physical network.

Actions

  • limactl create: the CLI receives a template file via the argument, and populates the disk image for the instance.

  • limactl start: the CLI launches the instance using the specified VM driver, and sets up port forwarding and filesystem mounts. This action does not need the root privilege on the host. When the network mode is set to lima:shared, the CLI launches the socket_vmnet daemon with sudo. The sudoers file for this operation can be generated with the limactl sudoers command.

  • limactl sudoers: the CLI generates /etc/sudoers.d/lima file to allow running socket_vmnet. Not needed for the default configuration.

  • lima, limactl shell: the CLI launches ssh to log in to the VM instance.

  • limactl stop: the CLI stops the specified VM instance.

  • limactl delete: the CLI deletes the specified VM instance.

Goals

  • No root privilege is needed for installing and running VMs

  • When the root privilege is needed (i.e., for socket_vmnet), the privileged operation is performed in a separate process that is confined by the sudoers file

  • No port is published to non-localhost by default

Non-goals

  • Tolerance to malicious template files is not a goal. An instance created from a malicious template may read and write host files, depending on the host mounts specified in the template.
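The non-goal above and the port forwarder description under Actors both come down to template contents: writable host mounts and port forwards bound to a non-loopback host address. The following added example (not Lima's own code) pre-screens a template for those two settings before limactl create is run; the constructed YAML fragment and the assumed field names (mounts[].location/writable, portForwards[].guestPort/hostIP, with hostIP defaulting to 127.0.0.1) follow the layout of templates/default.yaml.

```python
import re

# Constructed template fragment (not a file from the Lima repo). Field names are
# assumed to follow the schema shown in Lima's templates/default.yaml.
TEMPLATE = """\
mounts:
- location: "~"
  writable: false
- location: "/"
  writable: true
portForwards:
- guestPort: 8080
- guestPort: 80
  hostIP: "0.0.0.0"
"""


def parse_lists(text):
    """Parse the YAML subset used above: top-level keys holding lists of flat mappings."""
    doc, section, item = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line[0] not in " -":             # unindented "key:" opens a new list section
            section, item = line.rstrip(":"), None
            doc[section] = []
            continue
        m = re.match(r"^\s*(-\s+)?(\w+):\s*(.*)$", line)
        if m is None or section is None:
            raise ValueError(f"unsupported line: {raw!r}")
        if m.group(1):                      # "- key: value" starts a new list item
            item = {}
            doc[section].append(item)
        value = m.group(3).strip('"')
        item[m.group(2)] = value == "true" if value in ("true", "false") else value
    return doc


def risky_entries(text):
    """Return findings for template settings that widen the host attack surface."""
    doc = parse_lists(text)
    findings = []
    for mnt in doc.get("mounts", []):
        if mnt.get("writable") is True:     # the guest can modify host files here
            findings.append(f"writable host mount: {mnt.get('location')}")
    for fwd in doc.get("portForwards", []):
        host_ip = fwd.get("hostIP", "127.0.0.1")   # assumed Lima default
        if host_ip not in {"127.0.0.1", "::1", "localhost"}:   # reachable off-host
            findings.append(f"port forward on non-loopback {host_ip}: guestPort {fwd.get('guestPort')}")
    return findings
```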

Self-assessment use

This self-assessment is created by the Lima team to perform an internal analysis of the project’s security. It is not intended to provide a security audit of Lima, or function as an independent assessment or attestation of Lima’s security health.

This document serves to provide Lima users with an initial understanding of Lima’s security, where to find existing security documentation, Lima’s plans for security, and a general overview of Lima’s security practices, covering both the development of Lima and the security of Lima itself.

This document provides the CNCF TAG-Security with an initial understanding of Lima to assist in a joint-assessment, necessary for projects under incubation. Taken together, this document and the joint-assessment serve as a cornerstone for if and when Lima seeks graduation and is preparing for a security audit.

Security functions and features

  • The security of Lima critically depends on the VM drivers (e.g., QEMU, Virtualization.framework), SSH, SFTP, etc. Users have to make sure they install well-maintained versions of these dependencies. On macOS hosts, this can typically be accomplished by clicking the “Software Update” button in System Preferences and by running brew upgrade.

Project compliance

N/A

Secure development practices

Security issue resolution

  • Responsible Disclosure Process: Vulnerabilities are expected to be reported via https://github.com/lima-vm/lima/security/advisories/new. Those who do not have a GitHub account may also use email to reach out to the Committers directly.

  • Incident Response: Committers triage and confirm potential vulnerability reports, and ship a fix as soon as possible. Committers may coordinate with well-known downstream projects (e.g., Rancher Desktop, Colima, and Finch) for the disclosure of a serious vulnerability.

Appendix

  • Known Issues Over Time: See https://github.com/lima-vm/lima/security/advisories.

    • GHSA-f7qw-jj9c-rpq9 (May 30, 2023): A virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is mounted from the host. Fixed in Lima v0.16.0, by prohibiting using a backing file path in the VM base image.
  • CII Best Practices: See https://www.bestpractices.dev/en/projects/6505. Passing.

  • Case Studies: See Rancher Desktop (SUSE), Colima, Finch (AWS) below.

  • Related Projects / Vendors:

    • Rancher Desktop: Kubernetes and container management on the desktop
    • Colima: Docker (and Kubernetes) on macOS with minimal setup
    • Finch: a command line client for local container development
    • Podman Desktop: the Podman Desktop GUI has a plug-in for Lima virtual machines
    • lima-xbar-plugin: xbar plugin to start/stop VMs from the menu bar and see their running status
    • lima-gui: Qt GUI for Lima