[prev in list] [next in list] [prev in thread] [next in thread]
List: busybox
Subject: Re: [patch][BusyBox] Domain assignment support for
From: Yuichi Nakamura <ynakam () hitachisoft ! jp>
Date: 2007-08-20 23:34:43
Message-ID: 20070821082833.7ABE.YNAKAM () hitachisoft ! jp
[Download RAW message or body]
On Fri, 10 Aug 2007 08:34:21 +0200
Natanael Copa wrote:
> On Wed, 2007-08-08 at 13:38 +0900, himainu-ynakam@miomio.jp wrote:
> > Hello.
> >
> > We would like to suggest Secure OSes(such as SELinux/AppArmor/LIDS) domain
> > assignment support for BusyBox. This work is done by Hiroshi Shinji.
>
> ...
>
> > For example, in the case of SELinux, /sbin/syslogd is assigned syslogd_t
> > domain at the execution time of /sbin/syslogd. syslogd_t are allowed to
> > read syslogd.conf, write log files, etc.
> >
> > However, current BusyBox does not suitable for assigning domains.
> > Because BusyBox is a single file that is called through a lot of links.
> >
> > Secure OS treats "/sbin/syslogd" and "/sbin/httpd" as "/bin/busybox".
> > So, /sbin/syslogd and /sbin/httpd run as the same domain.
>
> This is a problem for start-stop-daemon too. IT would solve issues with
> SUID bit programs too (like passwd, su ...)
>
> > 2. Our solution
> > Shinji came up with one idea. He thought "script wrappper" like below.
>
> while I agree it would be nice to have every applet as a separate
> executable, I'm not sure I like the idea of executing shell for every
> command. It *feels* hackish.
Yes, as you say, it may be tricky,
but there are other tricky things like treatment of global value
in busybox I think.
> > Assigning domain is critical to secure OSes.
> > We want way to assign to domains to busybox applets.
> > Please review this patch and consider merging.
>
> The patch is the shortest way to accomplish this. I would believe the
> "correct" way would be to compile every applet as a standalone, linked
> to a libbb.so. I think its even mentioned in the TODO.
Standalone executable is bigger,
even simple "hello world" executable consumes 2940 byte.
This wrapper uses only 15 byte for one applet.
> Natanael Copa
Regards,
--
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/
SELinux Policy Editor: http://seedit.sourceforge.net/
_______________________________________________
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic