
List:       busybox
Subject:    [patch][resend] Domain assignment support for SELinux/AppArmor/LIDS
From:       Yuichi Nakamura <ynakam () hitachisoft ! jp>
Date:       2007-08-20 23:38:47
Message-ID: 20070821083522.7AC0.YNAKAM () hitachisoft ! jp

Hello.
Denis said please resend patches, 
So we would like to send this mail again.

We would like to suggest Secure OSes(such as SELinux/AppArmor/LIDS) domain
assignment support for BusyBox. This work is done by Hiroshi Shinji.

1. Background

Secure OSes such as SELinux, AppArmor and LIDS can assign domain to processes.
"Domain" means set of access rights.
Domain is assinged to processes at the time of "exec" system call.
# This is a little similar to "suid" feature of Linux.

For example, in the case of SELinux, /sbin/syslogd is assigned syslogd_t
domain at the execution time of /sbin/syslogd. syslogd_t are allowed to
read syslogd.conf, write log files, etc.

However, the current BusyBox is not suitable for assigning domains,
because BusyBox is a single file that is called through a lot of links.

Secure OS treats "/sbin/syslogd" and "/sbin/httpd" as "/bin/busybox".
So, /sbin/syslogd and /sbin/httpd run as the same domain.

Known solutions to this problem is preparing wrapper program that calls
applet.
  For example, /sbin/syslogd is a small C program that calls
"/bin/busybox syslogd". Then, at the execution of /sbin/syslogd,
syslogd_t domain is assigned and "/bin/busybox syslogd" is called
and inherits assinged domain(syslogd_t).
However, such wrapper consumes storage(more than 1k byte per wrapper).
For detailed description about this problem,
Yusuke Sato wrote documentation:
http://www.selinux.gr.jp/LIDS-JP/LIDS_en/document/general/web_lids_busybox/main.html

2. Our solution
Shinji came up with one idea. He thought "script wrappper" like below.

If you enabled "INSTALL_APPLET_SCRIPT_WRAPPERS", wrappers like below are
installed.

The contents of "/sbin/syslogd" is following.

#!/bin/busybox

It is only 15 byte.

When /sbin/syslogd is executed, "/bin/busybox /sbin/syslogd <other arguments>" is called.

To achive above, we had to modify applets.c

-       applet_name = argv[0];
-       run_applet_and_exit(argv[0], argv);
+       applet_name = bb_get_last_path_component(argv[0]);
+       run_applet_and_exit(applet_name, argv);

We tried the patch for SELinux and AppArmor.
And domains were assigned sucessfully!

3. Limitation
Programs that are used as interpreter can not be installed as script wrapper.
It is due to limitation of exec(interpreter can not be called twice).
For example, /bin/sh can not be installed as script wrapper.
If /bin/sh is installed as script wrapper, shell scripts do not run.
In interpreting #!/bin/sh

-> /bin/sh is #!/bin/busybox,
-> #! is called twice
-> exec system call fails(limitation of exec system call).

In our patch, sh is installed as symlink or hard link by default
(you can install it as script wrapper if you still need).

Assigning domain is critical to secure OSes.
We want way to assign to domains to busybox applets.
Please review this patch and consider merging.

Regards,
-- 
Yuichi Nakamura
Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/

["domain_assign.patch" (application/octet-stream)]

Index: Makefile.custom
===================================================================
--- Makefile.custom	(revision 19417)
+++ Makefile.custom	(working copy)
@@ -12,6 +12,17 @@
 ifeq ($(CONFIG_INSTALL_APPLET_HARDLINKS),y)
 INSTALL_OPTS:= --hardlinks
 endif
+ifeq ($(CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS),y)
+ifeq ($(CONFIG_INSTALL_SH_APPLET_SYMLINK),y)
+INSTALL_OPTS:= --sw-sh-sym
+endif
+ifeq ($(CONFIG_INSTALL_SH_APPLET_HARDLINK),y)
+INSTALL_OPTS:= --sw-sh-hard
+endif
+ifeq ($(CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER),y)
+INSTALL_OPTS:= --scriptwrapper
+endif
+endif
 install: $(srctree)/applets/install.sh busybox busybox.links
 	$(Q)DO_INSTALL_LIBS="$(strip $(LIBBUSYBOX_SONAME) $(DO_INSTALL_LIBS))" \
 		$(SHELL) $< $(CONFIG_PREFIX) $(INSTALL_OPTS)
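Review bot: The three inner `ifeq` blocks translate the /bin/sh Kconfig choice into install.sh flags whose names (`--sw-sh-sym`, `--sw-sh-hard`) are not self-explanatory, and nothing here documents the mapping. A comment above the outer `ifeq` would help, e.g. `# Script wrappers: each applet is a "#!/bin/busybox" file; the inner choice only selects how /bin/sh is installed`. If none of the three `CONFIG_INSTALL_SH_APPLET_*` symbols is `y` (presumably only possible with a stale .config), `INSTALL_OPTS` stays unset and install.sh's empty-option arm installs no applet links at all, so failing loudly in that case may be worth considering.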
Index: applets/install.sh
===================================================================
--- applets/install.sh	(revision 19417)
+++ applets/install.sh	(working copy)
@@ -5,19 +5,23 @@
 
 prefix=${1}
 if [ -z "$prefix" ]; then
-	echo "usage: applets/install.sh DESTINATION [--symlinks/--hardlinks]"
+	echo "usage: applets/install.sh DESTINATION [--symlinks/--hardlinks/--scriptwrapper]"
 	exit 1;
 fi
 h=`sort busybox.links | uniq`
+scriptwrapper="n"
 cleanup="0"
 noclobber="0"
 case "$2" in
-	--hardlinks) linkopts="-f";;
-	--symlinks)  linkopts="-fs";;
-	--cleanup)   cleanup="1";;
-	--noclobber) noclobber="1";;
-	"")          h="";;
-	*)           echo "Unknown install option: $2"; exit 1;;
+	--hardlinks)     linkopts="-f";;
+	--symlinks)      linkopts="-fs";;
+	--scriptwrapper) scriptwrapper="y";swrapall="y";;
+	--sw-sh-hard)    scriptwrapper="y";linkopts="-f";;
+	--sw-sh-sym)     scriptwrapper="y";linkopts="-fs";;
+	--cleanup)       cleanup="1";;
+	--noclobber)     noclobber="1";;
+	"")              h="";;
+	*)               echo "Unknown install option: $2"; exit 1;;
 esac
 
 if [ -n "$DO_INSTALL_LIBS" ] && [ "$DO_INSTALL_LIBS" != "n" ]; then
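Review bot: `swrapall` is assigned only in the `--scriptwrapper` arm of the `case`, whereas `scriptwrapper` beside it gets an explicit default, so a `swrapall` value inherited from the caller's environment would be honoured by the later `[ "$swrapall" != "y" ]` test. Initialise it with the other defaults: `swrapall="n"`. The usage string also omits `--sw-sh-hard` and `--sw-sh-sym`, which the `case` now accepts.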
@@ -52,6 +56,7 @@
 		cd "$pd"
 	done
 	`
+	exit 0
 fi
 
 rm -f $prefix/bin/busybox || exit 1
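Review bot: The added `exit 0` reports success regardless of whether the commands in the preceding block succeeded. It also stops execution before the `rm -f $prefix/bin/busybox` and the install loop that previously followed, a behaviour change the patch description does not mention. The enclosing `if` starts outside the hunk, so the affected option cannot be confirmed from here; it appears to be the cleanup path. If the early exit is intended, a comment such as `# cleanup only: do not reinstall afterwards` and a non-zero status on failure would make that explicit.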
@@ -61,34 +66,45 @@
 for i in $h; do
 	appdir=`dirname $i`
 	mkdir -p $prefix/$appdir || exit 1
-	if [ "$2" = "--hardlinks" ]; then
-		bb_path="$prefix/bin/busybox"
+	if [ "$scriptwrapper" = "y" ]; then
+		if [ "$swrapall" != "y" ] && [ "$i" = "/bin/sh" ]; then
+			ln $linkopts busybox $prefix$i || exit 1
+		else
+			rm -f $prefix$i
+			echo "#!/bin/busybox" > $prefix$i
+			chmod +x $prefix/$i
+		fi
+		echo "	$prefix$i"
 	else
-		case "$appdir" in
-		/)
-			bb_path="bin/busybox"
-		;;
-		/bin)
-			bb_path="busybox"
-		;;
-		/sbin)
-			bb_path="../bin/busybox"
-		;;
-		/usr/bin|/usr/sbin)
-			bb_path="../../bin/busybox"
-		;;
-		*)
-		echo "Unknown installation directory: $appdir"
-		exit 1
-		;;
-		esac
+		if [ "$2" = "--hardlinks" ]; then
+			bb_path="$prefix/bin/busybox"
+		else
+			case "$appdir" in
+			/)
+				bb_path="bin/busybox"
+			;;
+			/bin)
+				bb_path="busybox"
+			;;
+			/sbin)
+				bb_path="../bin/busybox"
+			;;
+			/usr/bin|/usr/sbin)
+				bb_path="../../bin/busybox"
+			;;
+			*)
+			echo "Unknown installation directory: $appdir"
+			exit 1
+			;;
+			esac
+		fi
+		if [ "$noclobber" = "0" ] || [ ! -e "$prefix$i" ]; then
+			echo "  $prefix$i -> $bb_path"
+			ln $linkopts $bb_path $prefix$i || exit 1
+		else
+			echo "  $prefix$i already exists"
+		fi
 	fi
-	if [ "$noclobber" = "0" ] || [ ! -e "$prefix$i" ]; then
-		echo "  $prefix$i -> $bb_path"
-		ln $linkopts $bb_path $prefix$i || exit 1
-	else
-		echo "  $prefix$i already exists"
-	fi
 done
 
 exit 0
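Review bot: In the script-wrapper branch none of the three commands that create the wrapper is checked, so a failed write can leave a missing or non-executable applet while the script still reaches `exit 0`; every `ln` in this loop uses `|| exit 1`. The expansions are also unquoted, and `chmod` uses `$prefix/$i` where the other two lines use `$prefix$i`. Suggested lines: `rm -f "$prefix$i" || exit 1`, `echo "#!/bin/busybox" > "$prefix$i" || exit 1`, `chmod +x "$prefix$i" || exit 1`. For the `/bin/sh` exception, `ln $linkopts busybox $prefix$i` names `busybox` relative to the current directory, so with `--sw-sh-hard` it appears to hard-link the build-tree binary rather than `$prefix/bin/busybox`, which the `--hardlinks` path below uses; that looks unintended.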
Index: applets/applets.c
===================================================================
--- applets/applets.c	(revision 19417)
+++ applets/applets.c	(working copy)
@@ -598,8 +598,8 @@
 		argv++;
 	}
 	/* we want "<argv[0]>: applet not found", not "busybox: ..." */
-	applet_name = argv[0];
-	run_applet_and_exit(argv[0], argv);
+	applet_name = bb_get_last_path_component(argv[0]);
+	run_applet_and_exit(applet_name, argv);
 	bb_error_msg_and_die("applet not found");
 }
 
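Review bot: The comment directly above the changed lines is now stale: with `applet_name = bb_get_last_path_component(argv[0]);` the message becomes `<basename of argv[0]>: applet not found`, so it should say that and why (a script wrapper passes its full path as the first argument). The applet is now chosen from the basename of a caller-supplied path, while the security domain comes from the wrapper file's label. It is therefore worth documenting that policy must prevent less-trusted domains from linking or renaming labelled wrapper files, otherwise a label and an applet name could presumably be paired in ways the policy author did not intend. The function body starts outside the hunk.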
Index: Config.in
===================================================================
--- Config.in	(revision 19417)
+++ Config.in	(working copy)
@@ -465,6 +465,11 @@
 	  Install applets as hard-links to the busybox binary. This might count
 	  on a filesystem with few inodes.
 
+config INSTALL_APPLET_SCRIPT_WRAPPERS
+	bool "as script wrappers"
+	help
+	  Install applets as script wrappers that call the busybox binary.
+
 config INSTALL_APPLET_DONT
 	bool "not installed"
 	depends on FEATURE_INSTALLER || FEATURE_SH_STANDALONE || FEATURE_PREFER_APPLETS
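Review bot: The help text for `INSTALL_APPLET_SCRIPT_WRAPPERS` does not say what a script wrapper is or why one would choose it over links. Consider extending it along the lines of `Each applet is installed as a small file containing "#!/bin/busybox", so every applet path is a separate file that can carry its own security label (SELinux/AppArmor/LIDS).` It should also state that the wrappers assume the binary lives at /bin/busybox on the target, since install.sh writes that path as a fixed string.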
@@ -474,6 +479,30 @@
 
 endchoice
 
+choice
+	prompt "/bin/sh applet link"
+	default INSTALL_SH_APPLET_SYMLINK
+	depends on INSTALL_APPLET_SCRIPT_WRAPPERS
+	help
+	  Choose how you install /bin/sh applet link.
+
+config INSTALL_SH_APPLET_SYMLINK
+	bool "as soft-link"
+	help
+	  Install /bin/sh applet as soft-link to the busybox binary.
+
+config INSTALL_SH_APPLET_HARDLINK
+	bool "as hard-link"
+	help
+	  Install /bin/sh applet as hard-link to the busybox binary.
+
+config INSTALL_SH_APPLET_SCRIPT_WRAPPER
+	bool "as script wrapper"
+	help
+	  Install /bin/sh applet as script wrapper that call the busybox binary.
+
+endchoice
+
 config PREFIX
 	string "BusyBox installation prefix"
 	default "./_install"
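Review bot: The help for `INSTALL_SH_APPLET_SCRIPT_WRAPPER` gives no warning that this choice stops `#!/bin/sh` scripts from running, which the patch description lists as a known limitation (an interpreter named by `#!` cannot itself be a `#!` script). Add a sentence such as `Scripts starting with "#!/bin/sh" will not run with this option; select it only if nothing on the system uses /bin/sh as an interpreter.` In the same help text, `that call` should read `that calls`.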

