init: optionally load the system SELinux policy #400
Conversation
WavyEbuilder
force-pushed
the
master
branch
2 times, most recently
from
5952f94 to
35df218
Compare
|
Current TODO (just to note I am aware of it) is to link against libselinux in the Makefile. |
|
I've added an --enable--selinux option to the configure script, however I am not really sure how best to go about linking against libselinux as it is an optional dependency. Any advice in this regard? |
|
Think I've got that sorted by passing a linker flag. |
|
I will review properly when I get a chance. I don't know a heap about SELinux so bare with me. A couple of things I will point out now though:
|
|
Hey! Appreciate the fast response.
A lot of the other init systems mentioned /dev/console not being available at that point in time (which is a reasonable assumption as if the policy fails to load there is a good chance SELinux would block access to /dev/console). I had a quite glance through dinit-log.cc and it appears like it just uses stdout - would this be correct?
I'll make sure to change that to use
Generally the command-line option is provided to the kernel cmdline (which the
I'll make sure to do that |
|
Also, would you like me to commit any changes as separate commits until you are happy with it so you can see the diffs between changes a bit easier, or would rebasing be preferred? |
|
Alright took a look at this a bit more thoroughly and I have a few design questions to raise quickly, notably regarding
static int initialize_security(
bool *loaded_policy,
dual_timestamp *security_start_timestamp,
dual_timestamp *security_finish_timestamp,
const char **ret_error_message);Then we could just call our implementation of a similar function once in dinit_main (ideally as early as possible, being security frameworks it makes sense to attempt to load them as early as possible). Now given that we have C++ to hand here, I was wondering how to go about propagating errors back. Being C++11, we don't have anything like
I think that'd be a reasonable way of structuring things, but being my first PR to dinit and my first real work on a C++ project below 14, your input would be greatly appreciated. Thanks! |
Log any relevant message (via
If we're just talking about adding a single method, I don't see any advantage in doing that now, as it can easily be done if and when support for other security frameworks are added. Let's just keep it simple.
Ok, that sounds fine. |
Actually, thinking about this more, there may still be cases where SELinux is enabled but the loading of the policy should not be performed. One example is given by the Systemd code here. Also, can you clarify what this might mean? I want to know what file descriptors SELinux would keep open and in what circumstances. Are you doing this work for a distribution or is it a more personal endeavour? |
|
(Finally: make sure you have read CONTRIBUTING and CODE-STYLE documents, if you haven't already. Thanks!). |
Got it, thanks :)
Yup, makes sense, should be fairly easy with to deal in the future. Will do!
That's a good example. For that specific initrd case, I had a look at systemd's /* If /etc/initrd-release exists, we're in an initrd.
* This can be overridden by setting SYSTEMD_IN_INITRD=0|1.
*/ Would you like to do the same with an override here? (maybe something more like DINIT_IN_INITRD) If you'd still like to add a flag override of some sorts to tell dinit to not load the selinux policy, I feel like that should be an opt in sort of thing, because while not loading the selinux policy won't load any of the user's policy, it doesn't mean selinux won't be loaded. In that case, everything runs in the
Afaik this is generally in the case of when it needs to audit something related to that fd so it keeps it open for a bit? I remember seeing something similar in the past, but I'm not exactly too happy with that answer as I can't answer it with 100% confidence, so if that's okay I'll do a bit of digging in the libselinux docs and get back to you on that.
I'm currently using Gentoo and dinit on basically all of my systems (which doesn't have upstream Gentoo support currently), however I am hoping to try improving the support (and maybe possibly getting official support) for dinit for both Adelie and Gentoo (nothing offical, just me on my own there, though I have spoken to some developers of the respective distros about that, but absoloutly nothing really offical yet). This specific piece of work was started when I hit a few weird bugs with my SELinux policy while dealing with a few ebuilds for dinit related to SELinux (policy for it), so in the future as Gentoo has offical SELinux support it might be useful, but for now really just take it as a personal endeavour, I'm not affiliated with any distro officially :)
Had a read over them already, but I'll make sure to reread CODE-STYLE |
|
Did a bit of digging and found this commit systemd/systemd@a3dff21 which seems to explain it quite nicely. |
|
Hmm reading the Still seems fine to transition with |
|
I think it'll be best to consider how SELinux aware we want dinit to be at this stage. After reading some more man pages and systemd code, it seems like systemd transitioning itself to the new context is an okay option as they already make heavy use of selinux throughout (i.e. in transient units which have an SELinuxContext= option). However, if our only goal (at least in the short-term) is to load the policy, then I think it makes sense to stick with the If we want to be a little bit more SELinux aware, (i.e. if it is not unforeseeable to make use of libselinux more throughout dinit), then I would probably start off by creating an selinux utils header of some point as there is quite a bit of setup, etc that'll need to be done. My personal opinion would be (for the sake of simplicity) to stick with the However, if you'd still like to continue with setting our own context, I can go down that route. It'd require a bit more design though, so it might be worth working on getting some helper functions stubbed out firstly. |
That's fine but it will need a commitment from you that you will support it going forward, or otherwise make it clear that it's experimental/unsupported in relevant documentation. (Incidentally I think you missed updating the build instructions - that's something that would need to be added). To be honest I'm not sure I'm following your reasoning in a few ways:
I don't really understand why that makes a difference. What is the reason why this would not be a good option for dinit as well? (I get that Dinit doesn't provide specific support for SELinux features when executing service processes, but why does that make a difference as to the mechanics of how the policy is loaded?) I'm fine with the policy loading happening very early in dinit's execution. But:
If we are going to call I know you had a few other questions for me and I can go back to those, but I really need some clarification on these points. I don't want to be discouraging but it seems like there are a few details you're not really sure of yourself, and that gives me some pause. I'm hesitant to incorporate something where I really don't understand why things have been done the way they have. If there's open questions that you need to sort out, please feel free to take whatever time you need to do that, but let's get them sorted first and talk details of the code then. |
|
Hey,
I can commit to that, but would also be happy mentioning it is experimental.
I think I phrased that badly earlier, I'll rephrase it a little here now. Systemd makes use of SELinux a lot inside it being quite SELinux aware so it already has a lot of boilerplate that will be used elsewhere. The reason why transitioning to the new context is a little more complex is because it requires a bit more setup, we are in a privileged domain at that point and we are sort of entrusting ourselves to do it right, so it'd require a fair amount more code I would think.
An initramfs can work fine for this (and often is!) or some simpler pid 1 that's only job is to launch dinit properly with the right context, but (at least to me) that feels a little unnecessary.
That's fair, I did phrase it quite badly above. My main reasoning was based off the
That makes sense. For now I'll just presume we're going down the route of transitioning ourselves to a new context and I'll push in a bit with an example of that and let you compare.
|
This, I guess, is what I don't understand. I can see that opening file descriptors before loading the policy might give access to things that the policy will then disallow but, if we are loading the policy quite early and we have opened file descriptors then in fact we do need those file descriptors. If the policy disallowed that access then that would be a broken policy anyway. Dinit doesn't go around just casually opening files. Likewise any other resource it has accessed, it probably needs. And anyway, as far as I can tell, applying the security label will enforce access against file descriptors that were opened previously anyway. Eg from https://www.systutorials.com/docs/linux/man/3-setcon_raw/ -
Given those are taken care of (and ptrace shouldn't be an issue anyway), and given that we'd be loading the policy early (before doing just about anything anyway), what would be the concerns in regards to "entrusting ourselves to do it right?" I'm after concrete examples.
To me it feels unnecessary to me add specific support (including a library dependency) for something in Dinit which can be handled just as well from outside, and re-executing our own process right after we start honestly just feels like a hack. At the moment my position on that is a "no", I would need to be given a good, concrete reason for why that should change. Applying the security context within the already-running process without re-
A little bit more code isn't an issue, if we have already gone as far as adding a dependency and providing support for SELinux then we may as well do it properly. My bad for the "keep it simple" comment which caused confusion - I meant, keep it restricted to the specific functionality that you are wanting to implement; we don't need abstraction layers for handling other security frameworks, etc. But before you said:
Is it a bit, or is it a fair amount? (or am I conflating two different things?) |
|
As for A good example is this. Imagine we start out with kernel context (what dinit starts out with on my system before the policy is loaded). We have some fd's opened, and the kernel context has permission to use them. Now we load the policy, transition ourselves, and the loaded policy executes us as init_t. In the Gentoo refpolicy, then that kernel context becomes kernel_t. Now SELinux will prevent us from using those open file descriptors.
Oh I see what you meant by keeping it simple now :) I was a bit confused with what you were after, but it shouldn't really require any sweeping changes for the codebase, it should all be confined to that function we'll make to load the policy, which will be the thing that's a bit longer. That's all good then, I can make the transition work. I'll get to work on that, and if there are any concerns please let me know. Thanks for all the time you've given this so far, appreciated a lot. |
WavyEbuilder
force-pushed
the
master
branch
2 times, most recently
from
5ddfc4d to
d5295d9
Compare
|
Alright I think I've got this working as desired now. I've just made a function If anything is unclear/you feel any comments are needed, please let me know, and I'll make sure to add them. |
|
(just updated an error message as i'm not longer using |
|
Just fixed another silly mistake, forgot to chance |
It's misleading to say that a policy choice is a misconfiguration, the choice to prevent dinit from transitioning from its inital domain is a choice made the local system administrator. Let's clarify our comments to specify that this isn't an error, but a warning, as this is still a unsual policy choice.
|
Hi Davin, Just thought I'd give a small update as it's been quite a while now. The current mechanism so far seems robust, however:
I'll be less active over Christmas so it'll be a few weeks before I push anything more, but I'll clean up the merge conflicts as well next. Just wanted to note that I haven't abandoned the PR. Thanks |
|
Hi, that's fine, but I have one major concern after just having looked over the current changes. There is some code that is currently part of the PR: Compared to some code that you pasted earlier, which turns out to be from Systemd: Obviously they are not completely identical, but just as obviously, at least the comment was taken from Systemd and then modified slightly for this PR. You cannot do that. All code and comments in the PR should be your own work (and if any isn't, this absolutely needs to be flagged when you raise the PR). This is true not just for Dinit but any project where you open a PR. The Systemd license is not compatible with the Dinit license, and we do not have the right to relicense code that is derived from Systemd code. I know this is only a small piece of code (assuming there is not more that is copied) but this is a major issue. This could cause massive headaches down the line if a Systemd developer discovered that code, and realised where it originated from. They might insist that the code be removed, or in the worst case I could end up in some legal entanglement. You will need to re-do any code that you copied from Systemd or anywhere else. I'm afraid you will need to find your own wording for the comments. It is honestly better to not even look at the Systemd code. And since this has come up, I'm going to have to get you to confirm again once this is ready whether the PR is your own work. |
|
Thanks for the heads up - I didn't think that'd be copyrightable/was fairly trivial, got it now and noted for the future. I gave a cursory glance over at the changes so far, everything outside of https://github.com/davmac314/dinit/pull/400/files#diff-478d55d4071495e39c6c94175bef40d012ddcbcd6c35fb57766263e2cf690bfdR493-R495 https://github.com/davmac314/dinit/pull/400/files#diff-478d55d4071495e39c6c94175bef40d012ddcbcd6c35fb57766263e2cf690bfdR514-R518 https://github.com/davmac314/dinit/pull/400/files#diff-478d55d4071495e39c6c94175bef40d012ddcbcd6c35fb57766263e2cf690bfdR594-R601 Everything else there should be good as far as I can tell, I'll make sure to give it a look through again later.
I understand, all good.
I'll make sure to do that. Appears to just be that snippet
Noted for anything else I write.
All good. So far I think everything else looks fine, I'll recheck again later as well. |
|
Ok, thanks, I appreciate you taking this seriously.
While it is only a small piece of code, that doesn't mean it's not copyrightable. I'm not a lawyer so I don't claim to know for sure whether copyright would apply to the comment but I suspect it would (and I don't want to take the risk anyway). But also, if any code is based off someone else's work even in a small way, that should always be acknowledged (eg in a comment) - regardless of copyright, it's the right thing to do. In this case I'd rather simply not have either issue, i.e. have the code written from scratch. |
Change up the wording to avoid ethical and licensing headache with systemd.
|
Hi Davin, Could I ask you to review the latest commit? I'm not really familiar with the ins and outs of copyright, and I'm unsure as to whether or not that commit addresses the issue. From your previous comment:
I have reworded the comment (let me know if that isn't reworded suitably), but I don't think the actual check made in this commit e06e054#diff-478d55d4071495e39c6c94175bef40d012ddcbcd6c35fb57766263e2cf690bfdR519 (the code, not the comment) is copyrightable as it is simply logic and not really related to systemd code at all. For clarity, I'm referring to Thanks |
|
I've decided it might just be best to do a cleanroom rewrite of that comment instead, so I did so in a blank text editor. For full transparency, it's based off the wording of the This is located in the source of libselinux here: https://github.com/SELinuxProject/selinux/blob/main/libselinux/man/man3/getcon.3#L147-L150 Looking at the license of libselinux: https://github.com/SELinuxProject/selinux/blob/main/libselinux/LICENSE It appears to be public domain software, which as far as I can tell means it should be okay to quote. I deemed that a comment giving acknowledgement to the NSA or the SELinux Project was unnecessary for this, as it is the manpage of the function I'm calling. However, let me know if you'd like me to add one, I'd be more than happy to do so |
|
I think you need to use your judgement (taking in to account what I've already said). These things aren't always black and white and I don't really want to be pulled in to make a judgement on every thing that comes up. Please get the PR to the state where you are satisfied with it and ask for review only at that stage (remember to self-review first). Quick couple of points now since I have been drawn in to look at it:
Once again, please complete the PR before asking for review. |
|
Btw:
Quoting would certainly be fine (even verbatim) and in that case then it is absolutely a good idea to say where the quote comes from. What I said before was:
That does not say that necessarily "you must acknowledge the specific authors of the work", but rather "you must acknowledge that the code is based off someone else's work". Something like "as stated in the man page for ..." would do that. I think if you are quoting info from a man page then acknowledging that is not only a good thing to do, it is genuinely useful. |
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
|
Thanks for all your clarifications, I appreciate it. Just wanted to err on the side of caution as (understandably) copyright is a sensitive topic. Think I've got it now. I'll continue on with the PR with self-review until it is ready for review (i.e. mergeable should no other issues come up). |
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
TODO: document mounting of /proc. This is intentionally missing for now until dinit's behaviour regarding the mounting of /proc directly itself for selinux_transition is decided. Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Note: unfinished Signed-off-by: Rahul Sandhu <[email protected]>
There is little need to use type inference for errno_str; just use char * for clarity Signed-off-by: Rahul Sandhu <[email protected]>
Implements #399 . Currently a draft PR for some of the reasons noted in that issue. Another thing to add:
fprintfif the SELinux policy fails to load (as/dev/consoleis likely unable to be accessed at that point). Would you preferstd::coutto be used for now in this case?