[patch][BusyBox] Domain assignment support for SELinux/AppArmor/LIDS

himainu-ynakam at miomio.jp
Tue Aug 7 21:38:45 PDT 2007


Hello.

We would like to propose domain assignment support for Secure OSes (such as
SELinux/AppArmor/LIDS) in BusyBox. This work was done by Hiroshi Shinji.

1. Background

Secure OSes such as SELinux, AppArmor and LIDS can assign a domain to processes.
"Domain" means a set of access rights.
A domain is assigned to a process at the time of the "exec" system call.
# This is a little similar to the "suid" feature of Linux.

For example, in the case of SELinux, /sbin/syslogd is assigned the syslogd_t
domain when /sbin/syslogd is executed. syslogd_t is allowed to
read syslogd.conf, write log files, etc.

However, the current BusyBox is not suitable for assigning domains,
because BusyBox is a single file that is called through a lot of links.

A Secure OS treats "/sbin/syslogd" and "/sbin/httpd" as "/bin/busybox".
So /sbin/syslogd and /sbin/httpd run in the same domain.

The known solution to this problem is preparing a wrapper program that calls
the applet.
  For example, /sbin/syslogd is a small C program that calls
"/bin/busybox syslogd". Then, at the execution of /sbin/syslogd,
the syslogd_t domain is assigned, "/bin/busybox syslogd" is called
and it inherits the assigned domain (syslogd_t).
However, such a wrapper consumes storage (more than 1 kbyte per wrapper).
For a detailed description of this problem, see the documentation
Yusuke Sato wrote:
http://www.selinux.gr.jp/LIDS-JP/LIDS_en/document/general/web_lids_busybox/main.html

2. Our solution
Shinji came up with one idea. He thought of a "script wrapper" like the one below.

If you enable "INSTALL_APPLET_SCRIPT_WRAPPERS", wrappers like the one below are
installed.

The contents of "/sbin/syslogd" are the following.

#!/bin/busybox

It is only 15 bytes.

When /sbin/syslogd is executed, "/bin/busybox /sbin/syslogd <other arguments>" is called.

To achieve the above, we had to modify applets.c:

-       applet_name = argv[0];
-       run_applet_and_exit(argv[0], argv);
+       applet_name = bb_get_last_path_component(argv[0]);
+       run_applet_and_exit(applet_name, argv);
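Review bot: the two lines shown only strip the directory from argv[0], but the mail itself says that a script wrapper makes the kernel run "/bin/busybox /sbin/syslogd <other arguments>", so in that case the name that needs the basename treatment is "/sbin/syslogd" in argv[1], after BusyBox has shifted past "busybox", not argv[0]. Taken alone, this hunk therefore cannot turn the wrapper path into "syslogd"; please quote (or at least describe) the matching change in the busybox_main path from the attached 5261-byte patch so the whole mechanism can be reviewed from the mail, and add a comment at this line noting that applet_name now deliberately accepts a full path such as "/sbin/syslogd" because of the #!/bin/busybox wrappers.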

We tried the patch with SELinux and AppArmor,
and domains were assigned successfully!

3. Limitation
Programs that are used as interpreters cannot be installed as script wrappers.
This is due to a limitation of exec (an interpreter cannot be called twice).
For example, /bin/sh cannot be installed as a script wrapper.
If /bin/sh is installed as a script wrapper, shell scripts do not run.
When interpreting #!/bin/sh:

-> /bin/sh is #!/bin/busybox,
-> #! is called twice,
-> the exec system call fails (limitation of the exec system call).

In our patch, sh is installed as a symlink or hard link by default
(you can install it as a script wrapper if you still need to).

Assigning domains is critical to secure OSes.
We want a way to assign domains to busybox applets.
Please review this patch and consider merging it.

Regards,
Yuichi Nakamura
JSELUG(Japan SELinux Users Group)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: domain_assign.patch
Type: application/octet-stream
Size: 5261 bytes
Desc: not available
Url : http://busybox.net/lists/busybox/attachments/20070808/2cf3f159/attachment-0001.obj 
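The following is an added illustration written for this page; it is not part of Shinji's patch or of BusyBox's own applets.c. It shows the applet-name resolution that a multi-call binary needs once #!/bin/busybox script wrappers are in use: a link invocation arrives as argv[0] = "/sbin/syslogd", an explicit call as "/bin/busybox syslogd", and a script-wrapper invocation as "/bin/busybox /sbin/syslogd ..." (the kernel puts the wrapper's path in argv[1]). The function names `last_component` and `resolve_applet`, the optional out-parameter, and the handling of a leading '-' (the login-shell convention) are this example's own assumptions, not BusyBox's API.

```c
/* Added example (not BusyBox code): recover the applet name from the argv the
 * kernel hands a multi-call binary, for all three ways it can be entered.
 * Names and the '-' handling below are this example's assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Last path component, in the spirit of bb_get_last_path_component:
 * "/sbin/syslogd" -> "syslogd", "syslogd" -> "syslogd". */
static const char *last_component(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Decide which applet to run.
 *  1. link:            argv = {"/sbin/syslogd", ...}              -> "syslogd"
 *  2. explicit call:   argv = {"/bin/busybox", "syslogd", ...}    -> "syslogd"
 *  3. script wrapper:  /sbin/syslogd contains "#!/bin/busybox", so the kernel
 *                      execs argv = {"/bin/busybox", "/sbin/syslogd", ...}
 *                                                                   -> "syslogd"
 * If applet_argv is non-NULL it receives the argv to hand to the applet
 * (shifted by one in cases 2 and 3). Returns NULL when no applet name can
 * be derived, e.g. a bare "busybox" with no further argument. */
static const char *resolve_applet(int argc, char **argv, char ***applet_argv)
{
    const char *name;

    if (argc < 1 || argv[0] == NULL || argv[0][0] == '\0')
        return NULL;

    name = argv[0];
    if (name[0] == '-')            /* "-sh": login-shell convention (assumed) */
        name++;
    name = last_component(name);
    if (name[0] == '\0')           /* "-" or "/sbin/" alone: nothing usable */
        return NULL;

    if (strcmp(name, "busybox") != 0) {
        if (applet_argv)
            *applet_argv = argv;   /* case 1: our own name is the applet */
        return name;
    }

    /* cases 2 and 3: the applet is the next argument, possibly a full path
     * when it comes from a #!/bin/busybox wrapper */
    if (argc < 2 || argv[1] == NULL || argv[1][0] == '\0')
        return NULL;
    name = last_component(argv[1]);
    if (name[0] == '\0')
        return NULL;
    if (applet_argv)
        *applet_argv = argv + 1;
    return name;
}

int main(void)
{
    /* constructed argv vectors, one per invocation style */
    char *by_link[]    = { "/sbin/syslogd", "-n", NULL };
    char *explicit[]   = { "/bin/busybox", "syslogd", "-n", NULL };
    char *by_wrapper[] = { "/bin/busybox", "/sbin/syslogd", "-n", NULL };
    char *bare[]       = { "/bin/busybox", NULL };
    char **rest;
    const char *applet;

    applet = resolve_applet(2, by_link, &rest);
    printf("link:    applet=%s argv[0]=%s\n", applet, rest[0]);
    applet = resolve_applet(3, explicit, &rest);
    printf("explicit: applet=%s argv[0]=%s\n", applet, rest[0]);
    applet = resolve_applet(3, by_wrapper, &rest);
    printf("wrapper: applet=%s argv[0]=%s\n", applet, rest[0]);
    applet = resolve_applet(1, bare, &rest);
    printf("bare:    %s\n", applet ? applet : "(no applet)");
    return 0;
}
```

The point of case 3 is that the secure OS labels the exec of /sbin/syslogd itself, so the transition to syslogd_t happens before BusyBox ever runs; BusyBox only has to recognise that the argument following "busybox" may be the wrapper's full path rather than a bare applet name.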
