Re: The future of the boot system in Debian
Package: upstart
Severity: wishlist
Version: 0.6.3
Tags: patch
On Sat, Sep 05 2009, Manoj Srivastava wrote:
> One of the features missing in upstart that is present in
> sysvinit is that the latter loads SELinux security policy early in the
> boot sequence, and the former does not (please correct me if this is not
> the case). I would be happy to help integrate selinux into upstart,
> if that is the future of booting in Debian.
>
> Having /sbin/init load the security policy is good because:
> a) Doing it in an init script makes it easier to bypass security by
> running another script earlier (so a malicious superuser may
> trivially bypass security on reboot). This is even harder to prevent
> using an event based system.
> b) Using an init script makes it impossible to enforce security
> policies and access control over which files /sbin/init may read,
> c) Since it is compiled in, there is no dependency on things in
> /usr/bin -- like load_policy, which also needs libsepol1 from /usr,
> which is not small,
> d) Putting policy loading in initramfs is bad for two reasons:
> i) It means we would no longer support SELinux use without having to
> use initramfs -- my machines do not use either an initramfs or
> modules -- which is easy when using custom kernels, and I think
> is a use case Debian should continue to support
> ii) We would need to either patch something in the initramfs to link
> with libselinux1, to load policy directly, or we will have to
> load into the initramfs load_policy and libsepol1 from /usr,
> Adding a couple of small hunks to whatever provides /sbin/init
> seems easier.
> e) At this point, we only have two candidates for /sbin/init, sysvinit
> and upstart, so the burden of writing patches is not onerous, and in
> any case, I am volunteering to help create the patches.
Well, here is a (lightly) tested patch for upstart.
manoj
.../debian/changelog | 11 ++
.../debian/control | 4 +-
.../debian/patches/001-selinux-support | 132 ++++++++++++++++++++
.../debian/patches/series | 1 +
{upstart-0.6.3.orig => upstart-0.6.3}/debian/rules | 4 +
5 files changed, 151 insertions(+), 1 deletions(-)
diff --git upstart-0.6.3.orig/debian/changelog upstart-0.6.3/debian/changelog
index be2b21f..afaf59a 100644
--- upstart-0.6.3.orig/debian/changelog
+++ upstart-0.6.3/debian/changelog
@@ -1,3 +1,14 @@
+upstart (0.6.3-1.1) UNRELEASED; urgency=low
+
+ * Add support for loading SELinux policy early in the boot
+ sequence. This changeset adds conditional support for loading SELinux
+ policy early in the boot sequence if a) it is enabled at compile time,
+ and b) the machine has SELinux enabled at run time. Also, since the
+ SELinux support patch is conditionally effective, this patch adds
+ support for enabling it on Linux architectures.
+
+ -- Manoj Srivastava <srivasta@debian.org> Sat, 05 Sep 2009 12:15:46 -0500
+
upstart (0.6.3-1) unstable; urgency=low
* New upstream release.
diff --git upstart-0.6.3.orig/debian/control upstart-0.6.3/debian/control
index 2c6226b..c4aa61f 100644
--- upstart-0.6.3.orig/debian/control
+++ upstart-0.6.3/debian/control
@@ -4,7 +4,9 @@ Priority: extra
Maintainer: Michael Biebl <biebl@debian.org>
Uploaders: martin f. krafft <madduck@debian.org>
Standards-Version: 3.8.2
-Build-Depends: debhelper (>= 7), quilt, pkg-config (>= 0.22), libdbus-1-dev (>= 1.2.16), libexpat1-dev (>= 2.0.0)
+Build-Depends: debhelper (>= 7), quilt, pkg-config (>= 0.22), libdbus-1-dev (>= 1.2.16), libexpat1-dev (>= 2.0.0),
+ libselinux1-dev (>= 1.14) [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64],
+ libsepol1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
Vcs-Git: git://git.debian.org/git/collab-maint/upstart.git
Vcs-Browser: http://git.debian.org/?p=collab-maint/upstart.git;a=summary
Homepage: http://upstart.ubuntu.com/
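Review bot: the architecture qualifier on the two new build dependencies is a negated list of three ports ([!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]), while debian/rules switches the feature on with a test on DEB_HOST_ARCH_OS being linux. These are two spellings of one condition and will disagree as soon as another non-Linux port is added, at which point the -dev packages are demanded on a port where WITH_SELINUX is never passed. Worth a comment tying the two together, or a single shared definition if the tooling allows.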
diff --git upstart-0.6.3/debian/patches/001-selinux-support upstart-0.6.3/debian/patches/001-selinux-support
new file mode 100644
index 0000000..bceec13
--- /dev/null
+++ upstart-0.6.3/debian/patches/001-selinux-support
@@ -0,0 +1,132 @@
+From 75658fbccea3fe087f1fa5a4971e4319a05201a1 Mon Sep 17 00:00:00 2001
+From: Manoj Srivastava <srivasta@debian.org>
+Date: Sat, 5 Sep 2009 11:46:45 -0500
+Subject: [PATCH 2/2] Add functionality to load SELinux policy early in boot
+
+This patch is applied conditionally, and unless WITH_SELINUX is defined
+when make is called (that is, at compile time), it does nothing. If
+WITH_SELINUX is set to 'yes' at compile time, this patch, analogous to
+that in sysvinit, checks early to see if SELinux is enabled on the
+machine, and then tries to load policy, If loading policy fails,and if
+SELinux is in enforcing mode, it prevents startup.
+
+If the machine does not have selinux enabled at run time, nothing
+happens.
+
+Signed-off-by: Manoj Srivastava <srivasta@debian.org>
+---
+ init/Makefile.am | 12 ++++++++++--
+ init/Makefile.in | 12 ++++++++++--
+ init/main.c | 22 ++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/init/Makefile.am b/init/Makefile.am
+index c1a8a3c..6119998 100644
+--- a/init/Makefile.am
++++ b/init/Makefile.am
+@@ -5,7 +5,15 @@ initconfdir = $(sysconfdir)/init
+ AM_CFLAGS = \
+ $(DBUS_CFLAGS)
+
+-AM_CPPFLAGS = \
++ifeq ($(WITH_SELINUX),yes)
++ SELINUX_DEF=-DWITH_SELINUX
++ INIT_SELIBS=-lsepol -lselinux
++else
++ SELINUX_DEF=
++ INIT_SELIBS=
++endif
++
++AM_CPPFLAGS = $(SELINUX_DEF) \
+ -DLOCALEDIR="\"$(localedir)\"" \
+ -DCONFFILE="\"$(sysconfdir)/init.conf\"" \
+ -DCONFDIR="\"$(initconfdir)\"" \
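Review bot: the ifeq/else/endif block added ahead of AM_CPPFLAGS is GNU make syntax placed in an automake input file, where else and endif are automake's own conditional keywords, so regenerating Makefile.in from this Makefile.am may fail or not reproduce the block. Because WITH_SELINUX is only a make command-line variable, a build that forgets it (or spells the value differently from yes) produces an init with no policy loading and no diagnostic. Suggest a configure switch feeding an AM_CONDITIONAL, with configure failing when SELinux support was requested but the headers are missing.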
+@@ -58,7 +66,7 @@ init_LDADD = \
+ ../nih-dbus/libnih-dbus.la \
+ $(LTLIBINTL) \
+ $(DBUS_LIBS) \
+- -lrt
++ $(INIT_SELIBS) -lrt
+
+
+ com_ubuntu_Upstart_OUTPUTS = \
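Review bot: INIT_SELIBS adds -lsepol to init_LDADD, yet the only functions the main.c hunk calls are is_selinux_enabled() and selinux_init_load_policy(), both declared in selinux/selinux.h. The covering mail argues for loading policy inside init partly to avoid depending on libsepol1 under /usr; linking /sbin/init against it directly brings that dependency back at a point where /usr may not be mounted. Suggest dropping -lsepol unless a link failure shows it is needed, and stating in the commit message which library location is assumed.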
+diff --git a/init/Makefile.in b/init/Makefile.in
+index 4042358..a0b79cf 100644
+--- a/init/Makefile.in
++++ b/init/Makefile.in
+@@ -426,7 +426,15 @@ initconfdir = $(sysconfdir)/init
+ AM_CFLAGS = \
+ $(DBUS_CFLAGS)
+
+-AM_CPPFLAGS = \
++ifeq ($(WITH_SELINUX),yes)
++ SELINUX_DEF=-DWITH_SELINUX
++ INIT_SELIBS=-lsepol -lselinux
++else
++ SELINUX_DEF=
++ INIT_SELIBS=
++endif
++
++AM_CPPFLAGS = $(SELINUX_DEF) \
+ -DLOCALEDIR="\"$(localedir)\"" \
+ -DCONFFILE="\"$(sysconfdir)/init.conf\"" \
+ -DCONFDIR="\"$(initconfdir)\"" \
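Review bot: this hunk hand-edits Makefile.in with the same block as Makefile.am, and Makefile.in is the generated file. The two copies stay in step only as long as nobody reruns automake; after that the SELinux flags can vanish from the build with nothing to flag it. Suggest patching only Makefile.am (plus configure.ac if a switch is added) and regenerating at build time, or stating in the patch header that the Makefile.in part is generated output.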
+@@ -477,7 +485,7 @@ init_LDADD = \
+ ../nih-dbus/libnih-dbus.la \
+ $(LTLIBINTL) \
+ $(DBUS_LIBS) \
+- -lrt
++ $(INIT_SELIBS) -lrt
+
+ com_ubuntu_Upstart_OUTPUTS = \
+ com.ubuntu.Upstart.c \
+diff --git a/init/main.c b/init/main.c
+index 2836583..6e76637 100644
+--- a/init/main.c
++++ b/init/main.c
+@@ -58,6 +58,9 @@
+ #include "conf.h"
+ #include "control.h"
+
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif
+
+ /* Prototypes for static functions */
+ #ifndef DEBUG
+@@ -107,6 +110,9 @@ main (int argc,
+ {
+ char **args;
+ int ret;
++#ifdef WITH_SELINUX
++ int enforce = 0;
++#endif
+
+ argv0 = argv[0];
+ nih_main_init (argv0);
+@@ -137,6 +143,22 @@ main (int argc,
+ exit (1);
+ }
+
++#ifdef WITH_SELINUX
++ if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
++ putenv("SELINUX_INIT=YES");
++ if (selinux_init_load_policy(&enforce) == 0 ) {
++ execv(argv0, argv);
++ } else {
++ if (enforce > 0) {
++ /* SELinux in enforcing mode but load_policy failed */
++ /* At this point, we probably can't open /dev/console, so log() won't work */
++ fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
++ exit(1);
++ }
++ }
++ }
++#endif
++
+ /* Clear our arguments from the command-line, so that we show up in
+ * ps or top output as /sbin/init, with no extra flags.
+ *
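Review bot: the return of execv(argv0, argv) in the success branch is never checked, so if the re-exec fails after selinux_init_load_policy() has succeeded, init carries on in its pre-policy context with no message. Suggest reporting the failure on stderr and applying the same enforcing-mode stop as the else branch. Two smaller points in the same block: the guard is the inherited environment variable SELINUX_INIT, so an init that starts with it already set skips policy loading silently, and when the load fails with enforce equal to 0 the boot continues without any log line. A one-line fprintf in each case would make a boot without policy visible.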
+--
+1.6.3.3
+
diff --git upstart-0.6.3.orig/debian/patches/series upstart-0.6.3/debian/patches/series
index e27047c..5352374 100644
--- upstart-0.6.3.orig/debian/patches/series
+++ upstart-0.6.3/debian/patches/series
@@ -1 +1,2 @@
# Debian patches for upstart
+001-selinux-support
diff --git upstart-0.6.3.orig/debian/rules upstart-0.6.3/debian/rules
index bdf25b9..e0b2d9f 100755
--- upstart-0.6.3.orig/debian/rules
+++ upstart-0.6.3/debian/rules
@@ -46,7 +46,11 @@ build: build-stamp
build-stamp: config.status
dh_testdir
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+ $(MAKE) WITH_SELINUX="yes"
+else
$(MAKE)
+endif
touch $@
# Install the package underneath debian/tmp
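Review bot: the ifeq on DEB_HOST_ARCH_OS falls through to the plain $(MAKE) branch when the variable is empty, and nothing in this hunk shows it being set. If debian/rules does not already obtain it from dpkg-architecture, every build, Linux included, silently omits WITH_SELINUX. Suggest defining it near the top of the file with DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS), and passing WITH_SELINUX to any later $(MAKE) invocation in the file so the flags stay consistent.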
--
I would rather say that a desire to drive fast sports cars is what sets
man apart from the animals.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C