
Re: The future of the boot system in Debian



Package: upstart
Severity: wishlist
Version: 0.6.3
Tags: patch

On Sat, Sep 05 2009, Manoj Srivastava wrote:

>         One of the features missing in upstart that is present in
>  sysvinit is that the latter loads SELinux security policy early in the
>  boot sequence, and the former does not (please correct me if this is not
>  the case).  I would be happy to help integrate selinux  into upstart,
>  if that is the future of booting in Debian.
>
>         Having /sbin/init load the security policy is good because:
>  a) Doing it in an init script makes it easier to bypass security by
>     running another script earlier (so a malicious superuser may
>     trivially bypass security on reboot). This is even harder to prevent
>     using an event based system.
>  b) Using an init script makes it impossible to enforce security
>     policies and access control over which files /sbin/init may read,
>  c) Since it is compiled in, there is no dependency on things in
>     /usr/bin -- like load_policy, which also needs libsepol1 from /usr,
>     which is not small,
>  d) Putting policy loading in initramfs is bad for two reasons:
>     i) It means we would no longer support SELinux use without having to
>        use initramfs -- my machines do not use either an initramfs, nor
>        modules -- which is easy when using custom kernels, and I think
>        is a use case Debian should continue to support
>    ii) We would need to either patch something in the initramfs to link
>        with libselinux1, to load policy directly, or we will have to
>        load into the initramfs load_policy and libsepol1 from /usr,
>        Adding a couple of small hunks to whatever provides /sbin/init
>        seems easier.
>  e) At this point, we only have two candidates for /sbin/init, sysvinit
>     and upstart, so the burden of writing patches is not onerous, and in
>     any case, I am volunteering to help create the patches.

        Well, here is a (lightly) tested patch for upstart.

        manoj

 .../debian/changelog                               |   11 ++
 .../debian/control                                 |    4 +-
 .../debian/patches/001-selinux-support             |  132 ++++++++++++++++++++
 .../debian/patches/series                          |    1 +
 {upstart-0.6.3.orig => upstart-0.6.3}/debian/rules |    4 +
 5 files changed, 151 insertions(+), 1 deletions(-)

diff --git upstart-0.6.3.orig/debian/changelog upstart-0.6.3/debian/changelog
index be2b21f..afaf59a 100644
--- upstart-0.6.3.orig/debian/changelog
+++ upstart-0.6.3/debian/changelog
@@ -1,3 +1,14 @@
+upstart (0.6.3-1.1) UNRELEASED; urgency=low
+
+  * Add support for loading SELinux policy early in the boot
+    sequence. This changeset adds conditional support for loading SELinux
+    policy early in the boot sequence if a) it is enabled at compile time,
+    and b) the machine has SELinux enabled at run time.  Also, since the
+    SELinux support patch is conditionally effective, this patch adds
+    support for enabling it on Linux architectures. 
+
+ -- Manoj Srivastava <srivasta@debian.org>  Sat, 05 Sep 2009 12:15:46 -0500
+
 upstart (0.6.3-1) unstable; urgency=low
 
   * New upstream release.
diff --git upstart-0.6.3.orig/debian/control upstart-0.6.3/debian/control
index 2c6226b..c4aa61f 100644
--- upstart-0.6.3.orig/debian/control
+++ upstart-0.6.3/debian/control
@@ -4,7 +4,9 @@ Priority: extra
 Maintainer: Michael Biebl <biebl@debian.org>
 Uploaders: martin f. krafft <madduck@debian.org>
 Standards-Version: 3.8.2
-Build-Depends: debhelper (>= 7), quilt, pkg-config (>= 0.22), libdbus-1-dev (>= 1.2.16), libexpat1-dev (>= 2.0.0)
+Build-Depends: debhelper (>= 7), quilt, pkg-config (>= 0.22), libdbus-1-dev (>= 1.2.16), libexpat1-dev (>= 2.0.0),
+               libselinux1-dev (>= 1.14) [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64],
+               libsepol1-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]
 Vcs-Git: git://git.debian.org/git/collab-maint/upstart.git
 Vcs-Browser: http://git.debian.org/?p=collab-maint/upstart.git;a=summary
 Homepage: http://upstart.ubuntu.com/
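Review bot: the architecture qualifier on the two new Build-Depends entries is a negated list (`[!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64]`), while debian/rules in the same patch enables the feature when `DEB_HOST_ARCH_OS` is `linux`. The two conditions are maintained separately, so a further non-Linux port would be asked for the -dev packages even though rules never sets WITH_SELINUX there. Express both conditions the same way, and check whether `libsepol1-dev` is needed as a direct build dependency at all, since init/main.c includes only `<selinux/selinux.h>`.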
diff --git upstart-0.6.3/debian/patches/001-selinux-support upstart-0.6.3/debian/patches/001-selinux-support
new file mode 100644
index 0000000..bceec13
--- /dev/null
+++ upstart-0.6.3/debian/patches/001-selinux-support
@@ -0,0 +1,132 @@
+From 75658fbccea3fe087f1fa5a4971e4319a05201a1 Mon Sep 17 00:00:00 2001
+From: Manoj Srivastava <srivasta@debian.org>
+Date: Sat, 5 Sep 2009 11:46:45 -0500
+Subject: [PATCH 2/2] Add functionality to load SELinux policy early in boot
+
+This patch is applied conditionally, and unless WITH_SELINUX is defined
+when make is called (that is, at compile time), it does nothing. If
+WITH_SELINUX is set to 'yes' at compile time, this patch, analogous to
+that in sysvinit, checks early to see if SELinux is enabled on the
+machine, and then tries to load policy, If loading policy fails,and if
+SELinux is in enforcing mode, it prevents startup.
+
+If the machine does not have selinux enabled at run time, nothing
+happens.
+
+Signed-off-by: Manoj Srivastava <srivasta@debian.org>
+---
+ init/Makefile.am |   12 ++++++++++--
+ init/Makefile.in |   12 ++++++++++--
+ init/main.c      |   22 ++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 4 deletions(-)
+
+diff --git a/init/Makefile.am b/init/Makefile.am
+index c1a8a3c..6119998 100644
+--- a/init/Makefile.am
++++ b/init/Makefile.am
+@@ -5,7 +5,15 @@ initconfdir = $(sysconfdir)/init
+ AM_CFLAGS = \
+ 	$(DBUS_CFLAGS)
+ 
+-AM_CPPFLAGS = \
++ifeq ($(WITH_SELINUX),yes)
++  SELINUX_DEF=-DWITH_SELINUX
++  INIT_SELIBS=-lsepol -lselinux
++else
++  SELINUX_DEF=
++  INIT_SELIBS=
++endif
++
++AM_CPPFLAGS = $(SELINUX_DEF) \
+ 	-DLOCALEDIR="\"$(localedir)\"" \
+ 	-DCONFFILE="\"$(sysconfdir)/init.conf\"" \
+ 	-DCONFDIR="\"$(initconfdir)\"" \
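Review bot: the `ifeq ($(WITH_SELINUX),yes)` / `else` / `endif` block added above `AM_CPPFLAGS` is GNU make syntax placed in an automake input file, and WITH_SELINUX only ever arrives on the make command line, so configure never checks that the SELinux headers and libraries are present before `-DWITH_SELINUX` and `-lsepol -lselinux` are used. A configure switch that sets an automake conditional (`AM_CONDITIONAL`) would keep the option in one place and fail early when the libraries are missing.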
+@@ -58,7 +66,7 @@ init_LDADD = \
+ 	../nih-dbus/libnih-dbus.la \
+ 	$(LTLIBINTL) \
+ 	$(DBUS_LIBS) \
+-	-lrt
++	$(INIT_SELIBS) -lrt
+ 
+ 
+ com_ubuntu_Upstart_OUTPUTS = \
+diff --git a/init/Makefile.in b/init/Makefile.in
+index 4042358..a0b79cf 100644
+--- a/init/Makefile.in
++++ b/init/Makefile.in
+@@ -426,7 +426,15 @@ initconfdir = $(sysconfdir)/init
+ AM_CFLAGS = \
+ 	$(DBUS_CFLAGS)
+ 
+-AM_CPPFLAGS = \
++ifeq ($(WITH_SELINUX),yes)
++  SELINUX_DEF=-DWITH_SELINUX
++  INIT_SELIBS=-lsepol -lselinux
++else
++  SELINUX_DEF=
++  INIT_SELIBS=
++endif
++
++AM_CPPFLAGS = $(SELINUX_DEF) \
+ 	-DLOCALEDIR="\"$(localedir)\"" \
+ 	-DCONFFILE="\"$(sysconfdir)/init.conf\"" \
+ 	-DCONFDIR="\"$(initconfdir)\"" \
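Review bot: the `ifeq` block here is a hand-made copy of the Makefile.am edit in init/Makefile.in, which is generated from Makefile.am, so the two copies must be kept identical manually and this one is lost whenever the file is regenerated. If the package build regenerates the autotools output, patch only Makefile.am; if it does not, say so in the patch header so the duplication is understood.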
+@@ -477,7 +485,7 @@ init_LDADD = \
+ 	../nih-dbus/libnih-dbus.la \
+ 	$(LTLIBINTL) \
+ 	$(DBUS_LIBS) \
+-	-lrt
++	$(INIT_SELIBS) -lrt
+ 
+ com_ubuntu_Upstart_OUTPUTS = \
+ 	com.ubuntu.Upstart.c \
+diff --git a/init/main.c b/init/main.c
+index 2836583..6e76637 100644
+--- a/init/main.c
++++ b/init/main.c
+@@ -58,6 +58,9 @@
+ #include "conf.h"
+ #include "control.h"
+ 
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif
+ 
+ /* Prototypes for static functions */
+ #ifndef DEBUG
+@@ -107,6 +110,9 @@ main (int   argc,
+ {
+ 	char **args;
+ 	int    ret;
++#ifdef WITH_SELINUX
++        int    enforce = 0;
++#endif
+ 
+ 	argv0 = argv[0];
+ 	nih_main_init (argv0);
+@@ -137,6 +143,22 @@ main (int   argc,
+ 		exit (1);
+ 	}
+ 
++#ifdef WITH_SELINUX
++        if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
++          putenv("SELINUX_INIT=YES");
++          if (selinux_init_load_policy(&enforce) == 0 ) {
++            execv(argv0, argv);
++          } else {
++            if (enforce > 0) {
++              /* SELinux in enforcing mode but load_policy failed */
++              /* At this point, we probably can't open /dev/console, so log() won't work */
++              fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
++              exit(1);
++            }
++          }
++        }
++#endif
++
+ 	/* Clear our arguments from the command-line, so that we show up in
+ 	 * ps or top output as /sbin/init, with no extra flags.
+ 	 *
+-- 
+1.6.3.3
+
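Review bot: the result of `execv(argv0, argv)` in the success branch of the new `#ifdef WITH_SELINUX` block in main() is not checked; if the re-exec fails, execution falls through to the rest of main() with policy loaded but without the re-exec, and nothing is reported. Handle that failure explicitly, reporting errno and deciding whether to continue or stop, as the enforcing branch does. Smaller points in the same block: the re-exec guard is `getenv("SELINUX_INIT") == NULL`, so the load is skipped whenever that variable is already in init's environment, which deserves a comment explaining why that is acceptable; `!is_selinux_enabled()` skips the load for any non-zero return, so an error value would be treated like "already enabled"; a failed load with `enforce` at 0 continues without any message; and the added lines are indented with spaces where the surrounding code uses tabs.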
diff --git upstart-0.6.3.orig/debian/patches/series upstart-0.6.3/debian/patches/series
index e27047c..5352374 100644
--- upstart-0.6.3.orig/debian/patches/series
+++ upstart-0.6.3/debian/patches/series
@@ -1 +1,2 @@
 # Debian patches for upstart
+001-selinux-support
diff --git upstart-0.6.3.orig/debian/rules upstart-0.6.3/debian/rules
index bdf25b9..e0b2d9f 100755
--- upstart-0.6.3.orig/debian/rules
+++ upstart-0.6.3/debian/rules
@@ -46,7 +46,11 @@ build: build-stamp
 build-stamp: config.status
 	dh_testdir
 
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+	$(MAKE) WITH_SELINUX="yes"
+else
 	$(MAKE)
+endif
 	touch $@
 
 # Install the package underneath debian/tmp
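Review bot: the `ifeq ($(DEB_HOST_ARCH_OS),linux)` test in build-stamp depends on DEB_HOST_ARCH_OS being set, and nothing in this hunk sets it; if debian/rules does not already obtain it, the variable can be empty when rules is run directly and the SELinux code is silently left out. Define it near the top of the file, for example `DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)`, and consider putting the extra argument in one variable so `$(MAKE)` is written once.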

-- 
I would rather say that a desire to drive fast sports cars is what sets
man apart from the animals.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
