[LEDE-DEV] running stuff as !root

David Lang david at lang.hm
Wed May 18 11:57:06 PDT 2016


On Wed, 18 May 2016, Ferry Huberts wrote:

> On 18/05/16 11:10, David Lang wrote:
>> On Wed, 18 May 2016, Ferry Huberts wrote:
>> 
>>> On 18/05/16 10:03, David Lang wrote:
>>>> On Wed, 18 May 2016, John Crispin wrote:
>>>> 
>>>>> On 18/05/2016 09:46, Ferry Huberts wrote:
>>>>>> 
>>>>>> 
>>>>>> already in-place in Fedora and RedHat/CentOS.
>>>>>> 
>>>>>> You then get even stronger protection and run-time performance
>>>>>> impact is
>>>>>> negligible.
>>>>>> 
>>>>> the stuff I proposed has no runtime hit. SELinux is simple to full
>>> 
>>> SELinux's hit is for all intents and purposes zero as well nowadays.
>>> 
>>>>> blown and hard to maintain. the idea would be to create a custom
>>>>> tailored solution for our requirements.
>>>> 
>>>> That is why I prefer AppArmor, you don't have the interaction between
>>>> different application configs that you do with SELinux, so you can focus
>>>> on the specific application that you are concerned about.
>>> 
>>> AppArmor is significantly less secure than SELinux.
>>> And with SELinux you don't need all the preloading stuff that was
>>> talked about, you can just declare which ports are allowed.
>> 
>> tightly configured in expert hands, you are right. However, that's not
>> the normal user of LEDE/OpenWRT. For what (little) it's worth, I'll
>> point out that if home users are familiar with Linux, the odds are good
>> that it's a flavor of Ubuntu that uses AA rather than Fedora that uses
>> SELinux. (not worth much because the home user probably hasn't touched
>> AA or SELinux)
>
> That should not be an argument to do one or the other.
> You should ask yourself how far you would want to go in securing a router. 
> Personally, I would absolutely love a router with a tight SELinux policy 
> since it protects me well from unsavory access from the outside.
>
>> 
>> do all the compressed filesystems support the tagging needed by SELinux?
>> what about external drives with FAT* or NTFS?
>
> FAT and NTFS do not support it AFAIK, but how is that a problem?
> You'd run SELinux on your internal filesystem.

It's not uncommon for people to attach an external drive for more space, and 
then have stuff run off of that drive.

If SELinux can't find the appropriate labels, does it deny or allow by default?

One of the things that annoys me about SELinux is the fact that a daemon can 
behave differently depending on if it's started by init, or started by the root 
user. I've fielded a lot of problem reports because something worked fine when 
they tested it as root and then failed when init started the process (also as 
uid 0). I've also seen cases where the testing as root created a file/directory 
with a label that isn't allowed when the process is started by init, so they 
have to detect the problem and remove the file to let it be created in the 
correct context.

> For the compressed filesystems: I don't know, they will probably support it 
> if they're good citizen Linux filesystems.

Not all Linux filesystems support xattrs.

>
>> 
>> How do you handle the possible need to re-label your files on a
>> read-only filesystem?
>
>
> Don't know, but take a look at Android, it has SELinux enabled in enforcing 
> mode (the strongest mode).

Android devices tend to have a lot more storage/RAM than many routers. They also 
aren't running on read-only filesystems.

>> what is the difference in kernel size (and tool size) between AA and
>> SELinux?
>> 
>
>
>
> Don't know.
>
>
> For clarity (and for weaseling out): I read a snip of the discussion and 
> wanted to offer another alternative, so that the discussion could consider 
> it.

And I think it's a good thing to bring up and discuss. I happen to dislike 
SELinux and would not have brought up AppArmor until after things were moved to 
not run as root in the first place. But I think it's a good discussion to have.

I am not trying to shout you down, just raising concerns.

David Lang
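The label question raised above (what SELinux does with files on FAT/NTFS or other xattr-less filesystems, and what happens to files it cannot label) can be checked from the mount table. Under SELinux, a filesystem with no security xattrs gets one label for every file from the policy's genfscon rule for that filesystem type (or unlabeled_t if the policy has none), and confined domains are denied access to such files unless the policy explicitly allows it; mounting with context= gives the whole mount a chosen label regardless of xattr support. The script below is an added example by the editor, not code from this thread or from the LEDE/OpenWrt project: it reads a /proc/mounts-style table (the sample is constructed) and reports, per mount, where labels would come from. The filesystem-type sets are assumptions for illustration and are not complete.

```python
"""Where will SELinux get file labels from on each mount?

Added example, not code from the thread or the LEDE/OpenWrt project. It reads
a /proc/mounts-style table (a constructed sample is embedded below) and
reports, per mount, whether labels come from per-file security.selinux
xattrs, from a single context= mount option, or from the policy's
per-filesystem-type fallback. The filesystem-type sets are assumptions.
"""

from dataclasses import dataclass
from typing import List, Optional

# Assumption: these types store a security.selinux xattr per file.
# jffs2 and squashfs only do so when the kernel is built with xattr support.
XATTR_FS = {"ext2", "ext3", "ext4", "xfs", "btrfs", "f2fs", "tmpfs",
            "jffs2", "squashfs", "ubifs", "overlay"}

# Assumption: these types have no security xattrs at all. Without a context=
# option every file on the mount gets the policy's genfscon label for the
# filesystem type (or unlabeled_t if the policy has none).
NO_XATTR_FS = {"vfat", "msdos", "exfat", "ntfs", "iso9660"}


@dataclass
class MountLabels:
    mountpoint: str
    fstype: str
    source: str                     # "xattr", "context-option", "genfscon", "unknown"
    fixed_context: Optional[str]    # label applied to every file, if any
    default_context: Optional[str]  # label for files lacking an xattr, if any


def parse_options(opts: str) -> dict:
    """Turn 'rw,relatime,context=a:b:c:s0' into a dict; bare flags map to True."""
    parsed = {}
    for opt in opts.split(","):
        key, sep, value = opt.partition("=")
        parsed[key] = value.strip('"') if sep else True
    return parsed


def label_source(mount_line: str) -> MountLabels:
    """Classify one /proc/mounts line by where SELinux takes file labels from."""
    fields = mount_line.split()
    if len(fields) < 4:
        raise ValueError(f"not a /proc/mounts line: {mount_line!r}")
    _dev, mountpoint, fstype, opts = fields[:4]
    options = parse_options(opts)

    if "context" in options:
        # context= overrides xattrs and applies one label to the whole mount;
        # it is the usual way to label FAT/NTFS media under SELinux.
        return MountLabels(mountpoint, fstype, "context-option",
                           options["context"], None)
    if fstype in XATTR_FS:
        # Per-file labels; defcontext= (if given) covers files with no xattr.
        return MountLabels(mountpoint, fstype, "xattr", None,
                           options.get("defcontext"))
    if fstype in NO_XATTR_FS:
        return MountLabels(mountpoint, fstype, "genfscon", None, None)
    return MountLabels(mountpoint, fstype, "unknown", None, None)


def mounts_needing_attention(mount_table: str) -> List[str]:
    """Mountpoints that cannot carry per-file labels and have no context= set."""
    flagged = []
    for line in mount_table.strip().splitlines():
        info = label_source(line)
        if info.source in ("genfscon", "unknown"):
            flagged.append(info.mountpoint)
    return flagged


# Constructed sample resembling a router with internal flash plus USB media.
SAMPLE_MOUNTS = """\
/dev/root / squashfs ro,relatime 0 0
/dev/mtdblock5 /overlay jffs2 rw,noatime 0 0
overlayfs:/overlay / overlay rw,noatime,lowerdir=/,upperdir=/overlay/upper,workdir=/overlay/work 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime,defcontext=system_u:object_r:tmp_t:s0 0 0
/dev/sda1 /mnt/sda1 vfat rw,relatime,fmask=0022,dmask=0022 0 0
/dev/sdb1 /mnt/sdb1 ntfs ro,relatime 0 0
/dev/sdc1 /mnt/sdc1 vfat rw,relatime,context=system_u:object_r:removable_t:s0 0 0
"""

if __name__ == "__main__":
    for line in SAMPLE_MOUNTS.strip().splitlines():
        m = label_source(line)
        print(f"{m.mountpoint:12} {m.fstype:9} {m.source:15} "
              f"{m.fixed_context or m.default_context or '-'}")
    print("no per-file labels and no context=:",
          mounts_needing_attention(SAMPLE_MOUNTS))
```

Run it against the real table with `python3 script.py < /proc/mounts` after swapping SAMPLE_MOUNTS for sys.stdin.read(); the mounts it flags are the ones where an attached USB drive would run with whatever single label the policy's genfscon rule gives it, which is the case to settle with a context= mount option before expecting anything run from that drive to work under a confined domain.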
