[OpenWrt-Devel] [PATCH 2/7] package/system/procd: add SELinux support

Thomas Petazzoni thomas.petazzoni at bootlin.com
Fri Nov 22 01:55:36 PST 2019


This commit adds a patch to procd to support loading the SELinux
policy early at boot time, and adjusts the procd package to use this
SELinux support when libselinux is enabled.

The procd patch has been submitted separately [1]: obviously the
intent is to have it merged in the procd Git repository rather than
have it in OpenWrt itself.

[1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/020070.html

Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
---
 package/system/procd/Makefile                 |   5 +-
 ...inimal-SELinux-policy-loading-suppor.patch | 110 ++++++++++++++++++
 2 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch

diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
index c4b86ba746..53d9e1120f 100644
--- a/package/system/procd/Makefile
+++ b/package/system/procd/Makefile
@@ -43,7 +43,7 @@ TARGET_LDFLAGS += -flto
 define Package/procd
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox +libubus +libblobmsg-json +libjson-c
+  DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox +libubus +libblobmsg-json +libjson-c +PACKAGE_libselinux:libselinux
   TITLE:=OpenWrt system process manager
   USERID:=:dialout=20 :audio=29
 endef
@@ -92,7 +92,8 @@ ifdef CONFIG_PACKAGE_procd-ujail
 endif
 
 SECCOMP=$(if $(CONFIG_PACKAGE_procd-seccomp),1,0)
-CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP)
+SELINUX=$(if $(CONFIG_PACKAGE_libselinux),1,0)
+CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP) -DSELINUX=$(SELINUX)
 
 define Package/procd/install
 	$(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
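Review bot: The new `SELINUX=$(if $(CONFIG_PACKAGE_libselinux),1,0)` switches init's policy loading on purely because libselinux happens to be selected for the image, whereas the neighbouring `SECCOMP` line is gated on a procd-specific symbol (`CONFIG_PACKAGE_procd-seccomp`). Since the feature changes init's boot behaviour (a re-exec, and a halt when enforcing mode is requested but the policy cannot be loaded), a dedicated symbol such as `CONFIG_PROCD_SELINUX` that selects libselinux would make that an explicit choice and keep the two gates consistent; the `DEPENDS` hunk above uses the same `PACKAGE_libselinux` condition and would need to follow. This is a style point only; the value passed to `-DSELINUX=` is correct for both settings.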
diff --git a/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch b/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch
new file mode 100644
index 0000000000..cfab059b40
--- /dev/null
+++ b/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch
@@ -0,0 +1,110 @@
+From fe74ad8b11977d0ced5c44f5e389c50ee70bc008 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
+Date: Thu, 23 May 2019 13:57:30 +0200
+Subject: [PATCH] initd/init: add minimal SELinux policy loading support
+
+In order to support SELinux in OpenWRT, this commit introduces minimal
+support for loading the SELinux policy in the init code. The logic is
+very much inspired from what Busybox is doing: call
+selinux_init_load_policy() from libselinux, and then re-execute init
+so that it runs with the SELinux policy in place and enforced.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
+---
+ CMakeLists.txt |  9 ++++++++-
+ initd/init.c   | 38 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 4b3eebd..865e43c 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -40,6 +40,12 @@ IF(ZRAM_TMPFS)
+   SET(SOURCES_ZRAM initd/zram.c)
+ ENDIF()
+ 
++IF(SELINUX)
++  include(FindPkgConfig)
++  pkg_search_module(SELINUX REQUIRED libselinux)
++  add_compile_definitions(WITH_SELINUX)
++ENDIF()
++
+ add_subdirectory(upgraded)
+ 
+ ADD_EXECUTABLE(procd ${SOURCES})
+@@ -56,7 +62,8 @@ ADD_DEFINITIONS(-DDISABLE_INIT)
+ ELSE()
+ ADD_EXECUTABLE(init initd/init.c initd/early.c initd/preinit.c initd/mkdev.c sysupgrade.c watchdog.c
+ 	utils/utils.c ${SOURCES_ZRAM})
+-TARGET_LINK_LIBRARIES(init ${LIBS})
++TARGET_INCLUDE_DIRECTORIES(init PUBLIC ${SELINUX_INCLUDE_DIRS})
++TARGET_LINK_LIBRARIES(init ${LIBS} ${SELINUX_LIBRARIES})
+ INSTALL(TARGETS init
+ 	RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
+ )
+diff --git a/initd/init.c b/initd/init.c
+index 29eee50..561970c 100644
+--- a/initd/init.c
++++ b/initd/init.c
+@@ -29,6 +29,10 @@
+ #include <unistd.h>
+ #include <stdio.h>
+ 
++#if defined(WITH_SELINUX)
++#include <selinux/selinux.h>
++#endif
++
+ #include "../utils/utils.h"
+ #include "init.h"
+ #include "../watchdog.h"
+@@ -67,6 +71,38 @@ cmdline(void)
+ 	}
+ }
+ 
++#if defined(WITH_SELINUX)
++static int
++selinux(char **argv)
++{
++	int enforce = 0;
++	int ret;
++
++	/* SELinux already initialized */
++	if (getenv("SELINUX_INIT"))
++		return 0;
++
++	putenv("SELINUX_INIT=1");
++
++	ret = selinux_init_load_policy(&enforce);
++	if (ret == 0)
++		execv(argv[0], argv);
++
++	if (enforce > 0) {
++		fprintf(stderr, "Cannot load SELinux policy, but system in enforcing mode. Halting.\n");
++		return 1;
++	}
++
++	return 0;
++}
++#else
++static int
++selinux(char **argv)
++{
++	return 0;
++}
++#endif
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -79,6 +115,8 @@ main(int argc, char **argv)
+ 	sigaction(SIGUSR2, &sa_shutdown, NULL);
+ 	sigaction(SIGPWR, &sa_shutdown, NULL);
+ 
++	if (selinux(argv))
++		exit(-1);
+ 	early();
+ 	cmdline();
+ 	watchdog_init(1);
+-- 
+2.21.0
+
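Review bot: In `selinux()` a failed `execv(argv[0], argv)` after a successful `selinux_init_load_policy()` is not reported, and unless `enforce > 0` init silently carries on in its pre-policy context without the intended re-exec; add `perror("execv")` (or the file's logging helper) after the call and treat that failure the same way as a load failure rather than returning 0. The `SELINUX_INIT=1` marker set with `putenv()` stays in `environ` and is inherited by every process the re-exec'd init later spawns, so the early-return branch should `unsetenv("SELINUX_INIT")` before returning. Note also that the kernel passes unrecognised `name=value` boot parameters into init's environment, so the marker can presumably be pre-set from the command line and skip policy loading — comparable to the existing `selinux=0`/`enforcing=0` boot controls, but worth a comment next to the `getenv()` check. `selinux()` runs before `early()`, so none of procd's own early mounts are in place at that point; confirm that `selinux_init_load_policy()` mounts what it needs itself, and consider `(void)argv;` in the `#else` stub to keep `-Wunused-parameter` quiet.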
-- 
2.23.0



