busybox: alternatives link to sh wrappers for commands

While directly using busybox[.[no]suid] as the alternatives' targets, commands could not get correct security labels. ~# ls -l /sbin/getty ..... /sbin/getty -> /bin/busybox.nosuid ~# ls -Z /bin/busybox.nosuid system_u:object_r:bin_t:s0 /bin/busybox.nosuid Add sh wrappers for commands so selinux could work fine. ~# ls -l /sbin/getty ..... /sbin/getty -> /usr/lib/busybox/sbin/getty ~# ls -Z /usr/lib/busybox/sbin/getty system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty ~# cat /usr/lib/busybox/sbin/getty #!/bin/busybox.nosuid Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2013-09-23 21:18:05 +0800
committer: Joe MacDonald <joe@deserted.net> 2013-10-02 13:24:45 -0400
commit: 521ca9c9cf370840e9f8c808a7955aa5da7c356e (patch)
tree: d8883798d9ef8e7a0b86ac1958e322053e8f6574
parent: 20153c8810cecc31873fbe14bb1695a85b77cef4 (diff)
download: meta-selinux-521ca9c9cf370840e9f8c808a7955aa5da7c356e.tar.gz
3 files changed, 94 insertions, 2 deletions
diff --git a/recipes-core/busybox/busybox_1.21.1.bbappend b/recipes-core/busybox/busybox_1.21.1.bbappend
new file mode 100644
index 0000000..b4935b2
--- /dev/null
+++ b/recipes-core/busybox/busybox_1.21.1.bbappend
@@ -0,0 +1,87 @@
+PR .= ".1"
+FILES_${PN} += "${libdir}/${PN}"
+# We should use sh wrappers instead of links so the commands could get correct
+# security labels
+python create_sh_wrapper_reset_alternative_vars () {
+    # We need to load the full set of busybox provides from the /etc/busybox.links
+    # Use this to see the update-alternatives with the right information
+    dvar = d.getVar('D', True)
+    pn = d.getVar('PN', True)
+    def create_sh_alternative_vars(links, target, mode):
+        import shutil
+        # Create sh wrapper template
+        fwp = open("busybox_wrapper", 'w')
+        fwp.write("#!%s" % (target))
+        os.fchmod(fwp.fileno(), mode)
+        fwp.close()
+        # Install the sh wrappers and alternatives reset to link to them
+        wpdir = os.path.join(d.getVar('libdir', True), pn)
+        wpdir_dest = '%s%s' % (dvar, wpdir)
+        if not os.path.exists(wpdir_dest):
+            os.makedirs(wpdir_dest)
+        f = open('%s%s' % (dvar, links), 'r')
+        for alt_link_name in f:
+            alt_link_name = alt_link_name.strip()
+            alt_name = os.path.basename(alt_link_name)
+            # Copy script wrapper to wp_path
+            alt_wppath = '%s%s' % (wpdir, alt_link_name)
+            alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name) 
+            alt_wpdir_dest = os.path.dirname(alt_wppath_dest)
+            if not os.path.exists(alt_wpdir_dest):
+                os.makedirs(alt_wpdir_dest)
+            shutil.copy2("busybox_wrapper", alt_wppath_dest)
+            # Re-set alternatives
+            # Match coreutils
+            if alt_name == '[':
+                alt_name = 'lbracket'
+            d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
+            d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
+            if os.path.exists(alt_wppath_dest):
+                d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
+        f.close()
+        os.remove("busybox_wrapper")
+        return
+    if os.path.exists('%s/etc/busybox.links' % (dvar)):
+        create_sh_alternative_vars("/etc/busybox.links", "/bin/busybox", 0o0755)
+    else:
+        create_sh_alternative_vars("/etc/busybox.links.nosuid", "/bin/busybox.nosuid", 0o0755)
+        create_sh_alternative_vars("/etc/busybox.links.suid", "/bin/busybox.suid", 0o4755)
+}
+# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in
+# do_package_prepend() section of busybox_*.bb.
+PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars "
+# Use sh wrappers instead of links
+pkg_postinst_${PN} () {
+        # This part of code is dedicated to the on target upgrade problem.
+        # It's known that if we don't make appropriate symlinks before update-alternatives calls,
+        # there will be errors indicating missing commands such as 'sed'.
+        # These symlinks will later be updated by update-alternatives calls.
+        test -n 2 > /dev/null || alias test='busybox test'
+        if test "x$D" = "x"; then
+                # Remove busybox.nosuid if it's a symlink, because this situation indicates
+                # that we're installing or upgrading to a one-binary busybox.
+                if test -h /bin/busybox.nosuid; then
+                        rm -f /bin/busybox.nosuid
+                fi
+                for suffix in "" ".nosuid" ".suid"; do
+                        if test -e /etc/busybox.links$suffix; then
+                                while read link; do
+                                        if test ! -e "$link"; then
+                                                # we can use busybox here because even if we are using splitted busybox
+                                                # we've made a symlink from /bin/busybox to /bin/busybox.nosuid.
+                                                busybox echo "#!/bin/busybox$suffix" > $link
+                                        fi
+                                done < /etc/busybox.links$suffix
+                        fi
+                done
+        fi
+}
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
index 2eaecdf..4058b18 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
@@ -8,13 +8,13 @@ Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ---
 config/file_contexts.subs_dist |    8 ++++++++
- 1 files changed, 8 insertions(+), 0 deletions(-)
+ 1 files changed, 11 insertions(+), 0 deletions(-)
 diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
 index 32b87a4..ebba73d 100644
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -5,3 +5,11 @@
+@@ -5,3 +5,14 @@
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib
 /var/run/lock /var/lock
@@ -26,6 +26,9 @@ index 32b87a4..ebba73d 100644
 +/var/volatile/lock /var/lock
 +/var/volatile/run/lock /var/lock
 +/www /var/www
+/usr/lib/busybox/bin /bin
+/usr/lib/busybox/sbin /sbin
+/usr/lib/busybox/usr /usr
 -- 
 1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index d081e33..6871813 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -1,3 +1,5 @@
+PRINC = "1"
 SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
 SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
 SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2013-09-23 21:18:05 +0800
committer	Joe MacDonald <joe@deserted.net>	2013-10-02 13:24:45 -0400
commit	521ca9c9cf370840e9f8c808a7955aa5da7c356e (patch)
tree	d8883798d9ef8e7a0b86ac1958e322053e8f6574
parent	20153c8810cecc31873fbe14bb1695a85b77cef4 (diff)
download	meta-selinux-521ca9c9cf370840e9f8c808a7955aa5da7c356e.tar.gz

diff --git a/recipes-core/busybox/busybox_1.21.1.bbappend b/recipes-core/busybox/busybox_1.21.1.bbappend new file mode 100644 index 0000000..b4935b2 --- /dev/null +++ b/recipes-core/busybox/busybox_1.21.1.bbappend
@@ -0,0 +1,87 @@
		1	PR .= ".1"
		2
		3	FILES_${PN} += "${libdir}/${PN}"
		4
		5	# We should use sh wrappers instead of links so the commands could get correct
		6	# security labels
		7	python create_sh_wrapper_reset_alternative_vars () {
		8	# We need to load the full set of busybox provides from the /etc/busybox.links
		9	# Use this to see the update-alternatives with the right information
		10
		11	dvar = d.getVar('D', True)
		12	pn = d.getVar('PN', True)
		13
		14	def create_sh_alternative_vars(links, target, mode):
		15	import shutil
		16	# Create sh wrapper template
		17	fwp = open("busybox_wrapper", 'w')
		18	fwp.write("#!%s" % (target))
		19	os.fchmod(fwp.fileno(), mode)
		20	fwp.close()
		21	# Install the sh wrappers and alternatives reset to link to them
		22	wpdir = os.path.join(d.getVar('libdir', True), pn)
		23	wpdir_dest = '%s%s' % (dvar, wpdir)
		24	if not os.path.exists(wpdir_dest):
		25	os.makedirs(wpdir_dest)
		26	f = open('%s%s' % (dvar, links), 'r')
		27	for alt_link_name in f:
		28	alt_link_name = alt_link_name.strip()
		29	alt_name = os.path.basename(alt_link_name)
		30	# Copy script wrapper to wp_path
		31	alt_wppath = '%s%s' % (wpdir, alt_link_name)
		32	alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name)
		33	alt_wpdir_dest = os.path.dirname(alt_wppath_dest)
		34	if not os.path.exists(alt_wpdir_dest):
		35	os.makedirs(alt_wpdir_dest)
		36	shutil.copy2("busybox_wrapper", alt_wppath_dest)
		37	# Re-set alternatives
		38	# Match coreutils
		39	if alt_name == '[':
		40	alt_name = 'lbracket'
		41	d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
		42	d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
		43	if os.path.exists(alt_wppath_dest):
		44	d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
		45	f.close()
		46
		47	os.remove("busybox_wrapper")
		48	return
		49
		50	if os.path.exists('%s/etc/busybox.links' % (dvar)):
		51	create_sh_alternative_vars("/etc/busybox.links", "/bin/busybox", 0o0755)
		52	else:
		53	create_sh_alternative_vars("/etc/busybox.links.nosuid", "/bin/busybox.nosuid", 0o0755)
		54	create_sh_alternative_vars("/etc/busybox.links.suid", "/bin/busybox.suid", 0o4755)
		55	}
		56
		57	# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in
		58	# do_package_prepend() section of busybox_*.bb.
		59	PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars "
		60
		61	# Use sh wrappers instead of links
		62	pkg_postinst_${PN} () {
		63	# This part of code is dedicated to the on target upgrade problem.
		64	# It's known that if we don't make appropriate symlinks before update-alternatives calls,
		65	# there will be errors indicating missing commands such as 'sed'.
		66	# These symlinks will later be updated by update-alternatives calls.
		67	test -n 2 > /dev/null \|\| alias test='busybox test'
		68	if test "x$D" = "x"; then
		69	# Remove busybox.nosuid if it's a symlink, because this situation indicates
		70	# that we're installing or upgrading to a one-binary busybox.
		71	if test -h /bin/busybox.nosuid; then
		72	rm -f /bin/busybox.nosuid
		73	fi
		74	for suffix in "" ".nosuid" ".suid"; do
		75	if test -e /etc/busybox.links$suffix; then
		76	while read link; do
		77	if test ! -e "$link"; then
		78	# we can use busybox here because even if we are using splitted busybox
		79	# we've made a symlink from /bin/busybox to /bin/busybox.nosuid.
		80	busybox echo "#!/bin/busybox$suffix" > $link
		81	fi
		82	done < /etc/busybox.links$suffix
		83	fi
		84	done
		85	fi
		86	}
		87


diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch index 2eaecdf..4058b18 100644 --- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
@@ -8,13 +8,13 @@ Upstream-Status: Inappropriate [only for Poky]
8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>	8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9	---	9	---
10	config/file_contexts.subs_dist \| 8 ++++++++	10	config/file_contexts.subs_dist \| 8 ++++++++
11	1 files changed, 8 insertions(+), 0 deletions(-)	11	1 files changed, 11 insertions(+), 0 deletions(-)
12		12
13	diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist	13	diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
14	index 32b87a4..ebba73d 100644	14	index 32b87a4..ebba73d 100644
15	--- a/config/file_contexts.subs_dist	15	--- a/config/file_contexts.subs_dist
16	+++ b/config/file_contexts.subs_dist	16	+++ b/config/file_contexts.subs_dist
17	@@ -5,3 +5,11 @@	17	@@ -5,3 +5,14 @@
18	/usr/lib32 /usr/lib	18	/usr/lib32 /usr/lib
19	/usr/lib64 /usr/lib	19	/usr/lib64 /usr/lib
20	/var/run/lock /var/lock	20	/var/run/lock /var/lock
@@ -26,6 +26,9 @@ index 32b87a4..ebba73d 100644
26	+/var/volatile/lock /var/lock	26	+/var/volatile/lock /var/lock
27	+/var/volatile/run/lock /var/lock	27	+/var/volatile/run/lock /var/lock
28	+/www /var/www	28	+/www /var/www
		29	+/usr/lib/busybox/bin /bin
		30	+/usr/lib/busybox/sbin /sbin
		31	+/usr/lib/busybox/usr /usr
29	--	32	--
30	1.7.5.4	33	1.7.5.4
31		34


diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc index d081e33..6871813 100644 --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -1,3 +1,5 @@
		1	PRINC = "1"
		2
1	SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"	3	SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
2	SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"	4	SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
3	SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"	5	SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"