author | Xin Ouyang <Xin.Ouyang@windriver.com> | 2013-09-23 21:18:05 +0800 |
committer | Joe MacDonald <joe@deserted.net> | 2013-10-02 13:24:45 -0400 |
commit | 521ca9c9cf370840e9f8c808a7955aa5da7c356e (patch) | |
tree | d8883798d9ef8e7a0b86ac1958e322053e8f6574 | |
parent | 20153c8810cecc31873fbe14bb1695a85b77cef4 (diff) | |
busybox: alternatives link to sh wrappers for commands
While directly using busybox[.[no]suid] as the alternatives'
targets, commands could not get correct security labels.
~# ls -l /sbin/getty
..... /sbin/getty -> /bin/busybox.nosuid
~# ls -Z /bin/busybox.nosuid
system_u:object_r:bin_t:s0 /bin/busybox.nosuid
Add sh wrappers for the commands so that SELinux can label them correctly.
~# ls -l /sbin/getty
..... /sbin/getty -> /usr/lib/busybox/sbin/getty
~# ls -Z /usr/lib/busybox/sbin/getty
system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty
~# cat /usr/lib/busybox/sbin/getty
#!/bin/busybox.nosuid
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
3 files changed, 94 insertions, 2 deletions
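--- /dev/null
+++ b/recipes-core/busybox/busybox_1.21.1.bbappend
@@ -0,0 +1,87 @@
+PR .= ".1"
+
+FILES_${PN} += "${libdir}/${PN}"
+
+# We should use sh wrappers instead of links so the commands could get correct
+# security labels
+python create_sh_wrapper_reset_alternative_vars () {
+# We need to load the full set of busybox provides from the /etc/busybox.links
+# Use this to see the update-alternatives with the right information
+
+dvar = d.getVar('D', True)
+pn = d.getVar('PN', True)
+
+def create_sh_alternative_vars(links, target, mode):
+import shutil
+# Create sh wrapper template
+fwp = open("busybox_wrapper", 'w')
+fwp.write("#!%s" % (target))
+os.fchmod(fwp.fileno(), mode)
+fwp.close()
+# Install the sh wrappers and alternatives reset to link to them
+wpdir = os.path.join(d.getVar('libdir', True), pn)
+wpdir_dest = '%s%s' % (dvar, wpdir)
+if not os.path.exists(wpdir_dest):
+os.makedirs(wpdir_dest)
+f = open('%s%s' % (dvar, links), 'r')
+for alt_link_name in f:
+alt_link_name = alt_link_name.strip()
+alt_name = os.path.basename(alt_link_name)
+# Copy script wrapper to wp_path
+alt_wppath = '%s%s' % (wpdir, alt_link_name)
+alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name)
+alt_wpdir_dest = os.path.dirname(alt_wppath_dest)
+if not os.path.exists(alt_wpdir_dest):
+os.makedirs(alt_wpdir_dest)
+shutil.copy2("busybox_wrapper", alt_wppath_dest)
+# Re-set alternatives
+# Match coreutils
+if alt_name == '[':
+alt_name = 'lbracket'
+d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
+d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
+if os.path.exists(alt_wppath_dest):
+d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
+f.close()
+
+os.remove("busybox_wrapper")
+return
+
+if os.path.exists('%s/etc/busybox.links' % (dvar)):
+create_sh_alternative_vars("/etc/busybox.links", "/bin/busybox", 0o0755)
+else:
+create_sh_alternative_vars("/etc/busybox.links.nosuid", "/bin/busybox.nosuid", 0o0755)
+create_sh_alternative_vars("/etc/busybox.links.suid", "/bin/busybox.suid", 0o4755)
+}
+
+# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in
+# do_package_prepend() section of busybox_*.bb.
+PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars "
+
+# Use sh wrappers instead of links
+pkg_postinst_${PN} () {
+# This part of code is dedicated to the on target upgrade problem.
+# It's known that if we don't make appropriate symlinks before update-alternatives calls,
+# there will be errors indicating missing commands such as 'sed'.
+# These symlinks will later be updated by update-alternatives calls.
+test -n 2 > /dev/null || alias test='busybox test'
+if test "x$D" = "x"; then
+# Remove busybox.nosuid if it's a symlink, because this situation indicates
+# that we're installing or upgrading to a one-binary busybox.
+if test -h /bin/busybox.nosuid; then
+rm -f /bin/busybox.nosuid
+fi
+for suffix in "" ".nosuid" ".suid"; do
+if test -e /etc/busybox.links$suffix; then
+while read link; do
+if test ! -e "$link"; then
+# we can use busybox here because even if we are using splitted busybox
+# we've made a symlink from /bin/busybox to /bin/busybox.nosuid.
+busybox echo "#!/bin/busybox$suffix" > $link
+fi
+done < /etc/busybox.links$suffix
+fi
+done
+fi
+}
+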
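Review bot: The placeholder written in pkg_postinst at line 80, `busybox echo "#!/bin/busybox$suffix" > $link`, is created as a regular file with the shell's default (non-executable) mode, so the commands it is meant to keep available until update-alternatives runs exist but cannot be executed, and the unquoted `$link` will split on any whitespace in the links file; write it as `busybox echo "#!/bin/busybox$suffix" > "$link"` followed by `busybox chmod 755 "$link"`. On the Python side, the template is written to the relative path "busybox_wrapper" in whatever directory the task happens to run in and is only removed on the success path (line 47), so a failure in the loop leaves it behind; creating it under a build-private temporary directory and removing it in a try/finally would be safer. The 0o4755 passed for the .suid set (line 54) ends up on an interpreter script, which Linux executes without honouring the setuid bit, so the privilege comes from /bin/busybox.suid itself; a short comment saying so, e.g. `# setuid on the wrapper is ignored for scripts; /bin/busybox.suid carries the bit`, would stop a later reader from treating the mode as load-bearing. The shebang is also written without a trailing newline (line 18), unlike the echo form in the postinst; adding one keeps the two wrappers byte-identical.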
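--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
@@ -8,13 +8,13 @@ Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ---
 config/file_contexts.subs_dist | 8 ++++++++
-1 files changed, 8 insertions(+), 0 deletions(-)
+1 files changed, 11 insertions(+), 0 deletions(-)
 
 diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
 index 32b87a4..ebba73d 100644
 --- a/config/file_contexts.subs_dist
 +++ b/config/file_contexts.subs_dist
-@@ -5,3 +5,11 @@
+@@ -5,3 +5,14 @@
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib
 /var/run/lock /var/lock
@@ -26,6 +26,9 @@ index 32b87a4..ebba73d 100644
 +/var/volatile/lock /var/lock
 +/var/volatile/run/lock /var/lock
 +/www /var/www
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
 --
 1.7.5.4
 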
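Review bot: The embedded patch's diffstat is now internally inconsistent: line 11 is updated to "11 insertions(+)" while line 10 still reads `config/file_contexts.subs_dist | 8 ++++++++`; change it to `config/file_contexts.subs_dist | 11 +++++++++++` so the two agree (the hunk header at line 17 is already corrected to +5,14). The `index 32b87a4..ebba73d` line at line 14 is likewise left from the older version of the patch; since the blob ids no longer match the content it is worth either regenerating the patch or accepting that git will ignore the stale ids when applying.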
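--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -1,3 +1,5 @@
+PRINC = "1"
+
 SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
 SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
 SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"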