From 521ca9c9cf370840e9f8c808a7955aa5da7c356e Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Mon, 23 Sep 2013 21:18:05 +0800
Subject: busybox: alternatives link to sh wrappers for commands
While directly using busybox[.[no]suid] as the alternatives' targets, commands could not get correct security labels.
~# ls -l /sbin/getty
..... /sbin/getty -> /bin/busybox.nosuid
~# ls -Z /bin/busybox.nosuid
system_u:object_r:bin_t:s0 /bin/busybox.nosuid
Add sh wrappers for commands so selinux could work fine.
~# ls -l /sbin/getty
..... /sbin/getty -> /usr/lib/busybox/sbin/getty
~# ls -Z /usr/lib/busybox/sbin/getty
system_u:object_r:getty_exec_t:s0 /usr/lib/busybox/sbin/getty
~# cat /usr/lib/busybox/sbin/getty
#!/bin/busybox.nosuid
Signed-off-by: Xin Ouyang
Signed-off-by: Joe MacDonald
---
recipes-core/busybox/busybox_1.21.1.bbappend | 87 ++++++++++++++++++++++
.../refpolicy-2.20130424/poky-fc-subs_dist.patch | 7 +-
.../refpolicy/refpolicy_2.20130424.inc | 2 +
3 files changed, 94 insertions(+), 2 deletions(-)
create mode 100644 recipes-core/busybox/busybox_1.21.1.bbappend
diff --git a/recipes-core/busybox/busybox_1.21.1.bbappend b/recipes-core/busybox/busybox_1.21.1.bbappend
new file mode 100644
index 0000000..b4935b2
--- /dev/null
+++ b/recipes-core/busybox/busybox_1.21.1.bbappend
@@ -0,0 +1,87 @@
+PR .= ".1"
+
+FILES_${PN} += "${libdir}/${PN}"
+
+# We should use sh wrappers instead of links so the commands could get correct
+# security labels
+python create_sh_wrapper_reset_alternative_vars () {
+ # We need to load the full set of busybox provides from the /etc/busybox.links
+ # Use this to see the update-alternatives with the right information
+
+ dvar = d.getVar('D', True)
+ pn = d.getVar('PN', True)
+
+ def create_sh_alternative_vars(links, target, mode):
+ import shutil
+ # Create sh wrapper template
+ fwp = open("busybox_wrapper", 'w')
+ fwp.write("#!%s" % (target))
+ os.fchmod(fwp.fileno(), mode)
+ fwp.close()
+ # Install the sh wrappers and alternatives reset to link to them
+ wpdir = os.path.join(d.getVar('libdir', True), pn)
+ wpdir_dest = '%s%s' % (dvar, wpdir)
+ if not os.path.exists(wpdir_dest):
+ os.makedirs(wpdir_dest)
+ f = open('%s%s' % (dvar, links), 'r')
+ for alt_link_name in f:
+ alt_link_name = alt_link_name.strip()
+ alt_name = os.path.basename(alt_link_name)
+ # Copy script wrapper to wp_path
+ alt_wppath = '%s%s' % (wpdir, alt_link_name)
+ alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name)
+ alt_wpdir_dest = os.path.dirname(alt_wppath_dest)
+ if not os.path.exists(alt_wpdir_dest):
+ os.makedirs(alt_wpdir_dest)
+ shutil.copy2("busybox_wrapper", alt_wppath_dest)
+ # Re-set alternatives
+ # Match coreutils
+ if alt_name == '[':
+ alt_name = 'lbracket'
+ d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name)
+ d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name)
+ if os.path.exists(alt_wppath_dest):
+ d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath)
+ f.close()
+
+ os.remove("busybox_wrapper")
+ return
+
+ if os.path.exists('%s/etc/busybox.links' % (dvar)):
+ create_sh_alternative_vars("/etc/busybox.links", "/bin/busybox", 0o0755)
+ else:
+ create_sh_alternative_vars("/etc/busybox.links.nosuid", "/bin/busybox.nosuid", 0o0755)
+ create_sh_alternative_vars("/etc/busybox.links.suid", "/bin/busybox.suid", 0o4755)
+}
+
+# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in
+# do_package_prepend() section of busybox_*.bb.
+PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars "
+
+# Use sh wrappers instead of links
+pkg_postinst_${PN} () {
+ # This part of code is dedicated to the on target upgrade problem.
+ # It's known that if we don't make appropriate symlinks before update-alternatives calls,
+ # there will be errors indicating missing commands such as 'sed'.
+ # These symlinks will later be updated by update-alternatives calls.
+ test -n 2 > /dev/null || alias test='busybox test'
+ if test "x$D" = "x"; then
+ # Remove busybox.nosuid if it's a symlink, because this situation indicates
+ # that we're installing or upgrading to a one-binary busybox.
+ if test -h /bin/busybox.nosuid; then
+ rm -f /bin/busybox.nosuid
+ fi
+ for suffix in "" ".nosuid" ".suid"; do
+ if test -e /etc/busybox.links$suffix; then
+ while read link; do
+ if test ! -e "$link"; then
+ # we can use busybox here because even if we are using splitted busybox
+ # we've made a symlink from /bin/busybox to /bin/busybox.nosuid.
+ busybox echo "#!/bin/busybox$suffix" > $link
+ fi
+ done < /etc/busybox.links$suffix
+ fi
+ done
+ fi
+}
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
index 2eaecdf..4058b18 100644
--- a/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-fc-subs_dist.patch
@@ -8,13 +8,13 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang
---
config/file_contexts.subs_dist | 8 ++++++++
- 1 files changed, 8 insertions(+), 0 deletions(-)
+ 1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
index 32b87a4..ebba73d 100644
--- a/config/file_contexts.subs_dist
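Review bot: In pkg_postinst_${PN}, the fallback `busybox echo "#!/bin/busybox$suffix" > $link` creates a regular file with the umask-derived mode (0644 under the usual 022), so the interim /bin/sed and friends are not executable and the update-alternatives run this block exists to protect presumably still fails, now with "Permission denied" instead of "not found"; add `busybox chmod 755 "$link"` after the redirect, quote `$link` there as the `test ! -e "$link"` line already does, and reword the comment that still says "These symlinks will later be updated" since they are now files. In the Python part, `0o4755` on the wrappers generated for busybox.suid buys nothing at runtime — Linux ignores setuid/setgid bits on interpreter scripts, so the privilege comes solely from the `/bin/busybox.suid` target — but it does register every suid-applet wrapper as a setuid file in the package payload and in any setuid audit, so `0o0755` plus a comment naming the target as the privileged binary is clearer. The wrapper template is also opened as the relative path `busybox_wrapper` in whatever the task's working directory is, and nothing between that `open` and the final `os.remove` is under try/finally, so a failing `copy2` or `makedirs` leaves the template behind (possibly inside ${D} for package tasks — verify); writing it under WORKDIR (`os.path.join(d.getVar('WORKDIR', True), 'busybox_wrapper')`) or via `tempfile` and removing it in a `finally` avoids a stray file.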
+++ b/config/file_contexts.subs_dist
-@@ -5,3 +5,11 @@
+@@ -5,3 +5,14 @@
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
/var/run/lock /var/lock
@@ -26,6 +26,9 @@ index 32b87a4..ebba73d 100644
+/var/volatile/lock /var/lock
+/var/volatile/run/lock /var/lock
+/www /var/www
++/usr/lib/busybox/bin /bin
++/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/usr /usr
--
1.7.5.4
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index d081e33..6871813 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -1,3 +1,5 @@
+PRINC = "1"
+
SRC_URI = "http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2;"
SRC_URI[md5sum] = "6a5c975258cc8eb92c122f11b11a5085"
SRC_URI[sha256sum] = "6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4"
--
cgit v1.2.3-54-g00ecf