From patchwork Fri Jul 31 10:10:29 2020
X-Patchwork-Submitter: Antoine Tenart
X-Patchwork-Id: 1339367
From: Antoine Tenart <antoine.tenart@bootlin.com>
To: buildroot@buildroot.org
Cc: matthew.weber@rockwellcollins.com, clshotwe@rockwellcollins.com, thomas.petazzoni@bootlin.com, daniel.riechers@rockwellcollins.com, aduskett@gmail.com
Date: Fri, 31 Jul 2020 12:10:29 +0200
Message-Id: <20200731101040.1723047-5-antoine.tenart@bootlin.com>
In-Reply-To: <20200731101040.1723047-1-antoine.tenart@bootlin.com>
Subject: [Buildroot] [PATCH 04/15] package/refpolicy: smaller monolithic policy

The refpolicy is configured to use a monolithic build, compiling all the available modules (whether they're 'base' or 'modules' ones) in the binary policy. The result is a quite big SELinux policy, with a lot more rules than what would be needed in a Buildroot image.

Refactor the refpolicy build configuration to enable fewer modules by default. To achieve this, all the modules marked as being part of the 'base' policy are kept but all the modules marked as being only 'modules' are disabled. Then a static list of modules (in addition to the already selected 'base' ones) is enabled. The result is a much smaller refpolicy: my tests showed a reduction of the binary policy from 2.4M to 249K (~90% smaller).

This minimal set of SELinux modules should allow booting a system in enforcing mode in the future. It currently does not work, not because extra modules are needed, but because of required changes within the selected modules.

This patch would break backward compatibility as the refpolicy will no longer have all the modules provided by the project, but only those selected.
This should not be an issue as this configuration was not suitable directly for a real system. Modifications had to be done. If we still find out later that this is an issue for someone, we'll have the ability to mimic what was done previously thanks to other mechanisms (such as providing the upstream policy as a "custom" policy location). Signed-off-by: Antoine Tenart --- package/refpolicy/refpolicy.mk | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index 9346649b2c57..0ce83d2cbdcb 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -29,6 +29,33 @@ REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) REFPOLICY_POLICY_STATE = \ $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE)) +REFPOLICY_MODULES = \ + application \ + authlogin \ + getty \ + init \ + libraries \ + locallogin \ + logging \ + miscfiles \ + modutils \ + mount \ + selinuxutil \ + storage \ + sysadm \ + sysnetwork \ + unconfined \ + userdomain + +# In the context of a monolithic policy enabling a piece of the policy as +# 'base' or 'module' is equivalent, so we enable them as 'base'. +define REFPOLICY_CONFIGURE_MODULES + $(SED) "s/ = module/ = no/g" $(@D)/policy/modules.conf + $(foreach m,$(REFPOLICY_MODULES), + $(SED) "/^$(m) =/c\$(m) = base" $(@D)/policy/modules.conf + ) +endef + ifeq ($(BR2_INIT_SYSTEMD),y) define REFPOLICY_CONFIGURE_SYSTEMD $(SED) "/SYSTEMD/c\SYSTEMD = y" $(@D)/build.conf @@ -45,6 +72,7 @@ endef define REFPOLICY_BUILD_CMDS $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) bare conf + $(REFPOLICY_CONFIGURE_MODULES) endef define REFPOLICY_INSTALL_STAGING_CMDS
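Review bot: the hard-coded REFPOLICY_MODULES list in the first hunk contains `unconfined`, so every domain that module covers stays unrestricted even once the policy is loaded in enforcing mode, which the commit message names as the goal; a comment next to the list saying why `unconfined` is needed for now (and when it is expected to go) would stop it from being carried forward silently. The list is also not user-extensible: a board that needs `ssh` or `dbus` has to patch refpolicy.mk, so consider exposing an additional-modules list through a Config.in option and appending it to REFPOLICY_MODULES before the foreach.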
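Review bot: in the second hunk `$(REFPOLICY_CONFIGURE_MODULES)` runs right after `bare conf` with no check that each name in REFPOLICY_MODULES exists in $(@D)/policy/modules.conf; the `/^$(m) =/c\$(m) = base` edit silently matches nothing if a module is misspelled or renamed upstream, so the policy builds without it and the missing rules only show up as denials at runtime. Suggest failing the build instead, e.g. a `grep -q "^$(m) =" $(@D)/policy/modules.conf || exit 1` per module inside the foreach before the sed, so a stale list is caught at build time rather than on the target.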
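To show what the two sed rewrites in REFPOLICY_CONFIGURE_MODULES do to a modules.conf, and to demonstrate the missing-module check the patch lacks, here is an added shell example that is not part of the patch or of Buildroot: it builds a constructed sample modules.conf (module names and states are illustrative), applies the same transformation, and refuses a module name that is not present in the file.

```shell
#!/bin/sh
# Added example, not part of the patch: emulate the modules.conf rewrite the
# patch performs with sed on a constructed sample, plus the check the hunk
# lacks: fail if a requested module name is absent from modules.conf.

# Constructed sample modules.conf; module names and states are illustrative.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Layer: kernel
kernel = base
selinux = base
# Layer: system
init = module
libraries = module
logging = module
unconfined = module
# Layer: services
ssh = module
EOF
}

# Apply the same two rewrites as REFPOLICY_CONFIGURE_MODULES: every 'module'
# becomes 'no', then each requested module is forced to 'base'.
# Unlike the patch, a requested module that is not in the file is an error
# (return 1, name printed on stderr) instead of being silently skipped.
configure_modules() {
    conf="$1"; shift
    sed -i "s/ = module/ = no/g" "$conf"
    for m in "$@"; do
        grep -q "^$m =" "$conf" || { echo "module not in modules.conf: $m" >&2; return 1; }
        sed -i "/^$m =/c\\$m = base" "$conf"
    done
}

# Print the sorted, space-separated list of modules that end up enabled ('base').
enabled_modules() {
    sed -n 's/^\([a-z_]*\) = base$/\1/p' "$1" | sort | tr '\n' ' '
}
```

Running `configure_modules modules.conf init libraries logging unconfined` on the sample leaves the two 'base' kernel modules and the four requested ones enabled and turns `ssh` to 'no'; requesting a name that is not in the file returns 1 rather than producing a policy with a hole in it.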