[patch][BusyBox] Domain assignment support for SELinux/AppArmor/LIDS
Natanael Copa
natanael.copa at gmail.com
Thu Aug 9 23:34:21 PDT 2007
On Wed, 2007-08-08 at 13:38 +0900, himainu-ynakam at miomio.jp wrote:
> Hello.
>
> We would like to suggest Secure OSes(such as SELinux/AppArmor/LIDS) domain
> assignment support for BusyBox. This work is done by Hiroshi Shinji.
...
> For example, in the case of SELinux, /sbin/syslogd is assigned syslogd_t
> domain at the execution time of /sbin/syslogd. syslogd_t are allowed to
> read syslogd.conf, write log files, etc.
>
> However, current BusyBox does not suitable for assigning domains.
> Because BusyBox is a single file that is called through a lot of links.
>
> Secure OS treats "/sbin/syslogd" and "/sbin/httpd" as "/bin/busybox".
> So, /sbin/syslogd and /sbin/httpd run as the same domain.
This is a problem for start-stop-daemon too. IT would solve issues with
SUID bit programs too (like passwd, su ...)
> 2. Our solution
> Shinji came up with one idea. He thought "script wrappper" like below.
while I agree it would be nice to have every applet as a separate
executable, I'm not sure I like the idea of executing shell for every
command. It *feels* hackish.
> Assigning domain is critical to secure OSes.
> We want way to assign to domains to busybox applets.
> Please review this patch and consider merging.
The patch is the shortest way to accomplish this. I would believe the
"correct" way would be to compile every applet as a standalone, linked
to a libbb.so. I think its even mentioned in the TODO.
Natanael Copa
More information about the busybox
mailing list