This commit adds a patch to procd to support loading the SELinux policy early at boot time, and adjusts the procd package to use this SELinux support when libselinux is enabled.
The procd patch has been submitted separately [1]: obviously the intent is to have it merged in the procd Git repository rather than have it in OpenWrt itself.
[1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/020070.html
Signed-off-by: Thomas Petazzoni <thomas.petazz...@bootlin.com>
---
 package/system/procd/Makefile | 5 +-
 ...inimal-SELinux-policy-loading-suppor.patch | 110 ++++++++++++++++++
 2 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch
diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
index c4b86ba746..53d9e1120f 100644
--- a/package/system/procd/Makefile
+++ b/package/system/procd/Makefile
@@ -43,7 +43,7 @@ TARGET_LDFLAGS += -flto
 define Package/procd
 SECTION:=base
 CATEGORY:=Base system
- DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox +libubus +libblobmsg-json +libjson-c
+ DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox +libubus +libblobmsg-json +libjson-c +PACKAGE_libselinux:libselinux
 TITLE:=OpenWrt system process manager
 USERID:=:dialout=20 :audio=29
 endef
@@ -92,7 +92,8 @@ ifdef CONFIG_PACKAGE_procd-ujail
 endif
 
 SECCOMP=$(if $(CONFIG_PACKAGE_procd-seccomp),1,0)
-CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP)
+SELINUX=$(if $(CONFIG_PACKAGE_libselinux),1,0)
+CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP) -DSELINUX=$(SELINUX)
 
 define Package/procd/install
 $(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
diff --git a/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch b/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch
new file mode 100644
index 0000000000..cfab059b40
--- /dev/null
+++ b/package/system/procd/patches/0001-initd-init-add-minimal-SELinux-policy-loading-suppor.patch
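Review bot: `SELINUX=$(if $(CONFIG_PACKAGE_libselinux),1,0)` in the second Makefile hunk keys SELinux policy loading inside init off whether the libselinux package happens to be selected at all, so enabling libselinux for any unrelated reason silently changes how init boots; a dedicated procd config symbol that in turn selects libselinux (for instance `PROCD_SELINUX`, a constructed name) would make the behaviour explicit. `$(if …)` is also true for a module (`m`) selection, not only `y`; whether `+PACKAGE_libselinux:libselinux` in the first hunk then promotes libselinux into the image next to a built-in procd is not visible here and is worth confirming, since init linked against libselinux must be able to resolve it at boot.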
@@ -0,0 +1,110 @@ +From fe74ad8b11977d0ced5c44f5e389c50ee70bc008 Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni <thomas.petazz...@bootlin.com> +Date: Thu, 23 May 2019 13:57:30 +0200 +Subject: [PATCH] initd/init: add minimal SELinux policy loading support + +In order to support SELinux in OpenWRT, this commit introduces minimal +support for loading the SELinux policy in the init code. The logic is +very much inspired from what Busybox is doing: call +selinux_init_load_policy() from libselinux, and then re-execute init +so that it runs with the SELinux policy in place and enforced. + +Signed-off-by: Thomas Petazzoni <thomas.petazz...@bootlin.com> +--- + CMakeLists.txt | 9 ++++++++- + initd/init.c | 38 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 4b3eebd..865e43c 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -40,6 +40,12 @@ IF(ZRAM_TMPFS) + SET(SOURCES_ZRAM initd/zram.c) + ENDIF() + ++IF(SELINUX) ++ include(FindPkgConfig) ++ pkg_search_module(SELINUX REQUIRED libselinux) ++ add_compile_definitions(WITH_SELINUX) ++ENDIF() ++ + add_subdirectory(upgraded) + + ADD_EXECUTABLE(procd ${SOURCES}) +@@ -56,7 +62,8 @@ ADD_DEFINITIONS(-DDISABLE_INIT) + ELSE() + ADD_EXECUTABLE(init initd/init.c initd/early.c initd/preinit.c initd/mkdev.c sysupgrade.c watchdog.c + utils/utils.c ${SOURCES_ZRAM}) +-TARGET_LINK_LIBRARIES(init ${LIBS}) ++TARGET_INCLUDE_DIRECTORIES(init PUBLIC ${SELINUX_INCLUDE_DIRS}) ++TARGET_LINK_LIBRARIES(init ${LIBS} ${SELINUX_LIBRARIES}) + INSTALL(TARGETS init + RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR} + ) +diff --git a/initd/init.c b/initd/init.c +index 29eee50..561970c 100644 +--- a/initd/init.c ++++ b/initd/init.c +@@ -29,6 +29,10 @@ + #include <unistd.h> + #include <stdio.h> + ++#if defined(WITH_SELINUX) ++#include <selinux/selinux.h> ++#endif ++ + #include "../utils/utils.h" + #include "init.h" + #include "../watchdog.h" +@@ -67,6 +71,38 @@ 
cmdline(void)
+ }
+ }
+ 
++#if defined(WITH_SELINUX)
++static int
++selinux(char **argv)
++{
++ int enforce = 0;
++ int ret;
++
++ /* SELinux already initialized */
++ if (getenv("SELINUX_INIT"))
++ return 0;
++
++ putenv("SELINUX_INIT=1");
++
++ ret = selinux_init_load_policy(&enforce);
++ if (ret == 0)
++ execv(argv[0], argv);
++
++ if (enforce > 0) {
++ fprintf(stderr, "Cannot load SELinux policy, but system in enforcing mode. Halting.\n");
++ return 1;
++ }
++
++ return 0;
++}
++#else
++static int
++selinux(char **argv)
++{
++ return 0;
++}
++#endif
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -79,6 +115,8 @@ main(int argc, char **argv)
+ sigaction(SIGUSR2, &sa_shutdown, NULL);
+ sigaction(SIGPWR, &sa_shutdown, NULL);
+ 
++ if (selinux(argv))
++ exit(-1);
+ early();
+ cmdline();
+ watchdog_init(1);
+-- 
+2.21.0
+
-- 
2.23.0
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
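Review bot: In the new `selinux()` in initd/init.c, a failed `execv(argv[0], argv)` after a successful `selinux_init_load_policy()` is silent and falls through to the `enforce > 0` test, so in enforcing mode the halt message claims the policy could not be loaded when it was loaded and only the re-exec failed, and in permissive mode init simply carries on in its pre-policy context with nothing in the log. I would report the exec failure before falling through (below); `strerror` needs `<string.h>` and `<errno.h>` if init.c does not already include them, which this hunk does not show. Two smaller points: `SELINUX_INIT=1` is never removed once the re-exec'd init passes the `getenv` guard, so every process init spawns inherits it, and an `unsetenv("SELINUX_INIT");` right after the check would keep it out of their environments; and `exit(-1)` in `main()` (whose body continues outside the hunk) reads better as `exit(EXIT_FAILURE)`. A one-line comment above the function, e.g. `/* Load the SELinux policy and re-exec init so it runs under it; SELINUX_INIT marks the second run. */`, would spare the next reader the Busybox comparison.
```c
	ret = selinux_init_load_policy(&enforce);
	if (ret == 0) {
		execv(argv[0], argv);
		/* only reached when the re-exec failed; say so, then apply the enforce check below */
		fprintf(stderr, "SELinux policy loaded but re-exec of %s failed: %s\n",
			argv[0], strerror(errno));
	}
	/* … unchanged: enforce check and return … */
```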