On Fri, 10 Aug 2007 08:34:21 +0200 Natanael Copa wrote: > On Wed, 2007-08-08 at 13:38 +0900, [EMAIL PROTECTED] wrote: > > Hello. > > > > We would like to suggest Secure OSes(such as SELinux/AppArmor/LIDS) domain > > assignment support for BusyBox. This work is done by Hiroshi Shinji. > > ... > > > For example, in the case of SELinux, /sbin/syslogd is assigned syslogd_t > > domain at the execution time of /sbin/syslogd. syslogd_t are allowed to > > read syslogd.conf, write log files, etc. > > > > However, current BusyBox does not suitable for assigning domains. > > Because BusyBox is a single file that is called through a lot of links. > > > > Secure OS treats "/sbin/syslogd" and "/sbin/httpd" as "/bin/busybox". > > So, /sbin/syslogd and /sbin/httpd run as the same domain. > > This is a problem for start-stop-daemon too. IT would solve issues with > SUID bit programs too (like passwd, su ...) > > > 2. Our solution > > Shinji came up with one idea. He thought "script wrappper" like below. > > while I agree it would be nice to have every applet as a separate > executable, I'm not sure I like the idea of executing shell for every > command. It *feels* hackish. Yes, as you say, it may be tricky, but there are other tricky things like treatment of global value in busybox I think.
> > Assigning domain is critical to secure OSes. > > We want way to assign to domains to busybox applets. > > Please review this patch and consider merging. > > The patch is the shortest way to accomplish this. I would believe the > "correct" way would be to compile every applet as a standalone, linked > to a libbb.so. I think its even mentioned in the TODO. Standalone executable is bigger, even simple "hello world" executable consumes 2940 byte. This wrapper uses only 15 byte for one applet. > Natanael Copa Regards, -- Yuichi Nakamura Hitachi Software Engineering Co., Ltd. Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/ SELinux Policy Editor: http://seedit.sourceforge.net/ _______________________________________________ busybox mailing list [email protected] http://busybox.net/cgi-bin/mailman/listinfo/busybox
