Re: Removing writable permissions in squashfs images vs overlayfs

2022-10-24 Thread Peter Naulls

On 10/23/22 23:35, Phillip Lougher wrote:
> On Thu, Oct 20, 2022 at 6:01 PM Peter Naulls wrote:
>
> What you probably want is the following
>
> % mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"

It is, fantastic, thank you.

I added to include/image.mk:

--- a/include/image.mk
+++ b/include/image.mk
@@ -76,6 +76,7 @@ SQUASHFS_BLOCKSIZE := $(CONFIG_TARGET_SQUASHFS_BLOCK_SIZE)k
 SQUASHFSOPT := -b $(SQUASHFS_BLOCKSIZE)
 SQUASHFSOPT += -p '/dev d 755 0 0' -p '/dev/console c 600 0 0 5 1'
 SQUASHFSOPT += $(if $(CONFIG_SELINUX),-xattrs,-no-xattrs)
+SQUASHFSOPT += -action 'chmod(ugo-w)@perm(/ugo+w)'
 SQUASHFSCOMP := gzip
 LZMA_XZ_OPTIONS := -Xpreset 9 -Xe -Xlc 0 -Xlp 2 -Xpb 2
 ifeq ($(CONFIG_SQUASHFS_XZ),y)
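
Review bot: the added SQUASHFSOPT += -action 'chmod(ugo-w)@perm(/ugo+w)' line is unconditional, so every squashfs image built through include/image.mk gets write bits stripped from all files and directories, on every target. Consider gating it the way the line directly above gates -xattrs with $(if $(CONFIG_SELINUX),...), using a new config symbol (none is visible in this hunk, so the name would have to be introduced), and add a short comment saying what the action does. It is also worth confirming how the action interacts with the '/dev d 755 0 0' pseudo-file definition two lines up, which asks for mode 755.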


It sure seems like this could easily be a config option in OpenWrt, either
allowing specific commands here, or some easy presets, or perhaps
platform overrides.

Again, I know this is theater and overlayfs rules here, but it's still important
for my use.




___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: Removing writable permissions in squashfs images vs overlayfs

2022-10-23 Thread Phillip Lougher
On Thu, Oct 20, 2022 at 6:01 PM Peter Naulls  wrote:
>
>
> Yes, I know. Bear with me. Laugh if you must.
>
> # ls -l /rom/
> ...
> drwxr-xr-x    4 root     root            98 Oct 20 13:53 www
>
> I'd like to remove the writable bits from the squashfs image - /www is
> a particular concern because of security paranoia.
>
> Now I realize that:
>
> 1. This is contrary to the design and operation of overlayfs - it doesn't
> matter what you set the permissions to, overlayfs will make a copy and
> let you "write" anyway (correct me if I'm wrong here) and besides there's only
> root.
>
> 2. This is 100% security theater, but the optics have become important here.
>
> I don't see that mksquashfs has any options for removing these attributes.
> It is possible to set the permissions on files that end up in the rootfs
> before the image generation, but then you tend to run into permissions
> problems on the host build system when you do it again and it needs to clean
> things out.

On the contrary, this is fully supported by Mksquashfs using actions.
Actions are modelled on the find command, and allow one or more tests
to be performed on a file, and if the tests match, execute an action.

What you probably want is the following

% mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"

"perm(/ugo+w)" is a test that matches on any file that has a writable
permission (either user, group or other).

"chmod(ugo-w)" is an action that removes the writable permission for
user, group and other.

So if any file has a writable permission it is removed before
generating the Squashfs filesystem.

Worked example

phillip@phoenix:/tmp$ ls -la test
total 12
drwxr-xr-x  3 phillip users 4096 Oct 24 03:37 .
drwxrwxrwt 11 root    root  4096 Oct 24 04:17 ..
drwxrwxrwx  2 phillip users 4096 Oct 24 03:32 example_dir
-rw-rw-rw-  1 phillip users    0 Oct 24 03:32 example_file
-r--r--r--  1 phillip users    0 Oct 24 03:37 not_writable
phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"
phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh
dr-xr-xr-x phillip/users        74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users         3 2022-10-24 03:32 squashfs-root/example_dir
-r--r--r-- phillip/users         0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users         0 2022-10-24 03:37 squashfs-root/not_writable

If you only want the writable permission removed from directories, you
can test the file type in addition to the writable permissions, e.g.

% mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress

Worked example

phillip@phoenix:/tmp$ ls -la test
total 12
drwxr-xr-x  3 phillip users 4096 Oct 24 03:37 .
drwxrwxrwt 11 root    root  4096 Oct 24 04:22 ..
drwxrwxrwx  2 phillip users 4096 Oct 24 03:32 example_dir
-rw-rw-rw-  1 phillip users    0 Oct 24 03:32 example_file
-r--r--r--  1 phillip users    0 Oct 24 03:37 not_writable
phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress
phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh
dr-xr-xr-x phillip/users        74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users         3 2022-10-24 03:32 squashfs-root/example_dir
-rw-rw-rw- phillip/users         0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users         0 2022-10-24 03:37 squashfs-root/not_writable

More information on Mksquashfs actions is here

https://github.com/plougher/squashfs-tools/blob/master/ACTIONS-README

Please ask if you want more information.

Phillip
---
Squashfs author and maintainer.
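
A build-time check for the result of the action described above, as an added example that is not part of the original messages: it parses `unsquashfs -lls` output and reports any entry that still carries a write bit. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample listings are constructed,
# modelled on the `unsquashfs -lls` output shown in the message above.

# Print "mode path" for every entry that still has a u, g or o write bit.
# Symlinks are skipped: Linux ignores their mode bits.
writable_entries() {
    awk '
        length($1) == 10 && $1 ~ /^[-dcbps][-rwxsStT]+$/ {
            if (substr($1, 3, 1) != "w" && substr($1, 6, 1) != "w" &&
                substr($1, 9, 1) != "w") next
            # The path is everything after the "YYYY-MM-DD HH:MM " stamp,
            # so names containing spaces survive intact.
            if (match($0, / [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9] /))
                print $1, substr($0, RSTART + RLENGTH)
        }'
}

# Exit status 0 when nothing is writable, 1 (offenders on stderr) otherwise.
audit_listing() {
    found=$(writable_entries)
    if [ -n "$found" ]; then
        printf 'write bit still set:\n%s\n' "$found" >&2
        return 1
    fi
}

# Constructed sample: image built with chmod(ugo-w)@perm(/ugo+w).
sample_all_stripped() {
    cat <<'EOF'
dr-xr-xr-x phillip/users        74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users         3 2022-10-24 03:32 squashfs-root/example_dir
-r--r--r-- phillip/users         0 2022-10-24 03:32 squashfs-root/example_file
EOF
}

# Constructed sample: same action restricted with "&& type(d)".
sample_dirs_only() {
    cat <<'EOF'
dr-xr-xr-x phillip/users         3 2022-10-24 03:32 squashfs-root/example_dir
-rw-rw-rw- phillip/users         0 2022-10-24 03:32 squashfs-root/example_file
EOF
}
```

Against a real image, pipe the listing in with `unsquashfs -lls test.sqsh | audit_listing` and fail the build on a non-zero exit status.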
