• JapanJamboree16SeBusybox

[original file is 20070831CELF_Busybox.pdf]
[translated by ikoma]

CELF Technical Jamboree #16
Aug. 31, 2007

Announcement: BusyBox for SELinux

• Yuichi Nakamura, Hitachi Software Engineering
• Kohei Kaigai, Japan SELinux Users Group
• Hiroshi Shinji, Japan SELinux Users Group

* seBusyBox Project

• Contributors

  • Volunteers from Japan SELinux Users Group (www.selinux.gr.jp)

• How to proceed
  • Listed up work items on wiki, and shared

    • http://www.kaigai.gr.jp/index.php?busybox

  • Discussion the on internal mailing list
• The results contributed to the community

  • Submit and submit to BusyBox community

  • Language handicap was overcome by others help

* Work items done

• Porting of SELinux commands

  • Necessities have been merged into 1.7.0

• SELinux/LIDS/AppArmor support

  • Domain assignment support for Secure OSes

  • Merged into svn

* SELinux commands

• Alread ported

  • SELinux commands

    • chcon runcon getenforce getsebool load_policy
    • matchpathcon selinuxenabled setenforce restorecon setfiles

  • SELinux option

    • cp, ls, mkdir, mv, id, install, stat, find
• Usage
  • From menuconfig,

    • 1) General Configuration->Support NSA Security

      • set "Enhanced Linux"

    • 2) "SELinux Utilities" appears on top

* Domain Assignment Support for Secure OSes (1)

• In secure OSes(SELinux/AppArmor/LIDS), domain (privilege) could not be assigned to applets

• The Reason:
  • Simlilar to SUID

  • These secure OSes identify an executable file by i-node number in file entity and assign a domain

  • An applet is installed by symoblic link or hard link

  • All applets in BusyBox are regarded as "/bin/busybox" from the view point of secure OS, so treated as a domain

* Domain Assignment Support for Secure OSes (1)

• Measure

  • Implement BusyBox applet as follows

    • Example: contents of /sbin/insmod
      • #!/bin/busybox
      • Use busybox as interpreter!!
        • Only 15byte overehead
  • Now each applet has unique i-node number, thus secure OS assign a domain

to each applet!

• Submitted and merged

  • http://www.busybox.net/lists/busybox/2007-August/028551.html

• Now domains are asignable in SELinux/AppArmor/LIDS!

• Usage

  • From BusyBox Options->Installation Options->Applets links, pick "as script wrappers"

* Remarks after Working with the BusyBox Community

• It's not difficult to submit a new patch once you experienced
• A patch is likely to be ignored
  • Maintainers are working in FIFO sytle?
  • Be persistent and resubmit even if ignored
• It is important to make review cycle shorter
  • It is important to follow the coding rules which looks insignificant
    • e.g. remove redundant spaces
• Persistent submitters would gain trust from maintainers
  • Sometimes the maintainer corrected minor glitch and the patch was smoothly merged

• Summary site on how to live with the BusyBox community

  • http://www.kaigai.gr.jp/index.php?busybox_upstream

* Help us!

• Try the new BusyBox

  • Memory consumption is also reduced

• Wanted: Bleeding edge users of BusyBox for SELinux

  • To be honest, not fully tested
• For bug reports, comments, wishes, or joining requests etc.:

  • Contact busybox@kaigai.gr.jp