Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

init: optionally load the system SELinux policy #400

Open
wants to merge 69 commits into
base: master
Choose a base branch
from
Open

init: optionally load the system SELinux policy #400

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
69 commits
Select commit Hold shift + click to select a range
69d80f4
init: optionally load the system SELinux policy
WavyEbuilder Oct 15, 2024
0a5f876
mark selinux_transition as static
WavyEbuilder Oct 19, 2024
c465b81
BUILD_MESON: add selinux option documentation
WavyEbuilder Oct 19, 2024
6063686
init: selinux: add --disable-selinux
WavyEbuilder Oct 19, 2024
57b94a2
doc: manpages: mention --disable-selinux flag
WavyEbuilder Oct 19, 2024
6910b6d
init: selinux: fix header guards
WavyEbuilder Oct 19, 2024
67c3d8b
build: docs: add SUPPORT_SELINUX info
WavyEbuilder Oct 23, 2024
55b82d8
init: rename --disable-selinux option to --disable-selinux-policy
WavyEbuilder Oct 23, 2024
15e2f6e
selinux: add explanatory comments for selinux related functions
WavyEbuilder Oct 26, 2024
ca63b57
configure: update help text for selinux options
WavyEbuilder Oct 26, 2024
159ffac
printVersion: add selinux information to output
WavyEbuilder Oct 26, 2024
0e959a7
selinux: update comments
WavyEbuilder Oct 27, 2024
a40f43a
meson.build: clean up selinux related options
WavyEbuilder Oct 27, 2024
7d88201
meson.build: rename libselinux dependency to libselinux_dep
WavyEbuilder Oct 27, 2024
157a78a
meson: refractor mconfig logic for selinux
WavyEbuilder Oct 27, 2024
01640d8
configure: update --enable-selinux help text
WavyEbuilder Oct 31, 2024
a8ecd7d
doc: manpages: update --disable-selinux flag to --disable-selinux-policy
WavyEbuilder Oct 31, 2024
10c8198
dinit.cc: fix line wrapping for comments per CODE-STYLE
WavyEbuilder Oct 31, 2024
e4b5b3e
dinit.cc: selinux_transition: clarify comment regarding the log
WavyEbuilder Oct 31, 2024
02b93a8
selinux_transition: clean up comment per CODE-STYLE
WavyEbuilder Nov 2, 2024
66be73d
selinux_transition: log error and return early for permissive
WavyEbuilder Nov 2, 2024
e06e054
selinux_transition: check that getcon_raw(3) doesn't return nullptr
WavyEbuilder Nov 8, 2024
4bf712a
selinux_transition: clarify kernel context in comment
WavyEbuilder Nov 8, 2024
eadc90c
selinux_transition: be more specific in comment
WavyEbuilder Nov 8, 2024
86a9f0c
selinux_transition: fix line wrapping for comments
WavyEbuilder Nov 8, 2024
8737eef
selinux_transition: correct check for getcon_raw(3) return value
WavyEbuilder Nov 11, 2024
f093426
selinux_transition: don't exit if we are unable to transition
WavyEbuilder Nov 11, 2024
e40b38e
selinux_transition: always error exit if we fail to load the policy
WavyEbuilder Nov 11, 2024
a6af309
selinux_transition: update comments to reflect the current control flow
WavyEbuilder Nov 11, 2024
25eb167
selinux_transition: fix grammar in comment
WavyEbuilder Nov 11, 2024
d90b013
selinux_transition: improve wording for comment
WavyEbuilder Nov 11, 2024
1f2f7cf
selinux_transition: document the mounting of /sys
WavyEbuilder Nov 11, 2024
ab15586
selinux_transition: reformat if statement per CODE-STYLE
WavyEbuilder Nov 11, 2024
90b789b
selinux_transition: clarify policy choice for inital domain in comment
WavyEbuilder Nov 11, 2024
c0cef53
selinux_transition: reword comment about pitfalls of getcon_raw(3)
WavyEbuilder Dec 18, 2024
2a6af9d
selinux_transition: cleanroom rewrite of getcon_raw(3) comment
WavyEbuilder Dec 18, 2024
ef2c41f
selinux_transition: use correct variable naming in comments
WavyEbuilder Dec 18, 2024
8f1ac95
selinux_transition: add attribution to getcon_raw(3) comment
WavyEbuilder Dec 18, 2024
64ec986
selinux: new documentation
WavyEbuilder Dec 18, 2024
266cc8c
selinux: correct flowchart in documentation
WavyEbuilder Dec 18, 2024
cec70a6
selinux_transition: fix formatting by placing opening { on a new line
WavyEbuilder Dec 18, 2024
4774421
selinux: document flag to disable policy loading
WavyEbuilder Dec 18, 2024
38fdef4
selinux: document mounting of /sys
WavyEbuilder Dec 18, 2024
b7ef63a
Merge branch 'master' into master
WavyEbuilder Dec 18, 2024
7d5ac36
meson.build: fix dependencies for libselinux_dep
WavyEbuilder Dec 18, 2024
c502a07
dinit.cc: add missing #endif directive for SUPPORT_SELINUX #ifdef
WavyEbuilder Dec 18, 2024
6f3f5cd
meson.build: remove old cgroup-related changes
WavyEbuilder Dec 18, 2024
4a5d7c1
meson.build: force SUPPORT_SELINUX mconfig variable for support-selinux
WavyEbuilder Dec 18, 2024
350fed8
configure: remove deprecated arguments
WavyEbuilder Dec 18, 2024
376c1cc
configure: fix to align with current upstream/master
WavyEbuilder Dec 18, 2024
5d143f4
feature_count: bump on SUPPORT_SELINUX
WavyEbuilder Dec 18, 2024
cc8bcb7
selinux_transition: add base for mounting /proc
WavyEbuilder Dec 18, 2024
653ecf4
selinux_transition: don't use type inference for errno_str
WavyEbuilder Dec 18, 2024
46ac998
selinux_transition: remove TODO for relabeling /proc
WavyEbuilder Jan 10, 2025
1a79e2f
doc: add SELinux related support to manpages
WavyEbuilder Jan 10, 2025
46331bf
doc: update SELinux flowchart to include mounting of /proc
WavyEbuilder Jan 10, 2025
26c1855
configure: sync to latest in davmac314/dinit
WavyEbuilder Jan 10, 2025
c2cf2f9
dinit: fix formatting in manpages
WavyEbuilder Jan 17, 2025
f360aff
manpages: fix typo
WavyEbuilder Jan 17, 2025
9260c20
docs: SELinux: refer to Dinit the project with a capital D
WavyEbuilder Jan 31, 2025
0f114a6
docs: SELinux: link to SELinux notebook
WavyEbuilder Jan 31, 2025
c5b6aae
docs: SELinux: link to build documentation
WavyEbuilder Jan 31, 2025
6be8175
selinux_transition: update comment wording to note relevant manpage
WavyEbuilder Jan 31, 2025
a3062d7
selinux_transition: mention SELinux in log output
WavyEbuilder Jan 31, 2025
3b674b3
selinux_transition: fix formatting
WavyEbuilder Jan 31, 2025
7e52501
selinux_transition: only bail early if enforcing mode requested
WavyEbuilder Jan 31, 2025
ed2a166
selinux_transition: stop attempting to create /proc if it doesn't exist
WavyEbuilder Feb 1, 2025
7a843a0
selinux_transition: clarify mounting behaviour in comment
WavyEbuilder Feb 1, 2025
622790e
[EXPERIMENTAL] dinit: use the log for selinux error messages
WavyEbuilder Feb 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CONTRIBUTORS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,4 @@ The following people (in alphabetical order) have contributed:
* Oliver Amann - Code, testing, documentation
* Locria Cyber - Code, documentation
* q66 - Code, testing, documentation.
* Rahul Sandhu - Code
3 changes: 2 additions & 1 deletion build/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,8 @@ includes/mconfig.h: ../mconfig tools/mconfig-gen.cc version.conf
DEFAULT_STOP_TIMEOUT=$(DEFAULT_STOP_TIMEOUT) \
$(if $(SUPPORT_CGROUPS),SUPPORT_CGROUPS=$(SUPPORT_CGROUPS),) \
$(if $(USE_UTMPX),USE_UTMPX=$(USE_UTMPX),) \
$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) > includes/mconfig.h
$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) \
$(if $(SUPPORT_SELINUX),SUPPORT_SELINUX=$(SUPPORT_SELINUX),) > includes/mconfig.h

clean:
rm -f includes/mconfig.h
Expand Down
1 change: 1 addition & 0 deletions build/mconfig.mesontemplate
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
#mesondefine USE_UTMPX
#mesondefine USE_INITGROUPS
#mesondefine SUPPORT_CGROUPS
#mesondefine SUPPORT_SELINUX
#mesondefine DEFAULT_AUTO_RESTART
#mesondefine DEFAULT_START_TIMEOUT
#mesondefine DEFAULT_STOP_TIMEOUT
Expand Down
3 changes: 3 additions & 0 deletions build/tools/mconfig-gen.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,9 @@ int main(int argc, char **argv)
if (vars.find("DEFAULT_AUTO_RESTART") != vars.end()) {
cout << "#define DEFAULT_AUTO_RESTART " << vars["DEFAULT_AUTO_RESTART"] << "\n";
}
if (vars.find("SUPPORT_SELINUX") != vars.end()) {
cout << "#define SUPPORT_SELINUX " << vars["SUPPORT_SELINUX"] << "\n";
}

cout << "\n// Constants\n";
cout << "\nconstexpr static char DINIT_VERSION[] = " << stringify(vars["VERSION"]) << ";\n";
Expand Down
9 changes: 9 additions & 0 deletions configure
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,7 @@ Optional options:
--disable-utmpx Disable manipulating the utmp/utmpx database via the related POSIX functions
--enable-initgroups Enable initialization of supplementary groups for run-as [Enabled]
--disable-initgroups Disable initialization of supplementary groups for run-as
--enable-selinux Enable SELinux support [Enabled only on Linux based systems]
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is claiming that selinux support is enabled by default on Linux based systems, but it doesn't seem to be the case (and it probably shouldn't be) since SUPPORT_SELINUX is defaulted to 0.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm is that from the Enabled only on Linux based systems bit? Not sure how to better phrase that personally.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From ./configure --help:

Usage: ./configure [OPTION]...

Generates build configuration for Dinit.

Defaults for the options are specified in brackets.
...

Also you need to add --disable-selinux option description here, after the --enable-selinux.
And then just use [Disabled] in front of --disable-selinux option description.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, got it. Thanks!

--enable-auto-restart Enable auto-restart for services by default [Deprecated]
--disable-auto-restart Disable auto-restart for services by default [Deprecated]
--default-start-timeout=sec Default start-timeout for services [60]
Expand Down Expand Up @@ -210,6 +211,7 @@ for var in PREFIX \
SUPPORT_CGROUPS \
USE_UTMPX \
USE_INITGROUPS \
SUPPORT_SELINUX \
SYSCONTROLSOCKET \
STRIPOPTS
do
Expand Down Expand Up @@ -243,6 +245,8 @@ for arg in "$@"; do
--disable-utmpx|--enable-utmpx=no) USE_UTMPX=0 ;;
--enable-initgroups|--enable-initgroups=yes) USE_INITGROUPS=1 ;;
--disable-initgroups|--enable-initgroups=no) USE_INITGROUPS=0 ;;
--enable-selinux|--enable-selinux=yes) SUPPORT_SELINUX=1 ;;
--disable-selinux|--enable-selinux=no) SUPPORT_SELINUX=0 ;;
--enable-auto-restart|--enable-auto-restart=yes) DEFAULT_AUTO_RESTART=ALWAYS ;; # Deprecated
--disable-auto-restart|--enable-auto-restart=no) DEFAULT_AUTO_RESTART=NEVER ;; # Deprecated
--enable-strip|--enable-strip=yes) STRIPOPTS="-s" ;;
Expand Down Expand Up @@ -275,6 +279,7 @@ done
: "${DEFAULT_START_TIMEOUT:="60"}"
: "${DEFAULT_STOP_TIMEOUT:="10"}"
: "${USE_INITGROUPS:="1"}"
: "${SUPPORT_SELINUX:="0"}"
if [ "$PLATFORM" = "Linux" ]; then
: "${BUILD_SHUTDOWN:="yes"}"
: "${SUPPORT_CGROUPS:="1"}"
Expand Down Expand Up @@ -380,6 +385,9 @@ fi
if [ "$AUTO_LDFLAGS_BASE" = true ] && [ "$PLATFORM" = FreeBSD ]; then
try_ld_argument LDFLAGS_BASE -lrt
fi
if [ "$AUTO_LDFLAGS_BASE" = true ] && [ "$SUPPORT_SELINUX" = "1" ]; then
try_ld_argument LDFLAGS_BASE -lselinux
fi
if [ "$AUTO_TEST_LDFLAGS_BASE" = true ]; then
TEST_LDFLAGS_BASE="\$(LDFLAGS_BASE)"
established_TEST_LDFLAGS="$LDFLAGS_BASE"
Expand Down Expand Up @@ -467,6 +475,7 @@ STRIPOPTS=$STRIPOPTS
# Feature settings
SUPPORT_CGROUPS=$SUPPORT_CGROUPS
USE_INITGROUPS=$USE_INITGROUPS
SUPPORT_SELINUX=$SUPPORT_SELINUX
# Optional settings
SHUTDOWN_PREFIX=${SHUTDOWN_PREFIX:-}
Expand Down
2 changes: 2 additions & 0 deletions meson.build
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ man_pages = get_option('man-pages')
support_cgroups = get_option('support-cgroups')
use_utmpx = get_option('use-utmpx')
use_initgroups = get_option('use-initgroups')
libselinux = dependency('libselinux', version : '>= 2.1.9', required : get_option('selinux'))
mobin-2008 marked this conversation as resolved.
Show resolved Hide resolved
default_auto_restart = get_option('default-auto-restart')
default_start_timeout = get_option('default-start-timeout').to_string()
default_stop_timeout = get_option('default-stop-timeout').to_string()
Expand Down Expand Up @@ -65,6 +66,7 @@ mconfig_data.set('DEFAULT_AUTO_RESTART', default_auto_restart)
mconfig_data.set('DEFAULT_START_TIMEOUT', default_start_timeout)
mconfig_data.set('DEFAULT_STOP_TIMEOUT', default_stop_timeout)
mconfig_data.set10('USE_INITGROUPS', use_initgroups)
mconfig_data.set10('SUPPORT_SELINUX', libselinux.found())
if support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled()
mconfig_data.set('SUPPORT_CGROUPS', '1')
endif
Expand Down
6 changes: 6 additions & 0 deletions meson_options.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,3 +91,9 @@ option(
value : 'auto',
description : 'Building shutdown/reboot/soft-reboot/halt or not.'
)
option(
'selinux',
type : 'feature',
value : 'auto',
description : 'SELinux support'
)
72 changes: 72 additions & 0 deletions src/dinit.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,12 @@

#include "mconfig.h"

#if SUPPORT_SELINUX
#include <selinux/avc.h>
#include <selinux/label.h>
#include <selinux/selinux.h>
#endif

/*
* When running as the system init process, Dinit processes the following signals:
*
Expand Down Expand Up @@ -453,6 +459,70 @@ static int process_commandline_arg(char **argv, int argc, int &i, options &opts)
return 0;
}

bool selinux_transition(const char *exe) {
#if SUPPORT_SELINUX
using std::cerr;
using std::endl;

davmac314 marked this conversation as resolved.
Show resolved Hide resolved
char *current_context = nullptr;
char *file_context = nullptr;
security_class_t security_class;
char *new_context = nullptr;

if (is_selinux_enabled() == 1) {
return true;
}

int enforce = 0;
if (selinux_init_load_policy(&enforce) != 0) {
if (enforce > 0) {
cerr << "Failed to load SELinux policy." << endl;
return false;
}
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
}

bool ret = true;
if (getcon_raw(&current_context) < 0) {
ret = false;
cerr << "Failed to get current context: " << strerror(errno) << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

if (getfilecon_raw(exe, &file_context) < 0) {
ret = false;
cerr << "Failed to get file context for " << exe << ": " << strerror(errno) << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

security_class = string_to_security_class("process");
if (security_class == 0) {
ret = false;
cerr << "Failed to get security class for process" << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

if (security_compute_create_raw(current_context, file_context, security_class, &new_context) < 0) {
ret = false;
cerr << "Failed to compute create context: " << strerror(errno) << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

if (setcon_raw(new_context) < 0) {
ret = false;
cerr << "Failed to set transition context to " << new_context << ": " << strerror(errno) << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

cleanup:
if (current_context) freecon(current_context);
if (file_context) freecon(file_context);
if (new_context) freecon(new_context);
return ret;
#else
return true;
#endif
}

// Main entry point
int dinit_main(int argc, char **argv)
{
Expand All @@ -461,6 +531,8 @@ int dinit_main(int argc, char **argv)
am_system_mgr = (getpid() == 1);
am_system_init = (getuid() == 0);

if (am_system_mgr && am_system_init && !selinux_transition(argv[0])) return 1;

struct options opts;

// if we are PID 1 and user id 0, we are *most probably* the system init. (Or on linux at least, we
Expand Down
9 changes: 8 additions & 1 deletion src/meson.build
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,12 @@ dinit_source_files = [
'dinit-env.cc',
'settings.cc'
]
dinit_dependencies = []

if libselinux.found()
dinit_dependencies += libselinux
endif


## src/'s Defines
shutdown_built = false
Expand All @@ -40,7 +46,8 @@ endif
executable(
'dinit',
dinit_source_files,
kwargs: misc_args
kwargs: misc_args,
dependencies: dinit_dependencies
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be a simple [libselinux] instead of a variable, because we don't many dependencies right now.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no harm having a variable if it makes things clearer - putting [libselinux] here makes it seem like the library is always a dependency. Does this actually work correctly if libselinux isn't found? (I guess it does because the CI build passed). Anyway I guess it can stay as is it now is.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually. Build output shows:

Run-time dependency libselinux found: NO (tried pkgconfig and cmake)

... why is libselinux considered a "run-time dependency"? Is it because of this? Then I think it needs to be changed back.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

libselinux is a "run-time dependency" in the sense that it is being searched for in order to use it when compiling installable executables.

It would be a

Build-time dependency libselinux found: NO

if it was searched for using dependency('libselinux', native: true) and its purpose was during a cross-compile to compile native executables that required libselinux and could be used as e.g. code generator programs.

Copy link

@eli-schwartz eli-schwartz Oct 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no harm having a variable if it makes things clearer - putting [libselinux] here makes it seem like the library is always a dependency. Does this actually work correctly if libselinux isn't found? (I guess it does because the CI build passed). Anyway I guess it can stay as is it now is.

Dependencies can be looked up only optionally, in this case:

libselinux_dep = dependency('libselinux', version : '>= 2.1.9', required : support_selinux)

it will only be looked up when the "support-selinux={enabled|disabled|auto}" build option permits it. (In the enabled case, the configuration will fatally error out when libselinux is not found -- it is required, so you cannot proceed without it. The default is "auto" and the CI build doesn't have a selinux system so it configures without selinux. In the "disabled" case, even if libselinux is installed and available, meson ignores it because you disabled support and will return "Dependency libselinux skipped: feature support-selinux disabled".) The return value can be checked to see if it was indeed found -- and either way, you can use it anywhere a dependency is a valid parameter type.

  • If libselinux was found, it expands to the correct compile/link arguments for libselinux.
  • If libselinux was NOT found, it expands to nothing, and is a no-op.

So it is always safe to pass it even if it isn't used, greatly reducing the amount of control flow necessary for converting build configuration intents into compilation commands.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eli-schwartz

libselinux is a "run-time dependency" in the sense that it is being searched for in order to use it when compiling installable executables.

I think maybe I understand what you are saying, but it seems very much at odds with what I would normally think of as a run-time vs build-time dependency. To me a dependency that is used when compiling the final executable(s), or at any stage in the lead-up to that, is a build-time dependency; i.e. a build-time dependency is something that is required when the application is built, and a run-time dependency is required when the application is run.

Anyway, I guess that means this is fine as is, and that the "run-time" message is correct as far as meson is concerned - thanks for clarifying.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a bit of weird wording -- I certainly didn't choose it lol. :)

I went and looked up where it was introduced in the git history -- @Ericson2314 introduced it in mesonbuild/meson@07777e1 as part of a refactor that shouldn't actually have affected this at all and I do not know why! Before that commit, it would list "Dependency libselinux found: NO" except in a cross build, when it would say "Cross dependency libselinux found: NO".

)
executable(
'dinitctl',
Expand Down