Re: [meta-selinux][PATCHv2 0/8] Label file system in build.

[Philip Tricca <flihp@twobit.us>]

On 08/10/2015 09:10 PM, Philip Tricca wrote:
> On 08/08/2015 02:00 PM, Joe MacDonald wrote:
>> I'm sorry this has been in the merge queue for so long.
> 
> Better late than never :)
> 
>> I've merged it
>> after taking the policy updates from Shrikant and a few other small
>> patches that had been hanging around too.  I didn't drop it on master
>> yet, though, since I wanted to give everyone else a little bit of time
>> to try it out (myself included, I'm finally able to come up for air on
>> some of the day job things :-)).  Instead it is currently living on the
>> fs_label branch, but I rebased the patches on the current master HEAD
>> commit.  That means, though, that if you get a chance I'd like to take a
>> look at the branch to ensure I didn't mangle your patch set too much.
> 
> Will do.

Built and tested. Works as expected. There are a couple AVCs from
rpcbind related to stuff in /tmp but those are present in the master
branch so they're not related.

Philip

>> [[meta-selinux][PATCHv2 0/8] Label file system in build.] On 15.06.17 (Wed 15:30) Philip Tricca wrote:
>>
>>> This is the second version of a patch series that allows the file system
>>> of SELinux images to be labeled as part of the build process. This will
>>> allow SELinux images to boot read only file systems and remove the need to
>>> label the file system on first boot.
>>>
>>> To do this we must label the file system in the build as well as add
>>> support for extended attributes to the mke2fs utility in the e2fsprogs
>>> package. The first version of this patch series is here:
>>> https://lists.yoctoproject.org/pipermail/yocto/2015-June/025141.html
>>> The approach described in this previous RFC remains the same.
>>>
>>> Changes in v2:
>>> This second version has two significant changes: First I've done a bunch
>>> of cleanup. This includes work to make the descriptions in the patch
>>> headers / commit messages more exact as well as combining some commits
>>> with related functionality. Secondly I've reimplemented the xattr cache
>>> so that it actually works.
>>>
>>> I've made the patch headers as descriptive as possible and kept the git
>>> commit messages minimal. If the preference is for more verbose commit
>>> messages I'm happy to oblige if advised.
>>>
>>> The cache is just a single linked list that's searched for duplicates after
>>> the creation of each new xattr block. The previous implementation was similar
>>> but, aside from not working properly, it was overly complex in its attempt to
>>> keep the list sorted.
>>>
>>> Tests:
>>> To test this new implementation I used the core-image-selinux-minimal image
>>> from the unmodified master branch as a control. This image has 2536 unique
>>> file system objects including the root fs directory. The ext4 file system
>>> produced by the build has 71492 blocks with 13621 free.
>>>
>>> As an additional test I added the patches from this set WITHOUT the cache
>>> patches. This causes each file system object with an associated extended
>>> attribute to use up an additional block for the xattr. This should cause
>>> (hypothesis) the output file system to have 13621 - 2536 = 11085 free
>>> blocks. The build producing an ext4 file system with 71492 blocks and 11088
>>> free. That's an additional 2533 blocks used instead of the 2536 expected.
>>> These 3 missing xattr blocks can be accounted for in that there are 3
>>> unlabeled files in the file system.
>>>
>>> Introducing the cache allows files with identical xattr blocks to share
>>> them to reduce the number of used blocks. Since we're only storing SELinux
>>> labels in the xattrs we can say that every file with the same SELinux label
>>> should share an xattr block. Counting the unique SELinux labels on file
>>> objects we know that there are 83 in total. The second hypothesis we have
>>> to test then is that using the cache will reduce the number of used blocks
>>> from 2533 down to 83.
>>>
>>> Applying the patch that enables the cache produces a third and final ext4
>>> file system. This one again report 71492 total blocks but this time 13538
>>> free. This is 83 blocks fewer than the unlabled file system from the
>>> initial test as we expected. The code added by this patch set is also
>>> instrumented to count the objects in the cache when they're freed. With
>>> this debug output enabled it reports the same number of objects in the
>>> cache.
>>>
>>> From the test results I'm pretty confident that the cache functions as
>>> expected. It's still a very basic implementation but given the small
>>> number of unique SELinux labels in the reference file systems it's
>>> likely sufficient for a first version. Feedback / comments on both the
>>> implementation and testing approach would be appreciated.
>>>
>>> Regards,
>>> Philip
>>> ----
>>>
>>> Philip Tricca (8):
>>>   policycoreutils: Patch setfiles to add FTS_NOCHDIR to fts_flags.
>>>   selinux-image: Add new image class to label the rootfs, use it for
>>>     selinux images.
>>>   e2fsprogs: Add bbappend and stub for xattr module.
>>>   e2fsprogs: Insert calls to xattr module into mke2fs and build xattr
>>>     code.
>>>   e2fsprogs: Add xattr security prefix data to
>>>     lib/ext2fs/ext2_ext_attr.h
>>>   e2fsprogs: Copy xattr block from source file.
>>>   e2fsprogs: Add stub functions for an xattr cache and struct to hold
>>>     the header and block data.
>>>   e2fsprogs: Implement xattr block cache with simple linked list.
>>>
>>>  classes/selinux-image.bbclass                      |   8 +
>>>  ...ib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch |  20 ++
>>>  .../misc-xattr-add-xattr-module-stub.patch         |  57 ++++
>>>  .../misc-xattr-create-xattr-block-node.patch       | 175 +++++++++++
>>>  .../e2fsprogs/misc-xattr-create-xattr-block.patch  | 341 +++++++++++++++++++++
>>>  .../e2fsprogs/misc-xattr-create-xattr-cache.patch  | 181 +++++++++++
>>>  .../mke2fs.c-create_inode.c-copy-xattrs.patch      | 164 ++++++++++
>>>  .../e2fsprogs/e2fsprogs_1.42.9.bbappend            |  10 +
>>>  .../images/core-image-selinux-minimal.bb           |   2 +-
>>>  recipes-security/images/core-image-selinux.bb      |   2 +-
>>>  .../policycoreutils-fts_flags-FTS_NOCHDIR.patch    |  25 ++
>>>  recipes-security/selinux/policycoreutils_2.3.bb    |   1 +
>>>  12 files changed, 984 insertions(+), 2 deletions(-)
>>>  create mode 100644 classes/selinux-image.bbclass
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-add-xattr-module-stub.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-block-node.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-block.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-cache.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/mke2fs.c-create_inode.c-copy-xattrs.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bbappend
>>>  create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fts_flags-FTS_NOCHDIR.patch
>>>
>