* [Buildroot] [PATCH 0/2] SMACK: mandatory access control @ 2014-04-20 18:54 Eric Le Bihan 2014-04-20 18:54 ` [Buildroot] [PATCH 1/2] smack: new package Eric Le Bihan 2014-04-20 18:54 ` [Buildroot] [PATCH 2/2] systemd: add SMACK support option Eric Le Bihan 0 siblings, 2 replies; 10+ messages in thread From: Eric Le Bihan @ 2014-04-20 18:54 UTC (permalink / raw) To: buildroot Hi! This small series adds support for SMACK, the Simplified Mandatory Access Control Kernel. In computer security, a Mandatory Access Control is a mechanism where the operating system contrains the access to an object (file, socket, ...) by a subject (typically a process) according to rules. A well-known example is SELinux. SMACK is an implementation of this mechanism, aimed towards simplicity. It can be used to harden embedded devices. It is currently used in Tizen. This series introduces the "smack" package, which provides the user space library as well as the tools to manage the access rules. When selecting this package, the support for SMACK is actived in the kernel. SMACK is controlled via the pseudo file system /sys/fs/smackfs. Systemd can mount it automatically if compiled with SMACK support. So the systemd package has been updated accordingly. Best regards, ELB Eric Le Bihan (2): smack: new package. systemd: add SMACK support option. linux/linux.mk | 4 ++++ package/Config.in | 1 + package/smack/Config.in | 28 ++++++++++++++++++++++++++++ package/smack/smack.mk | 14 ++++++++++++++ package/systemd/Config.in | 14 ++++++++++++++ package/systemd/systemd.mk | 13 +++++++++++++ 6 files changed, 74 insertions(+) create mode 100644 package/smack/Config.in create mode 100644 package/smack/smack.mk -- 1.9.0 ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/2] smack: new package. 2014-04-20 18:54 [Buildroot] [PATCH 0/2] SMACK: mandatory access control Eric Le Bihan @ 2014-04-20 18:54 ` Eric Le Bihan 2014-04-21 10:19 ` Thomas Petazzoni 2014-04-20 18:54 ` [Buildroot] [PATCH 2/2] systemd: add SMACK support option Eric Le Bihan 1 sibling, 1 reply; 10+ messages in thread From: Eric Le Bihan @ 2014-04-20 18:54 UTC (permalink / raw) To: buildroot SMACK stands for Simplified Mandatory Access Control Kernel. It is a Linux Security Module which provides a Mandatory Access Control mechanism, like SELinux, but aiming towards simplicity. This package provides the tools to load/unload the policy from the kernel as well as a library allowing applications to interact with SMACK. The proper kernel options are also set. Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr> --- linux/linux.mk | 4 ++++ package/Config.in | 1 + package/smack/Config.in | 28 ++++++++++++++++++++++++++++ package/smack/smack.mk | 14 ++++++++++++++ 4 files changed, 47 insertions(+) create mode 100644 package/smack/Config.in create mode 100644 package/smack/smack.mk diff --git a/linux/linux.mk b/linux/linux.mk index e270705..bd3f2ac 100644 --- a/linux/linux.mk +++ b/linux/linux.mk @@ -200,6 +200,10 @@ define LINUX_CONFIGURE_CMDS $(call KCONFIG_ENABLE_OPT,CONFIG_AUTOFS4_FS,$(@D)/.config) $(call KCONFIG_ENABLE_OPT,CONFIG_TMPFS_POSIX_ACL,$(@D)/.config) $(call KCONFIG_ENABLE_OPT,CONFIG_TMPFS_POSIX_XATTR,$(@D)/.config)) + $(if $(BR2_PACKAGE_SMACK), + $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY,$(@D)/.config) + $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_SMACK,$(@D)/.config) + $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_NETWORK,$(@D)/.config)) $(if $(BR2_LINUX_KERNEL_APPENDED_DTB), $(call KCONFIG_ENABLE_OPT,CONFIG_ARM_APPENDED_DTB,$(@D)/.config)) yes '' | $(TARGET_MAKE_ENV) $(MAKE1) $(LINUX_MAKE_FLAGS) -C $(@D) oldconfig diff --git a/package/Config.in b/package/Config.in index 44c35ea..323596e 100644 --- a/package/Config.in +++ b/package/Config.in @@ -1104,6 +1104,7 @@ source "package/quota/Config.in" if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS source "package/rsyslog/Config.in" endif +source "package/smack/Config.in" source "package/supervisor/Config.in" if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS source "package/sysklogd/Config.in" diff --git a/package/smack/Config.in b/package/smack/Config.in new file mode 100644 index 0000000..971b79a --- /dev/null +++ b/package/smack/Config.in @@ -0,0 +1,28 @@ +config BR2_PACKAGE_SMACK + bool "smack" + help + User space programs and libraries for SMACK. + + SMACK stands for Simplified Mandatory Access Control Kernel. + It is a Linux Security Module which provides a Mandatory Access + Control mechanism, aimed towards simplicity. + + This package provides a library which allows applications to work + with SMACK and tools to load/unload rules from the kernel, as well + as query the policy. + + SMACK requires the following kernel options to be enabled: + + - CONFIG_SECURITY + - CONFIG_SECURITY_SMACK + - CONFIG_SECURITY_NETWORK + + These options will be automatically enabled by Buildroot if it is + responsible for building the kernel. Otherwise, if you are building + your kernel outside of Buildroot, make sure these options are + enabled. + + To activate SMACK, do not forget to add "security=smack" to your + kernel command line. + + https://github.com/smack-team/smack diff --git a/package/smack/smack.mk b/package/smack/smack.mk new file mode 100644 index 0000000..41f71a4 --- /dev/null +++ b/package/smack/smack.mk @@ -0,0 +1,14 @@ +################################################################################ +# +# smack +# +################################################################################ + +SMACK_VERSION = 1.0.4 +SMACK_SITE = $(call github,smack-team,smack,v$(SMACK_VERSION)) +SMACK_LICENSE = LGPLv2.1+ +SMACK_LICENSE_FILES = COPYING +SMACK_INSTALL_STAGING = YES +SMACK_AUTORECONF = YES + +$(eval $(autotools-package)) -- 1.9.0 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/2] smack: new package. 2014-04-20 18:54 ` [Buildroot] [PATCH 1/2] smack: new package Eric Le Bihan @ 2014-04-21 10:19 ` Thomas Petazzoni 2014-04-21 11:56 ` Eric Le Bihan 0 siblings, 1 reply; 10+ messages in thread From: Thomas Petazzoni @ 2014-04-21 10:19 UTC (permalink / raw) To: buildroot Dear Eric Le Bihan, On Sun, 20 Apr 2014 20:54:03 +0200, Eric Le Bihan wrote: > diff --git a/package/smack/Config.in b/package/smack/Config.in > new file mode 100644 > index 0000000..971b79a > --- /dev/null > +++ b/package/smack/Config.in > @@ -0,0 +1,28 @@ > +config BR2_PACKAGE_SMACK > + bool "smack" Dependency on !BR2_PREFER_STATIC_LIB was missing, due to <dlfcn.h> usage. Remember to build test your packages with http://autobuild.buildroot.org/toolchains/configs/free-electrons/bfin-linux-uclibc.config (to test !MMU) and http://autobuild.buildroot.org/toolchains/configs/free-electrons/bfin-uclinux.config (to test !MMU and BR2_PREFER_STATIC_LIB). > +SMACK_VERSION = 1.0.4 > +SMACK_SITE = $(call github,smack-team,smack,v$(SMACK_VERSION)) > +SMACK_LICENSE = LGPLv2.1+ License is actually LGPLv2.1, according to comment headers in the source code. > +SMACK_LICENSE_FILES = COPYING > +SMACK_INSTALL_STAGING = YES > +SMACK_AUTORECONF = YES Dependency on host-pkgconf was missing, the configure.ac script uses PKG_CHECK_MODULES. Applied with those changes, Thomas -- Thomas Petazzoni, CTO, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/2] smack: new package. 2014-04-21 10:19 ` Thomas Petazzoni @ 2014-04-21 11:56 ` Eric Le Bihan 2014-04-21 11:55 ` Thomas Petazzoni 0 siblings, 1 reply; 10+ messages in thread From: Eric Le Bihan @ 2014-04-21 11:56 UTC (permalink / raw) To: buildroot Hi! On Mon, Apr 21, 2014 at 12:19:01PM +0200, Thomas Petazzoni wrote: > Dear Eric Le Bihan, > > On Sun, 20 Apr 2014 20:54:03 +0200, Eric Le Bihan wrote: > > > diff --git a/package/smack/Config.in b/package/smack/Config.in > > new file mode 100644 > > index 0000000..971b79a > > --- /dev/null > > +++ b/package/smack/Config.in > > @@ -0,0 +1,28 @@ > > +config BR2_PACKAGE_SMACK > > + bool "smack" > > Dependency on !BR2_PREFER_STATIC_LIB was missing, due to <dlfcn.h> > usage. Remember to build test your packages with > http://autobuild.buildroot.org/toolchains/configs/free-electrons/bfin-linux-uclibc.config > (to test !MMU) and > http://autobuild.buildroot.org/toolchains/configs/free-electrons/bfin-uclinux.config > (to test !MMU and BR2_PREFER_STATIC_LIB). Thanks for the polishing! Wouldn't it be useful to add a stanza in the docs/manual/contribute.txt about performing some compliancy tests using these two configurations before submitting new packages? Are there any other criteria that could fit compliancy tests/checklist? Best regards, ELB ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/2] smack: new package. 2014-04-21 11:56 ` Eric Le Bihan @ 2014-04-21 11:55 ` Thomas Petazzoni 2014-04-21 12:49 ` Thomas De Schampheleire 0 siblings, 1 reply; 10+ messages in thread From: Thomas Petazzoni @ 2014-04-21 11:55 UTC (permalink / raw) To: buildroot Dear Eric Le Bihan, On Mon, 21 Apr 2014 13:56:07 +0200, Eric Le Bihan wrote: > Thanks for the polishing! Wouldn't it be useful to add a stanza in the > docs/manual/contribute.txt about performing some compliancy tests using these > two configurations before submitting new packages? Are there any other > criteria that could fit compliancy tests/checklist? While reviewing these packages, I was indeed thinking of writing a "package addition check list" for the manual. But I'm wondering if this wouldn't replicate quite a lot of informations already in the manual, though it's true the idea of testing with some specific toolchain configurations isn't written anywhere. Thomas -- Thomas Petazzoni, CTO, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/2] smack: new package. 2014-04-21 11:55 ` Thomas Petazzoni @ 2014-04-21 12:49 ` Thomas De Schampheleire 2014-04-24 20:14 ` Peter Korsgaard 0 siblings, 1 reply; 10+ messages in thread From: Thomas De Schampheleire @ 2014-04-21 12:49 UTC (permalink / raw) To: buildroot Thomas Petazzoni <thomas.petazzoni@free-electrons.com> schreef: >Dear Eric Le Bihan, > >On Mon, 21 Apr 2014 13:56:07 +0200, Eric Le Bihan wrote: > >> Thanks for the polishing! Wouldn't it be useful to add a stanza in the >> docs/manual/contribute.txt about performing some compliancy tests using these >> two configurations before submitting new packages? Are there any other >> criteria that could fit compliancy tests/checklist? > >While reviewing these packages, I was indeed thinking of writing a >"package addition check list" for the manual. But I'm wondering if this >wouldn't replicate quite a lot of informations already in the manual, >though it's true the idea of testing with some specific toolchain >configurations isn't written anywhere. I certainly think a checklist would be a good addition to the manual. The checklist would not contain details, but only references to other parts of the manual. Adding a list of toolchain configurations to test packages with is also on my todo list but I haven't gotten around these improvements yet... Best regards, Thomas ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/2] smack: new package. 2014-04-21 12:49 ` Thomas De Schampheleire @ 2014-04-24 20:14 ` Peter Korsgaard 2014-04-25 7:16 ` Thomas Petazzoni 0 siblings, 1 reply; 10+ messages in thread From: Peter Korsgaard @ 2014-04-24 20:14 UTC (permalink / raw) To: buildroot >>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes: Hi, >> While reviewing these packages, I was indeed thinking of writing a >> "package addition check list" for the manual. But I'm wondering if this >> wouldn't replicate quite a lot of informations already in the manual, >> though it's true the idea of testing with some specific toolchain >> configurations isn't written anywhere. > I certainly think a checklist would be a good addition to the > manual. The checklist would not contain details, but only references > to other parts of the manual. > Adding a list of toolchain configurations to test packages with is > also on my todo list but I haven't gotten around these improvements > yet... Perhaps we need something like checkpatch.pl to test a package with the various toolchain combinations? -- Bye, Peter Korsgaard ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 1/2] smack: new package. 2014-04-24 20:14 ` Peter Korsgaard @ 2014-04-25 7:16 ` Thomas Petazzoni 0 siblings, 0 replies; 10+ messages in thread From: Thomas Petazzoni @ 2014-04-25 7:16 UTC (permalink / raw) To: buildroot Dear Peter Korsgaard, On Thu, 24 Apr 2014 22:14:34 +0200, Peter Korsgaard wrote: > >> While reviewing these packages, I was indeed thinking of writing a > >> "package addition check list" for the manual. But I'm wondering if this > >> wouldn't replicate quite a lot of informations already in the manual, > >> though it's true the idea of testing with some specific toolchain > >> configurations isn't written anywhere. > > > I certainly think a checklist would be a good addition to the > > manual. The checklist would not contain details, but only references > > to other parts of the manual. > > > Adding a list of toolchain configurations to test packages with is > > also on my todo list but I haven't gotten around these improvements > > yet... > > Perhaps we need something like checkpatch.pl to test a package with the > various toolchain combinations? That could work with the packages that don't have crazy dependencies. But as soon as the package starts depending on OpenGL or things like that, it would be more difficult I believe. Thomas -- Thomas Petazzoni, CTO, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com ^ permalink raw reply [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 2/2] systemd: add SMACK support option. 2014-04-20 18:54 [Buildroot] [PATCH 0/2] SMACK: mandatory access control Eric Le Bihan 2014-04-20 18:54 ` [Buildroot] [PATCH 1/2] smack: new package Eric Le Bihan @ 2014-04-20 18:54 ` Eric Le Bihan 2014-06-08 14:33 ` Thomas Petazzoni 1 sibling, 1 reply; 10+ messages in thread From: Eric Le Bihan @ 2014-04-20 18:54 UTC (permalink / raw) To: buildroot A new configuration option is available in systemd menu, to enable support for SMACK. For this feature to properly work, systemd requires attr (build dependency, also used for other features) and smack (runtime dependency). Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr> --- package/systemd/Config.in | 14 ++++++++++++++ package/systemd/systemd.mk | 13 +++++++++++++ 2 files changed, 27 insertions(+) diff --git a/package/systemd/Config.in b/package/systemd/Config.in index f10637a..0c8ecd8 100644 --- a/package/systemd/Config.in +++ b/package/systemd/Config.in @@ -105,4 +105,18 @@ config BR2_PACKAGE_SYSTEMD_COMPAT This option enables the installation of compatibility *.pc files. +config BR2_PACKAGE_SYSTEMD_SMACK_SUPPORT + bool "enable SMACK support" + select BR2_PACKAGE_ATTR + select BR2_PACKAGE_SMACK + help + Enable support for SMACK, the Simple Mandatory Access Control + Kernel, a minimal approach to Access Control implemented as a kernel + LSM. + + This feature requires a kernel >= 3.8. + + When this feature is enabled, Systemd mounts smackfs and manages + security labels for sockets. + endif diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk index f7661ab..0dfd0c0 100644 --- a/package/systemd/systemd.mk +++ b/package/systemd/systemd.mk @@ -59,6 +59,13 @@ else SYSTEMD_CONF_OPT += --disable-acl endif +ifeq ($(BR2_PACKAGE_ATTR),y) +SYSTEMD_CONF_OPT += --enable-attr +SYSTEMD_DEPENDENCIES += attr +else +SYSTEMD_CONF_OPT += --disable-attr +endif + ifeq ($(BR2_PACKAGE_LIBGLIB2),y) SYSTEMD_CONF_OPT += --enable-gudev SYSTEMD_DEPENDENCIES += libglib2 @@ -92,6 +99,12 @@ else SYSTEMD_CONF_OPT += --disable-networkd endif +ifeq ($(BR2_PACKAGE_SYSTEMD_SMACK_SUPPORT),y) +SYSTEMD_CONF_OPT += --enable-smack +else +SYSTEMD_CONF_OPT += --disable-smack +endif + # mq_getattr needs -lrt SYSTEMD_MAKE_OPT += LIBS=-lrt SYSTEMD_MAKE_OPT += LDFLAGS+=-ldl -- 1.9.0 ^ permalink raw reply related [flat|nested] 10+ messages in thread
* [Buildroot] [PATCH 2/2] systemd: add SMACK support option. 2014-04-20 18:54 ` [Buildroot] [PATCH 2/2] systemd: add SMACK support option Eric Le Bihan @ 2014-06-08 14:33 ` Thomas Petazzoni 0 siblings, 0 replies; 10+ messages in thread From: Thomas Petazzoni @ 2014-06-08 14:33 UTC (permalink / raw) To: buildroot Dear Eric Le Bihan, On Sun, 20 Apr 2014 20:54:04 +0200, Eric Le Bihan wrote: > A new configuration option is available in systemd menu, to enable > support for SMACK. > > For this feature to properly work, systemd requires attr (build > dependency, also used for other features) and smack (runtime dependency). > > Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr> > --- > package/systemd/Config.in | 14 ++++++++++++++ > package/systemd/systemd.mk | 13 +++++++++++++ > 2 files changed, 27 insertions(+) Applied, thanks. Thomas -- Thomas Petazzoni, CTO, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-06-08 14:33 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-04-20 18:54 [Buildroot] [PATCH 0/2] SMACK: mandatory access control Eric Le Bihan 2014-04-20 18:54 ` [Buildroot] [PATCH 1/2] smack: new package Eric Le Bihan 2014-04-21 10:19 ` Thomas Petazzoni 2014-04-21 11:56 ` Eric Le Bihan 2014-04-21 11:55 ` Thomas Petazzoni 2014-04-21 12:49 ` Thomas De Schampheleire 2014-04-24 20:14 ` Peter Korsgaard 2014-04-25 7:16 ` Thomas Petazzoni 2014-04-20 18:54 ` [Buildroot] [PATCH 2/2] systemd: add SMACK support option Eric Le Bihan 2014-06-08 14:33 ` Thomas Petazzoni
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox