[Buildroot] [PATCH 0/2] SMACK: mandatory access control

[Buildroot] [PATCH 0/2] SMACK: mandatory access control

[Eric Le Bihan]

Hi!

This small series adds support for SMACK, the Simplified Mandatory Access
Control Kernel.

In computer security, a Mandatory Access Control is a mechanism where the
operating system contrains the access to an object (file, socket, ...) by a
subject (typically a process) according to rules. A well-known example is
SELinux.

SMACK is an implementation of this mechanism, aimed towards simplicity.
It can be used to harden embedded devices. It is currently used in Tizen.

This series introduces the "smack" package, which provides the user space
library as well as the tools to manage the access rules. When selecting this
package, the support for SMACK is actived in the kernel. SMACK is controlled
via the pseudo file system /sys/fs/smackfs. Systemd can mount it automatically
if compiled with SMACK support. So the systemd package has been updated
accordingly.

Best regards,
ELB

Eric Le Bihan (2):
  smack: new package.
  systemd: add SMACK support option.

 linux/linux.mk             |  4 ++++
 package/Config.in          |  1 +
 package/smack/Config.in    | 28 ++++++++++++++++++++++++++++
 package/smack/smack.mk     | 14 ++++++++++++++
 package/systemd/Config.in  | 14 ++++++++++++++
 package/systemd/systemd.mk | 13 +++++++++++++
 6 files changed, 74 insertions(+)
 create mode 100644 package/smack/Config.in
 create mode 100644 package/smack/smack.mk

-- 
1.9.0

[Buildroot] [PATCH 1/2] smack: new package.

[Eric Le Bihan]

SMACK stands for Simplified Mandatory Access Control Kernel. It is a Linux
Security Module which provides a Mandatory Access Control mechanism,
like SELinux, but aiming towards simplicity.

This package provides the tools to load/unload the policy from the
kernel as well as a library allowing applications to interact with
SMACK. The proper kernel options are also set.

Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
---
 linux/linux.mk          |  4 ++++
 package/Config.in       |  1 +
 package/smack/Config.in | 28 ++++++++++++++++++++++++++++
 package/smack/smack.mk  | 14 ++++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 package/smack/Config.in
 create mode 100644 package/smack/smack.mk

diff --git a/linux/linux.mk b/linux/linux.mk
index e270705..bd3f2ac 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -200,6 +200,10 @@ define LINUX_CONFIGURE_CMDS
 		$(call KCONFIG_ENABLE_OPT,CONFIG_AUTOFS4_FS,$(@D)/.config)
 		$(call KCONFIG_ENABLE_OPT,CONFIG_TMPFS_POSIX_ACL,$(@D)/.config)
 		$(call KCONFIG_ENABLE_OPT,CONFIG_TMPFS_POSIX_XATTR,$(@D)/.config))
+	$(if $(BR2_PACKAGE_SMACK),
+		$(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY,$(@D)/.config)
+		$(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_SMACK,$(@D)/.config)
+		$(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_NETWORK,$(@D)/.config))
 	$(if $(BR2_LINUX_KERNEL_APPENDED_DTB),
 		$(call KCONFIG_ENABLE_OPT,CONFIG_ARM_APPENDED_DTB,$(@D)/.config))
 	yes '' | $(TARGET_MAKE_ENV) $(MAKE1) $(LINUX_MAKE_FLAGS) -C $(@D) oldconfig
diff --git a/package/Config.in b/package/Config.in
index 44c35ea..323596e 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1104,6 +1104,7 @@ source "package/quota/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 source "package/rsyslog/Config.in"
 endif
+source "package/smack/Config.in"
 source "package/supervisor/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 source "package/sysklogd/Config.in"
diff --git a/package/smack/Config.in b/package/smack/Config.in
new file mode 100644
index 0000000..971b79a
--- /dev/null
+++ b/package/smack/Config.in
@@ -0,0 +1,28 @@
+config BR2_PACKAGE_SMACK
+	bool "smack"
+	help
+	  User space programs and libraries for SMACK.
+
+	  SMACK stands for Simplified Mandatory Access Control Kernel.
+	  It is a Linux Security Module which provides a Mandatory Access
+	  Control mechanism, aimed towards simplicity.
+
+	  This package provides a library which allows applications to work
+	  with SMACK and tools to load/unload rules from the kernel, as well
+	  as query the policy.
+
+	  SMACK requires the following kernel options to be enabled:
+
+	  - CONFIG_SECURITY
+	  - CONFIG_SECURITY_SMACK
+	  - CONFIG_SECURITY_NETWORK
+
+	  These options will be automatically enabled by Buildroot if it is
+	  responsible for building the kernel. Otherwise, if you are building
+	  your kernel outside of Buildroot, make sure these options are
+	  enabled.
+
+	  To activate SMACK, do not forget to add "security=smack" to your
+	  kernel command line.
+
+	  https://github.com/smack-team/smack
diff --git a/package/smack/smack.mk b/package/smack/smack.mk
new file mode 100644
index 0000000..41f71a4
--- /dev/null
+++ b/package/smack/smack.mk
@@ -0,0 +1,14 @@
+################################################################################
+#
+# smack
+#
+################################################################################
+
+SMACK_VERSION = 1.0.4
+SMACK_SITE = $(call github,smack-team,smack,v$(SMACK_VERSION))
+SMACK_LICENSE = LGPLv2.1+
+SMACK_LICENSE_FILES = COPYING
+SMACK_INSTALL_STAGING = YES
+SMACK_AUTORECONF = YES
+
+$(eval $(autotools-package))
-- 
1.9.0

[Buildroot] [PATCH 2/2] systemd: add SMACK support option.

[Eric Le Bihan]

A new configuration option is available in systemd menu, to enable
support for SMACK.

For this feature to properly work, systemd requires attr (build
dependency, also used for other features) and smack (runtime dependency).

Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
---
 package/systemd/Config.in  | 14 ++++++++++++++
 package/systemd/systemd.mk | 13 +++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/package/systemd/Config.in b/package/systemd/Config.in
index f10637a..0c8ecd8 100644
--- a/package/systemd/Config.in
+++ b/package/systemd/Config.in
@@ -105,4 +105,18 @@ config BR2_PACKAGE_SYSTEMD_COMPAT
 
 	  This option enables the installation of compatibility *.pc files.
 
+config BR2_PACKAGE_SYSTEMD_SMACK_SUPPORT
+	bool "enable SMACK support"
+	select BR2_PACKAGE_ATTR
+	select BR2_PACKAGE_SMACK
+	help
+	  Enable support for SMACK, the Simple Mandatory Access Control
+	  Kernel, a minimal approach to Access Control implemented as a kernel
+	  LSM.
+
+	  This feature requires a kernel >= 3.8.
+
+	  When this feature is enabled, Systemd mounts smackfs and manages
+	  security labels for sockets.
+
 endif
diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index f7661ab..0dfd0c0 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -59,6 +59,13 @@ else
 SYSTEMD_CONF_OPT += --disable-acl
 endif
 
+ifeq ($(BR2_PACKAGE_ATTR),y)
+SYSTEMD_CONF_OPT += --enable-attr
+SYSTEMD_DEPENDENCIES += attr
+else
+SYSTEMD_CONF_OPT += --disable-attr
+endif
+
 ifeq ($(BR2_PACKAGE_LIBGLIB2),y)
 SYSTEMD_CONF_OPT += --enable-gudev
 SYSTEMD_DEPENDENCIES += libglib2
@@ -92,6 +99,12 @@ else
 SYSTEMD_CONF_OPT += --disable-networkd
 endif
 
+ifeq ($(BR2_PACKAGE_SYSTEMD_SMACK_SUPPORT),y)
+SYSTEMD_CONF_OPT += --enable-smack
+else
+SYSTEMD_CONF_OPT += --disable-smack
+endif
+
 # mq_getattr needs -lrt
 SYSTEMD_MAKE_OPT += LIBS=-lrt
 SYSTEMD_MAKE_OPT += LDFLAGS+=-ldl
-- 
1.9.0

[Buildroot] [PATCH 1/2] smack: new package.

[Thomas Petazzoni]

Dear Eric Le Bihan,

On Sun, 20 Apr 2014 20:54:03 +0200, Eric Le Bihan wrote:

> diff --git a/package/smack/Config.in b/package/smack/Config.in
> new file mode 100644
> index 0000000..971b79a
> --- /dev/null
> +++ b/package/smack/Config.in
> @@ -0,0 +1,28 @@
> +config BR2_PACKAGE_SMACK
> +	bool "smack"

Dependency on !BR2_PREFER_STATIC_LIB was missing, due to <dlfcn.h>
usage. Remember to build test your packages with
http://autobuild.buildroot.org/toolchains/configs/free-electrons/bfin-linux-uclibc.config
(to test !MMU) and
http://autobuild.buildroot.org/toolchains/configs/free-electrons/bfin-uclinux.config
(to test !MMU and BR2_PREFER_STATIC_LIB).


> +SMACK_VERSION = 1.0.4
> +SMACK_SITE = $(call github,smack-team,smack,v$(SMACK_VERSION))
> +SMACK_LICENSE = LGPLv2.1+

License is actually LGPLv2.1, according to comment headers in the
source code.

> +SMACK_LICENSE_FILES = COPYING
> +SMACK_INSTALL_STAGING = YES
> +SMACK_AUTORECONF = YES

Dependency on host-pkgconf was missing, the configure.ac script uses
PKG_CHECK_MODULES.

Applied with those changes,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH 1/2] smack: new package.

[Thomas Petazzoni]

Dear Eric Le Bihan,

On Mon, 21 Apr 2014 13:56:07 +0200, Eric Le Bihan wrote:

> Thanks for the polishing! Wouldn't it be useful to add a stanza in the
> docs/manual/contribute.txt about performing some compliancy tests using these
> two configurations before submitting new packages? Are there any other
> criteria that could fit compliancy tests/checklist?

While reviewing these packages, I was indeed thinking of writing a
"package addition check list" for the manual. But I'm wondering if this
wouldn't replicate quite a lot of informations already in the manual,
though it's true the idea of testing with some specific toolchain
configurations isn't written anywhere.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH 1/2] smack: new package.

[Eric Le Bihan]

Hi!

On Mon, Apr 21, 2014 at 12:19:01PM +0200, Thomas Petazzoni wrote:
> Dear Eric Le Bihan,
>
> On Sun, 20 Apr 2014 20:54:03 +0200, Eric Le Bihan wrote:
>
> > diff --git a/package/smack/Config.in b/package/smack/Config.in
> > new file mode 100644
> > index 0000000..971b79a
> > --- /dev/null
> > +++ b/package/smack/Config.in
> > @@ -0,0 +1,28 @@
> > +config BR2_PACKAGE_SMACK
> > +	bool "smack"
>
> Dependency on !BR2_PREFER_STATIC_LIB was missing, due to <dlfcn.h>
> usage. Remember to build test your packages with
> http://autobuild.buildroot.org/toolchains/configs/free-electrons/bfin-linux-uclibc.config
> (to test !MMU) and
> http://autobuild.buildroot.org/toolchains/configs/free-electrons/bfin-uclinux.config
> (to test !MMU and BR2_PREFER_STATIC_LIB).
Thanks for the polishing! Wouldn't it be useful to add a stanza in the
docs/manual/contribute.txt about performing some compliancy tests using these
two configurations before submitting new packages? Are there any other
criteria that could fit compliancy tests/checklist?

Best regards,
ELB

[Buildroot] [PATCH 1/2] smack: new package.

[Thomas De Schampheleire]

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> schreef:
>Dear Eric Le Bihan,
>
>On Mon, 21 Apr 2014 13:56:07 +0200, Eric Le Bihan wrote:
>
>> Thanks for the polishing! Wouldn't it be useful to add a stanza in the
>> docs/manual/contribute.txt about performing some compliancy tests using these
>> two configurations before submitting new packages? Are there any other
>> criteria that could fit compliancy tests/checklist?
>
>While reviewing these packages, I was indeed thinking of writing a
>"package addition check list" for the manual. But I'm wondering if this
>wouldn't replicate quite a lot of informations already in the manual,
>though it's true the idea of testing with some specific toolchain
>configurations isn't written anywhere.

I certainly think a checklist would be a good addition to the manual. The checklist would not contain details, but only references to other parts of the manual.

Adding a list of toolchain configurations to test packages with is also on my todo list but I haven't gotten around these improvements yet...

Best regards,
Thomas

[Buildroot] [PATCH 1/2] smack: new package.

[Peter Korsgaard]

>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin@gmail.com> writes:

Hi,

 >> While reviewing these packages, I was indeed thinking of writing a
 >> "package addition check list" for the manual. But I'm wondering if this
 >> wouldn't replicate quite a lot of informations already in the manual,
 >> though it's true the idea of testing with some specific toolchain
 >> configurations isn't written anywhere.

 > I certainly think a checklist would be a good addition to the
 > manual. The checklist would not contain details, but only references
 > to other parts of the manual.

 > Adding a list of toolchain configurations to test packages with is
 > also on my todo list but I haven't gotten around these improvements
 > yet...

Perhaps we need something like checkpatch.pl to test a package with the
various toolchain combinations?

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/2] smack: new package.

[Thomas Petazzoni]

Dear Peter Korsgaard,

On Thu, 24 Apr 2014 22:14:34 +0200, Peter Korsgaard wrote:

>  >> While reviewing these packages, I was indeed thinking of writing a
>  >> "package addition check list" for the manual. But I'm wondering if this
>  >> wouldn't replicate quite a lot of informations already in the manual,
>  >> though it's true the idea of testing with some specific toolchain
>  >> configurations isn't written anywhere.
> 
>  > I certainly think a checklist would be a good addition to the
>  > manual. The checklist would not contain details, but only references
>  > to other parts of the manual.
> 
>  > Adding a list of toolchain configurations to test packages with is
>  > also on my todo list but I haven't gotten around these improvements
>  > yet...
> 
> Perhaps we need something like checkpatch.pl to test a package with the
> various toolchain combinations?

That could work with the packages that don't have crazy dependencies.
But as soon as the package starts depending on OpenGL or things like
that, it would be more difficult I believe.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH 2/2] systemd: add SMACK support option.

[Thomas Petazzoni]

Dear Eric Le Bihan,

On Sun, 20 Apr 2014 20:54:04 +0200, Eric Le Bihan wrote:
> A new configuration option is available in systemd menu, to enable
> support for SMACK.
> 
> For this feature to properly work, systemd requires attr (build
> dependency, also used for other features) and smack (runtime dependency).
> 
> Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
> ---
>  package/systemd/Config.in  | 14 ++++++++++++++
>  package/systemd/systemd.mk | 13 +++++++++++++
>  2 files changed, 27 insertions(+)

Applied, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com