[PATCH] shadow: 'useradd' copies root's extended attributes

[PATCH] shadow: 'useradd' copies root's extended attributes

[jobol]

From: José Bollo <jose.bollo@iot.bzh>

The copy of extended attributes is interesting for
Smack systems because it allows to set the security
template of the user's home directories without
modifying the tools (useradd here). But the version
of useradd that copies the extended attributes doesn't
copy the extended attributes of the root. This can make
use of homes impossible! This patch corrects the issue
by copying the extended attributes of the root directory:
/home/user will get the extended attributes of /etc/skel.

This includes 2 patches to implement the behaviour:
one for the target and one for the native.

The patch for the target was submitted upstream (see
http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html)

The patch for the native couldn't be submitted upstream
because it applies after the patch specific to open-embedded
that creates the parent directories:
  0001-useradd.c-create-parent-directories-when-necessary.patch

Also, attr are activated for native tools.
This is needed when users are created during image creation.

Signed-off-by: José Bollo <jose.bollo@iot.bzh>
---
 ...d-copy-extended-attributes-of-home-native.patch | 46 +++++++++++++++++++++
 ...-useradd-copy-extended-attributes-of-home.patch | 47 ++++++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc            |  4 +-
 3 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch
 create mode 100644 meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch

diff --git a/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch
new file mode 100644
index 0000000..e93693e
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch
@@ -0,0 +1,46 @@
+From 008637fc8bd7f601eb6554d572bba025613913b7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Wed, 8 Mar 2017 14:10:10 +0100
+Subject: [PATCH] useradd: copy extended attributes of home (native)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Home directory wasn't getting the extended attributes
+of /etc/skel. This patch fixes that issue and adds the copy
+of the extended attributes of the root of the home directory.
+
+Upstream-Status: Inappropriate [OE specific]
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/useradd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 4c418af..8ba8af6 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -55,6 +55,9 @@
+ #include <sys/stat.h>
+ #include <sys/types.h>
+ #include <time.h>
++#ifdef WITH_ATTR
++#include <attr/libattr.h>
++#endif
+ #include "chkname.h"
+ #include "defines.h"
+ #include "faillog.h"
+@@ -1950,6 +1953,9 @@ static void create_home (void)
+ 	chown (user_home, user_id, user_gid);
+ 	chmod (user_home,
+ 	       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++	attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
+ 	home_added = true;
+ #ifdef WITH_AUDIT
+ 	audit_logger (AUDIT_ADD_USER, Prog,
+-- 
+2.9.3
+
diff --git a/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
new file mode 100644
index 0000000..60a46e1
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
@@ -0,0 +1,47 @@
+From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Tue, 7 Mar 2017 16:03:03 +0100
+Subject: [PATCH] useradd: copy extended attributes of home
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Home directory wasn't getting the extended attributes
+of /etc/skel. This patch fixes that issue and adds the copy
+of the extended attributes of the root of the home directory.
+
+Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html]
+
+Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/useradd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a8a1f76..8aefb9c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -52,6 +52,9 @@
+ #include <sys/stat.h>
+ #include <sys/types.h>
+ #include <time.h>
++#ifdef WITH_ATTR
++#include <attr/libattr.h>
++#endif
+ #include "chkname.h"
+ #include "defines.h"
+ #include "faillog.h"
+@@ -1915,6 +1918,9 @@ static void create_home (void)
+ 		chown (user_home, user_id, user_gid);
+ 		chmod (user_home,
+ 		       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++		attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
+ 		home_added = true;
+ #ifdef WITH_AUDIT
+ 		audit_logger (AUDIT_ADD_USER, Prog,
+-- 
+2.9.3
+
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index e59ff64..62531df 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -22,6 +22,7 @@ SRC_URI_append_class-target = " \
            file://login_defs_pam.sed \
            file://shadow-update-pam-conf.patch \
            file://shadow-relaxed-usernames.patch \
+           file://0001-useradd-copy-extended-attributes-of-home.patch \
            "
 
 SRC_URI_append_class-native = " \
@@ -29,6 +30,7 @@ SRC_URI_append_class-native = " \
            file://allow-for-setting-password-in-clear-text.patch \
            file://commonio.c-fix-unexpected-open-failure-in-chroot-env.patch \
            file://0001-useradd.c-create-parent-directories-when-necessary.patch \
+           file://0001-useradd-copy-extended-attributes-of-home-native.patch \
            "
 SRC_URI_append_class-nativesdk = " \
            file://0001-Disable-use-of-syslog-for-sysroot.patch \
@@ -76,7 +78,7 @@ PAM_PLUGINS = "libpam-runtime \
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}"
-PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}"
 PACKAGECONFIG_class-nativesdk = ""
 PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"
-- 
2.9.3

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[Patrick Ohly]

On Thu, 2017-03-09 at 15:07 +0100, jobol@nonadev.net wrote:
> From: José Bollo <jose.bollo@iot.bzh>
> 
> The copy of extended attributes is interesting for
> Smack systems because it allows to set the security
> template of the user's home directories without
> modifying the tools (useradd here). But the version
> of useradd that copies the extended attributes doesn't
> copy the extended attributes of the root. This can make
> use of homes impossible! This patch corrects the issue
> by copying the extended attributes of the root directory:
> /home/user will get the extended attributes of /etc/skel.

Makes sense to me.

> This includes 2 patches to implement the behaviour:
> one for the target and one for the native.
> 
> The patch for the target was submitted upstream (see
> http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html)
> 
> The patch for the native couldn't be submitted upstream
> because it applies after the patch specific to open-embedded
> that creates the parent directories:
>   0001-useradd.c-create-parent-directories-when-necessary.patch

Can't you reorder and rebase the patches so that this
0001-useradd.c-create-parent-directories-when-necessary.patch applies on
top of the patch which was submitted upstream?

"devtool modify shadow-native" might be useful for that. "git rebase -i"
in workspace/sources/shadow-native", then finish with "devtool
update-recipe shadow-native". I haven't tried whether "update-recipe"
handles re-ordering patches. If it doesn't, just fix it manually.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[José Bollo]

On Thu, 09 Mar 2017 17:07:54 +0100
Patrick Ohly <patrick.ohly@intel.com> wrote:

> On Thu, 2017-03-09 at 15:07 +0100, jobol@nonadev.net wrote:
> > From: José Bollo <jose.bollo@iot.bzh>
> > 
> > The copy of extended attributes is interesting for
> > Smack systems because it allows to set the security
> > template of the user's home directories without
> > modifying the tools (useradd here). But the version
> > of useradd that copies the extended attributes doesn't
> > copy the extended attributes of the root. This can make
> > use of homes impossible! This patch corrects the issue
> > by copying the extended attributes of the root directory:
> > /home/user will get the extended attributes of /etc/skel.  
> 
> Makes sense to me.
> 
> > This includes 2 patches to implement the behaviour:
> > one for the target and one for the native.
> > 
> > The patch for the target was submitted upstream (see
> > http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html)
> > 
> > The patch for the native couldn't be submitted upstream
> > because it applies after the patch specific to open-embedded
> > that creates the parent directories:
> >   0001-useradd.c-create-parent-directories-when-necessary.patch  
> 
> Can't you reorder and rebase the patches so that this
> 0001-useradd.c-create-parent-directories-when-necessary.patch applies
> on top of the patch which was submitted upstream?

I agree that it would be better to reorder. Better but less
conservative because an existing patch must be upgraded.

> "devtool modify shadow-native" might be useful for that. "git rebase
> -i" in workspace/sources/shadow-native", then finish with "devtool
> update-recipe shadow-native". I haven't tried whether "update-recipe"
> handles re-ordering patches. If it doesn't, just fix it manually.

I'll do and propose the new version soon.

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[Patrick Ohly]

On Thu, 2017-03-09 at 17:48 +0100, José Bollo wrote:
> On Thu, 09 Mar 2017 17:07:54 +0100
> Patrick Ohly <patrick.ohly@intel.com> wrote:
> > Can't you reorder and rebase the patches so that this
> > 0001-useradd.c-create-parent-directories-when-necessary.patch applies
> > on top of the patch which was submitted upstream?
> 
> I agree that it would be better to reorder. Better but less
> conservative because an existing patch must be upgraded.

If upstream merges the proposed patch, then rebasing will be inevitable
at some point, so we might as well do the cleaner solution now, even if
the diff becomes larger.

> > "devtool modify shadow-native" might be useful for that. "git rebase
> > -i" in workspace/sources/shadow-native", then finish with "devtool
> > update-recipe shadow-native". I haven't tried whether "update-recipe"
> > handles re-ordering patches. If it doesn't, just fix it manually.
> 
> I'll do and propose the new version soon.

Thanks!

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[José Bollo]

On Thu, 09 Mar 2017 18:18:05 +0100
Patrick Ohly <patrick.ohly@intel.com> wrote:

> On Thu, 2017-03-09 at 17:48 +0100, José Bollo wrote:
> > On Thu, 09 Mar 2017 17:07:54 +0100
> > Patrick Ohly <patrick.ohly@intel.com> wrote:  
> > > Can't you reorder and rebase the patches so that this
> > > 0001-useradd.c-create-parent-directories-when-necessary.patch
> > > applies on top of the patch which was submitted upstream?  
> > 
> > I agree that it would be better to reorder. Better but less
> > conservative because an existing patch must be upgraded.  
> 
> If upstream merges the proposed patch, then rebasing will be
> inevitable at some point, so we might as well do the cleaner solution
> now, even if the diff becomes larger.
> 
> > > "devtool modify shadow-native" might be useful for that. "git
> > > rebase -i" in workspace/sources/shadow-native", then finish with
> > > "devtool update-recipe shadow-native". I haven't tried whether
> > > "update-recipe" handles re-ordering patches. If it doesn't, just
> > > fix it manually.  
> > 
> > I'll do and propose the new version soon.  
> 
> Thanks!
> 

I pushed a new version of the patch this monday. I suppose that it is
waiting for approval.

Best regards
José Bollo

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[wenzong fan]

Hi José Bollo,

This will override the labels of user's home directories that set by 
SELinux.

For example, if I run below command on SELinux enabled system:

$ useradd test

SELinux will label it as "user_u:object_r:user_home_dir_t:SystemLow" 
first, and then useradd will reset the label as 
"system_u:object_r:etc_t:SystemLow".

I got strace logs below:

723   openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", 
O_RDWR|O_CLOEXEC) = 11
723   write(11, "user_u:object_r:user_home_dir_t:"..., 35) = 35 

723   close(11)                         = 0
723   mkdir("/home/t1", 000)            = 0
723   chown("/home/t1", 1000, 1000)     = 0
723   chmod("/home/t1", 0755)           = 0

# SELinux labelled it as "user_home_dir_t" here.

723   llistxattr("/etc/skel", NULL, 0)  = 17
723   llistxattr("/etc/skel", "security.selinux\0", 17) = 17
723   openat(AT_FDCWD, "/etc/xattr.conf", O_RDONLY) = -1 ENOENT (No such 
file or directory)
723   lgetxattr("/etc/skel", "security.selinux", NULL, 0) = 27
723   lgetxattr("/etc/skel", "security.selinux", 
"system_u:object_r:etc_t:s0", 27) = 27
723   lsetxattr("/home/t1", "security.selinux", 
"system_u:object_r:etc_t:s0", 27, 0) = 0

# useradd reset the label as "etc_t" here.

Do you agree to move the patch to Smack specific layer? Such as 
meta-security?

Thanks
Wenzong

On 03/15/2017 04:04 PM, José Bollo wrote:
> On Thu, 09 Mar 2017 18:18:05 +0100
> Patrick Ohly <patrick.ohly@intel.com> wrote:
> 
>> On Thu, 2017-03-09 at 17:48 +0100, José Bollo wrote:
>>> On Thu, 09 Mar 2017 17:07:54 +0100
>>> Patrick Ohly <patrick.ohly@intel.com> wrote:
>>>> Can't you reorder and rebase the patches so that this
>>>> 0001-useradd.c-create-parent-directories-when-necessary.patch
>>>> applies on top of the patch which was submitted upstream?
>>>
>>> I agree that it would be better to reorder. Better but less
>>> conservative because an existing patch must be upgraded.
>>
>> If upstream merges the proposed patch, then rebasing will be
>> inevitable at some point, so we might as well do the cleaner solution
>> now, even if the diff becomes larger.
>>
>>>> "devtool modify shadow-native" might be useful for that. "git
>>>> rebase -i" in workspace/sources/shadow-native", then finish with
>>>> "devtool update-recipe shadow-native". I haven't tried whether
>>>> "update-recipe" handles re-ordering patches. If it doesn't, just
>>>> fix it manually.
>>>
>>> I'll do and propose the new version soon.
>>
>> Thanks!
>>
> 
> I pushed a new version of the patch this monday. I suppose that it is
> waiting for approval.
> 
> Best regards
> José Bollo
> 

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[wenzong fan]

On 01/04/2018 05:28 PM, wenzong fan wrote:
> Hi José Bollo,
> 
> This will override the labels of user's home directories that set by 
> SELinux.
> 
> For example, if I run below command on SELinux enabled system:
> 
> $ useradd test
> 

Sorry for the typo: s/test/t1/g to match with strace logs.

// Wenzong

> SELinux will label it as "user_u:object_r:user_home_dir_t:SystemLow" 
> first, and then useradd will reset the label as 
> "system_u:object_r:etc_t:SystemLow".
> 
> I got strace logs below:
> 
> 723   openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", 
> O_RDWR|O_CLOEXEC) = 11
> 723   write(11, "user_u:object_r:user_home_dir_t:"..., 35) = 35
> 723   close(11)                         = 0
> 723   mkdir("/home/t1", 000)            = 0
> 723   chown("/home/t1", 1000, 1000)     = 0
> 723   chmod("/home/t1", 0755)           = 0
> 
> # SELinux labelled it as "user_home_dir_t" here.
> 
> 723   llistxattr("/etc/skel", NULL, 0)  = 17
> 723   llistxattr("/etc/skel", "security.selinux\0", 17) = 17
> 723   openat(AT_FDCWD, "/etc/xattr.conf", O_RDONLY) = -1 ENOENT (No such 
> file or directory)
> 723   lgetxattr("/etc/skel", "security.selinux", NULL, 0) = 27
> 723   lgetxattr("/etc/skel", "security.selinux", 
> "system_u:object_r:etc_t:s0", 27) = 27
> 723   lsetxattr("/home/t1", "security.selinux", 
> "system_u:object_r:etc_t:s0", 27, 0) = 0
> 
> # useradd reset the label as "etc_t" here.
> 
> Do you agree to move the patch to Smack specific layer? Such as 
> meta-security?
> 
> Thanks
> Wenzong
> 
> On 03/15/2017 04:04 PM, José Bollo wrote:
>> On Thu, 09 Mar 2017 18:18:05 +0100
>> Patrick Ohly <patrick.ohly@intel.com> wrote:
>>
>>> On Thu, 2017-03-09 at 17:48 +0100, José Bollo wrote:
>>>> On Thu, 09 Mar 2017 17:07:54 +0100
>>>> Patrick Ohly <patrick.ohly@intel.com> wrote:
>>>>> Can't you reorder and rebase the patches so that this
>>>>> 0001-useradd.c-create-parent-directories-when-necessary.patch
>>>>> applies on top of the patch which was submitted upstream?
>>>>
>>>> I agree that it would be better to reorder. Better but less
>>>> conservative because an existing patch must be upgraded.
>>>
>>> If upstream merges the proposed patch, then rebasing will be
>>> inevitable at some point, so we might as well do the cleaner solution
>>> now, even if the diff becomes larger.
>>>
>>>>> "devtool modify shadow-native" might be useful for that. "git
>>>>> rebase -i" in workspace/sources/shadow-native", then finish with
>>>>> "devtool update-recipe shadow-native". I haven't tried whether
>>>>> "update-recipe" handles re-ordering patches. If it doesn't, just
>>>>> fix it manually.
>>>>
>>>> I'll do and propose the new version soon.
>>>
>>> Thanks!
>>>
>>
>> I pushed a new version of the patch this monday. I suppose that it is
>> waiting for approval.
>>
>> Best regards
>> José Bollo
>>
> 

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[José Bollo]

On Thu, 4 Jan 2018 17:28:27 +0800
wenzong fan <wenzong.fan@windriver.com> wrote:

> Hi José Bollo,
> 
> This will override the labels of user's home directories that set by 
> SELinux.
> 
> For example, if I run below command on SELinux enabled system:
> 
> $ useradd test
> 
> SELinux will label it as "user_u:object_r:user_home_dir_t:SystemLow" 
> first, and then useradd will reset the label as 
> "system_u:object_r:etc_t:SystemLow".
> 
> I got strace logs below:
> 
> 723   openat(AT_FDCWD, "/proc/thread-self/attr/fscreate", 
> O_RDWR|O_CLOEXEC) = 11
> 723   write(11, "user_u:object_r:user_home_dir_t:"..., 35) = 35 
> 
> 723   close(11)                         = 0
> 723   mkdir("/home/t1", 000)            = 0
> 723   chown("/home/t1", 1000, 1000)     = 0
> 723   chmod("/home/t1", 0755)           = 0
> 
> # SELinux labelled it as "user_home_dir_t" here.
> 
> 723   llistxattr("/etc/skel", NULL, 0)  = 17
> 723   llistxattr("/etc/skel", "security.selinux\0", 17) = 17
> 723   openat(AT_FDCWD, "/etc/xattr.conf", O_RDONLY) = -1 ENOENT (No
> such file or directory)
> 723   lgetxattr("/etc/skel", "security.selinux", NULL, 0) = 27
> 723   lgetxattr("/etc/skel", "security.selinux", 
> "system_u:object_r:etc_t:s0", 27) = 27
> 723   lsetxattr("/home/t1", "security.selinux", 
> "system_u:object_r:etc_t:s0", 27, 0) = 0
> 
> # useradd reset the label as "etc_t" here.
> 
> Do you agree to move the patch to Smack specific layer? Such as 
> meta-security?

I agree.

SELinux is the king of monsters and pushes others in corners...

Best regards
José

> Thanks
> Wenzong
> 
> On 03/15/2017 04:04 PM, José Bollo wrote:
> > On Thu, 09 Mar 2017 18:18:05 +0100
> > Patrick Ohly <patrick.ohly@intel.com> wrote:
> >   
> >> On Thu, 2017-03-09 at 17:48 +0100, José Bollo wrote:  
> >>> On Thu, 09 Mar 2017 17:07:54 +0100
> >>> Patrick Ohly <patrick.ohly@intel.com> wrote:  
> >>>> Can't you reorder and rebase the patches so that this
> >>>> 0001-useradd.c-create-parent-directories-when-necessary.patch
> >>>> applies on top of the patch which was submitted upstream?  
> >>>
> >>> I agree that it would be better to reorder. Better but less
> >>> conservative because an existing patch must be upgraded.  
> >>
> >> If upstream merges the proposed patch, then rebasing will be
> >> inevitable at some point, so we might as well do the cleaner
> >> solution now, even if the diff becomes larger.
> >>  
> >>>> "devtool modify shadow-native" might be useful for that. "git
> >>>> rebase -i" in workspace/sources/shadow-native", then finish with
> >>>> "devtool update-recipe shadow-native". I haven't tried whether
> >>>> "update-recipe" handles re-ordering patches. If it doesn't, just
> >>>> fix it manually.  
> >>>
> >>> I'll do and propose the new version soon.  
> >>
> >> Thanks!
> >>  
> > 
> > I pushed a new version of the patch this monday. I suppose that it
> > is waiting for approval.
> > 
> > Best regards
> > José Bollo
> >   

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[Patrick Ohly]

On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote:
> > Do you agree to move the patch to Smack specific layer? Such as 
> > meta-security?
> 
> I agree.

Layers like meta-security should not modify recipes from other layers,
at least not by default. That would violate the "Yocto Compatible 2.0"
rules.

Besides, it would be harder to maintain in a separate layer - for the
maintainer of that layer.

I still think this patch belong into OE-core, even though it is then
more work for the OE-core maintainer.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[wenzong fan]

On 01/04/2018 06:41 PM, Patrick Ohly wrote:
> On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote:
>>> Do you agree to move the patch to Smack specific layer? Such as
>>> meta-security?
>>
>> I agree.
> 
> Layers like meta-security should not modify recipes from other layers,
> at least not by default. That would violate the "Yocto Compatible 2.0"
> rules.
> 
> Besides, it would be harder to maintain in a separate layer - for the
> maintainer of that layer.
> 
> I still think this patch belong into OE-core, even though it is then
> more work for the OE-core maintainer.
> 

If so, I think we should wrapper the logic with:

+#if defined(WITH_ATTR) && !defined(WITH_SELINUX)
+      attr_copy_file (def_template, user_home, NULL, NULL);
+#endif

Or just add a new condition like WITH_SMACK or something.

Thanks
Wenzong

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[Patrick Ohly]

On Thu, 2018-01-04 at 19:39 +0800, wenzong fan wrote:
> If so, I think we should wrapper the logic with:
> 
> +#if defined(WITH_ATTR) && !defined(WITH_SELINUX)
> +      attr_copy_file (def_template, user_home, NULL, NULL);
> +#endif

Does attr_copy_file fail when SELinux is active? In other words, why
should it be disabled when using SELinux?

File capabilities are also stored in xattrs. It might be relevant to
copy those when using SELinux. Or do I miss something?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[Fan, Wenzong]

It works and will override the labels of home dir that SELinux applied, that's the issue.

For SELinux enabled system, the user's home dir should have lavel 'user_home_dir_t' instead of 'etc_t', it prevents users from creating files in their home dir.

Thanks
Wenzong
________________________________________
From: Patrick Ohly [patrick.ohly@intel.com]
Sent: Thursday, January 04, 2018 7:50 PM
To: Fan, Wenzong; José Bollo
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

On Thu, 2018-01-04 at 19:39 +0800, wenzong fan wrote:
> If so, I think we should wrapper the logic with:
>
> +#if defined(WITH_ATTR) && !defined(WITH_SELINUX)
> +      attr_copy_file (def_template, user_home, NULL, NULL);
> +#endif

Does attr_copy_file fail when SELinux is active? In other words, why
should it be disabled when using SELinux?

File capabilities are also stored in xattrs. It might be relevant to
copy those when using SELinux. Or do I miss something?

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[Patrick Ohly]

On Fri, 2018-01-05 at 01:07 +0000, Fan, Wenzong wrote:
> It works and will override the labels of home dir that SELinux
> applied, that's the issue.
> 
> For SELinux enabled system, the user's home dir should have lavel
> 'user_home_dir_t' instead of 'etc_t', it prevents users from creating
> files in their home dir.

Sounds like the "copy xattr" function needs to become a bit smarter: it
needs to understand some of the semantic involved and skip those
SELinux xattrs that are always meant to be set dynamically by the
running kernel.

Wenzong, which xattrs are those? Do you agree with the proposed
solution?

Jose, can you look into updating your patch accordingly?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[wenzong fan]

On 01/10/2018 01:01 AM, Patrick Ohly wrote:
> On Fri, 2018-01-05 at 01:07 +0000, Fan, Wenzong wrote:
>> It works and will override the labels of home dir that SELinux
>> applied, that's the issue.
>>
>> For SELinux enabled system, the user's home dir should have lavel
>> 'user_home_dir_t' instead of 'etc_t', it prevents users from creating
>> files in their home dir.
> 
> Sounds like the "copy xattr" function needs to become a bit smarter: it
> needs to understand some of the semantic involved and skip those
> SELinux xattrs that are always meant to be set dynamically by the
> running kernel.
> 
> Wenzong, which xattrs are those? Do you agree with the proposed
> solution?

The xattr for selinux is "security.selinux":

$ getfattr -n security.selinux /home/t1
security.selinux="user_u:object_r:user_home_dir_t:s0-s15:c0.c1023"

I think the "attr_copy_file()" is doing right thing, but it should be 
used in a limited situation, such as only for Smack ...

Thanks
Wenzong

> 
> Jose, can you look into updating your patch accordingly?
> 

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[José Bollo]

On Wed, 10 Jan 2018 17:50:19 +0800
wenzong fan <wenzong.fan@windriver.com> wrote:

> On 01/10/2018 01:01 AM, Patrick Ohly wrote:
> > On Fri, 2018-01-05 at 01:07 +0000, Fan, Wenzong wrote:  
> >> It works and will override the labels of home dir that SELinux
> >> applied, that's the issue.
> >>
> >> For SELinux enabled system, the user's home dir should have lavel
> >> 'user_home_dir_t' instead of 'etc_t', it prevents users from
> >> creating files in their home dir.  
> > 
> > Sounds like the "copy xattr" function needs to become a bit
> > smarter: it needs to understand some of the semantic involved and
> > skip those SELinux xattrs that are always meant to be set
> > dynamically by the running kernel.
> > 
> > Wenzong, which xattrs are those? Do you agree with the proposed
> > solution?  
> 
> The xattr for selinux is "security.selinux":
> 
> $ getfattr -n security.selinux /home/t1
> security.selinux="user_u:object_r:user_home_dir_t:s0-s15:c0.c1023"
> 
> I think the "attr_copy_file()" is doing right thing, but it should be 
> used in a limited situation, such as only for Smack ...
> 
> Thanks
> Wenzong

The LSM "SELinux" is complicated enough to change label of template
files to label of instance files correctly. The approach with Smack is
different and the template files embed the expected complex hierarchy
that otherwise could only be created with a program.

A possible approach would be with smack to add a program for creating
homes. Conversely, SELinux could consider to use template approach too
instead of increasing its rules set (with templating splitted in two
parts: files and "creation" rules).

From "man 7 xattr" we know:
 - extended attributes are namespaced
 - the fully qualified name is "namespace.attribute"
 - actual namespaces are security, system, trusted, and user

A possibility would be to filter the copied extended attributes. For
SELinux we can just tell to not copy "security" attributes. See
manual of the command "tar" (recent version) that has options
--xattrs-exclude and --xattr-include.

Is there a need to copy extended attributes except for Smack?

> > Jose, can you look into updating your patch accordingly?

Perhaps yes but not now because I don't now what to do.

Best regards
Jose

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[Patrick Ohly]

On Mon, 2018-01-15 at 15:33 +0100, José Bollo wrote:
> A possibility would be to filter the copied extended attributes. For
> SELinux we can just tell to not copy "security" attributes. See
> manual of the command "tar" (recent version) that has options
> --xattrs-exclude and --xattr-include.
> 
> Is there a need to copy extended attributes except for Smack?

In theory file-based capabilities. In practice those probably don't
occur in a home directory template.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[wenzong fan]

On 01/15/2018 10:33 PM, José Bollo wrote:
> On Wed, 10 Jan 2018 17:50:19 +0800
> wenzong fan <wenzong.fan@windriver.com> wrote:
> 
>> On 01/10/2018 01:01 AM, Patrick Ohly wrote:
>>> On Fri, 2018-01-05 at 01:07 +0000, Fan, Wenzong wrote:
>>>> It works and will override the labels of home dir that SELinux
>>>> applied, that's the issue.
>>>>
>>>> For SELinux enabled system, the user's home dir should have lavel
>>>> 'user_home_dir_t' instead of 'etc_t', it prevents users from
>>>> creating files in their home dir.
>>>
>>> Sounds like the "copy xattr" function needs to become a bit
>>> smarter: it needs to understand some of the semantic involved and
>>> skip those SELinux xattrs that are always meant to be set
>>> dynamically by the running kernel.
>>>
>>> Wenzong, which xattrs are those? Do you agree with the proposed
>>> solution?
>>
>> The xattr for selinux is "security.selinux":
>>
>> $ getfattr -n security.selinux /home/t1
>> security.selinux="user_u:object_r:user_home_dir_t:s0-s15:c0.c1023"
>>
>> I think the "attr_copy_file()" is doing right thing, but it should be
>> used in a limited situation, such as only for Smack ...
>>
>> Thanks
>> Wenzong
> 
> The LSM "SELinux" is complicated enough to change label of template
> files to label of instance files correctly. The approach with Smack is
> different and the template files embed the expected complex hierarchy
> that otherwise could only be created with a program.
> 
> A possible approach would be with smack to add a program for creating
> homes. Conversely, SELinux could consider to use template approach too
> instead of increasing its rules set (with templating splitted in two
> parts: files and "creation" rules).
> 
>>From "man 7 xattr" we know:
>   - extended attributes are namespaced
>   - the fully qualified name is "namespace.attribute"
>   - actual namespaces are security, system, trusted, and user
> 
> A possibility would be to filter the copied extended attributes. For
> SELinux we can just tell to not copy "security" attributes. See
> manual of the command "tar" (recent version) that has options
> --xattrs-exclude and --xattr-include.
> 
> Is there a need to copy extended attributes except for Smack?

I incline to limit the patch only for Smack with a proper bbappend, and 
maybe we'll want a distro feature as well. Both enable SELinux and Smack 
is not a normal use case, sometimes user choice Smack is because SELinux 
is too weight for their system. (except for you know a case that Smack 
can do but SELinux can't)

About how to get Smack and SELinux work together, I'm not sure if their 
communities also considered about that. Only fix the xattr issue maybe 
not enough ...

Thanks
Wenzong

> 
>>> Jose, can you look into updating your patch accordingly?
> 
> Perhaps yes but not now because I don't now what to do.
> 
> Best regards
> Jose
> 

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[Mark Hatle]

On 1/4/18 4:41 AM, Patrick Ohly wrote:
> On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote:
>>> Do you agree to move the patch to Smack specific layer? Such as 
>>> meta-security?
>>
>> I agree.
> 
> Layers like meta-security should not modify recipes from other layers,
> at least not by default. That would violate the "Yocto Compatible 2.0"
> rules.

You can modify (bbappend) to an existing recipe.  You can't change the behavior
(specifically the md5sum) of the function though, unless that new functionality
is enabled.)

This is why we added an 'selinux' distro_feature.  The selinux layer does not
modify behavior (via bbappend) unless selinux distro is enabled.

'smack' should be able to do the same thing, with a similar distro feature.

--Mark

> Besides, it would be harder to maintain in a separate layer - for the
> maintainer of that layer.
> 
> I still think this patch belong into OE-core, even though it is then
> more work for the OE-core maintainer.
> 

Re: [PATCH] shadow: 'useradd' copies root's extended attributes

[Patrick Ohly]

On Tue, 2018-01-09 at 11:51 -0600, Mark Hatle wrote:
> On 1/4/18 4:41 AM, Patrick Ohly wrote:
> > On Thu, 2018-01-04 at 11:18 +0100, José Bollo wrote:
> > > > Do you agree to move the patch to Smack specific layer? Such
> > > > as 
> > > > meta-security?
> > > 
> > > I agree.
> > 
> > Layers like meta-security should not modify recipes from other
> > layers,
> > at least not by default. That would violate the "Yocto Compatible
> > 2.0"
> > rules.
> 
> You can modify (bbappend) to an existing recipe.  You can't change
> the behavior
> (specifically the md5sum) of the function though, unless that new
> functionality
> is enabled.)

That's what I meant with "by default".

> 'smack' should be able to do the same thing, with a similar distro
> feature.

I'm not convinced that building core components differently depending
on such distro features is desirable, because it makes "smack" and
"selinux" mutually exclusive. I'd prefer a solution where support for
both can be enabled and then on the image itself the tools decide what
to do. Whether that's always possible of course is a different
question.

In this case I think it is, by adding the exception for
security.selinux. But I'll leave that up to you and Jose to decide.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

[PATCH] shadow: 'useradd' copies root's extended attributes

[jobol]

From: José Bollo <jose.bollo@iot.bzh>

The copy of extended attributes is interesting for
Smack systems because it allows to set the security
template of the user's home directories without
modifying the tools (useradd here). But the version
of useradd that copies the extended attributes doesn't
copy the extended attributes of the root. This can make
use of homes impossible! This patch corrects the issue
by copying the extended attributes of the root directory:
/home/user will get the extended attributes of /etc/skel.

The patch is submitted upstream (see
http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html)

The existing patch specific to open-embedded is updated:
  0001-useradd.c-create-parent-directories-when-necessary.patch

Also, attr are activated for native tools.
This is needed when users are created during image creation.

Signed-off-by: José Bollo <jose.bollo@iot.bzh>
---
 ...-useradd-copy-extended-attributes-of-home.patch | 47 ++++++++++++++++++++++
 ...-create-parent-directories-when-necessary.patch | 10 ++++-
 .../allow-for-setting-password-in-clear-text.patch |  8 ++--
 meta/recipes-extended/shadow/shadow.inc            |  3 +-
 4 files changed, 61 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch

diff --git a/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
new file mode 100644
index 0000000..60a46e1
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
@@ -0,0 +1,47 @@
+From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Tue, 7 Mar 2017 16:03:03 +0100
+Subject: [PATCH] useradd: copy extended attributes of home
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Home directory wasn't getting the extended attributes
+of /etc/skel. This patch fixes that issue and adds the copy
+of the extended attributes of the root of the home directory.
+
+Upstream-Status: Submitted [http://lists.alioth.debian.org/pipermail/pkg-shadow-commits/2017-March/003804.html]
+
+Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/useradd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a8a1f76..8aefb9c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -52,6 +52,9 @@
+ #include <sys/stat.h>
+ #include <sys/types.h>
+ #include <time.h>
++#ifdef WITH_ATTR
++#include <attr/libattr.h>
++#endif
+ #include "chkname.h"
+ #include "defines.h"
+ #include "faillog.h"
+@@ -1915,6 +1918,9 @@ static void create_home (void)
+ 		chown (user_home, user_id, user_gid);
+ 		chmod (user_home,
+ 		       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++		attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
+ 		home_added = true;
+ #ifdef WITH_AUDIT
+ 		audit_logger (AUDIT_ADD_USER, Prog,
+-- 
+2.9.3
+
diff --git a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
index 85dde8e..2f084b4 100644
--- a/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
+++ b/meta/recipes-extended/shadow/files/0001-useradd.c-create-parent-directories-when-necessary.patch
@@ -11,7 +11,7 @@ diff --git a/src/useradd.c b/src/useradd.c
 index 4bd969d..cb5dd6c 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -1893,6 +1893,35 @@ static void usr_update (void)
+@@ -1896,6 +1896,35 @@ static void usr_update (void)
  }
  
  /*
@@ -47,7 +47,7 @@ index 4bd969d..cb5dd6c 100644
   * create_home - create the user's home directory
   *
   *	create_home() creates the user's home directory if it does not
-@@ -1907,36 +1936,33 @@ static void create_home (void)
+@@ -1910,39 +1939,36 @@ static void create_home (void)
  			fail_exit (E_HOMEDIR);
  		}
  #endif
@@ -67,6 +67,9 @@ index 4bd969d..cb5dd6c 100644
 -		chown (user_home, user_id, user_gid);
 -		chmod (user_home,
 -		       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+-#ifdef WITH_ATTR
+-		attr_copy_file (def_template, user_home, NULL, NULL);
+-#endif
 -		home_added = true;
 +		mkdir_p(user_home);
 +	}
@@ -88,6 +91,9 @@ index 4bd969d..cb5dd6c 100644
 +	chown (user_home, user_id, user_gid);
 +	chmod (user_home,
 +	       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++	attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
 +	home_added = true;
 +#ifdef WITH_AUDIT
 +	audit_logger (AUDIT_ADD_USER, Prog,
diff --git a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
index 68da25f..615c6e0 100644
--- a/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
+++ b/meta/recipes-extended/shadow/files/allow-for-setting-password-in-clear-text.patch
@@ -118,7 +118,7 @@ diff --git a/src/useradd.c b/src/useradd.c
 index b3bd451..4416f90 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -773,6 +773,7 @@ static void usage (int status)
+@@ -776,6 +776,7 @@ static void usage (int status)
  	(void) fputs (_("  -o, --non-unique              allow to create users with duplicate\n"
  	                "                                (non-unique) UID\n"), usageout);
  	(void) fputs (_("  -p, --password PASSWORD       encrypted password of the new account\n"), usageout);
@@ -126,7 +126,7 @@ index b3bd451..4416f90 100644
  	(void) fputs (_("  -r, --system                  create a system account\n"), usageout);
  	(void) fputs (_("  -R, --root CHROOT_DIR         directory to chroot into\n"), usageout);
  	(void) fputs (_("  -s, --shell SHELL             login shell of the new account\n"), usageout);
-@@ -1047,6 +1048,7 @@ static void process_flags (int argc, char **argv)
+@@ -1050,6 +1051,7 @@ static void process_flags (int argc, char **argv)
  			{"no-user-group",  no_argument,       NULL, 'N'},
  			{"non-unique",     no_argument,       NULL, 'o'},
  			{"password",       required_argument, NULL, 'p'},
@@ -134,7 +134,7 @@ index b3bd451..4416f90 100644
  			{"system",         no_argument,       NULL, 'r'},
  			{"root",           required_argument, NULL, 'R'},
  			{"shell",          required_argument, NULL, 's'},
-@@ -1059,9 +1061,9 @@ static void process_flags (int argc, char **argv)
+@@ -1062,9 +1064,9 @@ static void process_flags (int argc, char **argv)
  		};
  		while ((c = getopt_long (argc, argv,
  #ifdef WITH_SELINUX
@@ -146,7 +146,7 @@ index b3bd451..4416f90 100644
  #endif				/* !WITH_SELINUX */
  		                         long_options, NULL)) != -1) {
  			switch (c) {
-@@ -1227,6 +1229,9 @@ static void process_flags (int argc, char **argv)
+@@ -1230,6 +1232,9 @@ static void process_flags (int argc, char **argv)
  				}
  				user_pass = optarg;
  				break;
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index e59ff64..25283a9 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -15,6 +15,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
            file://fix-installation-failure-with-subids-disabled.patch \
            file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
            file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
+           file://0001-useradd-copy-extended-attributes-of-home.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
            "
 
@@ -76,7 +77,7 @@ PAM_PLUGINS = "libpam-runtime \
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}"
-PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-native ??= "${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)}"
 PACKAGECONFIG_class-nativesdk = ""
 PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"
-- 
2.9.3