OXT-1696: refpolicy: General cleaning of the recipe and patches. #1270
jean-edouard merged 10 commits into OpenXT:master from
Conversation
Can we tag this PR with the ticket number for OE uprev and/or BATS improvements? |
b45f267 to c7454be
jandryuk
left a comment
Generally looks good. +370, -1321 is a nice diff stat.
    # stack smashing protection. All domains will
    # be allowed to read from /dev/urandom.
    #
    global_ssp = false
I think we want global_ssp = true. That's what policy.booleans.diff was setting.
I thought I commented on that in the commit message, I'll amend that.
global_ssp documentation says:
This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection.
It does not appear to be the case in our builds (could not find -fstack-protector*), which matches the absence of new AVCs with that Boolean set to false.
That being said, giving read permissions to /dev/urandom to all domains should not be a huge risk either. So I can switch it back and have another PR to have stack protection enabled for OpenXT machines.
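The comments above turn on whether the image's programs are actually compiled with stack protection, which decides whether global_ssp should be true. The script below is an added example (not OpenXT's code or part of this PR) of a quick rootfs audit for that question: a binary built with -fstack-protector* references the SSP runtime symbol __stack_chk_fail (and usually __stack_chk_guard), so scanning each ELF file for those names is a cheap stand-in for running readelf -s over the whole image. The rootfs path and the sample files in the test are constructed for illustration.

```python
"""
Audit an image rootfs for SSP-instrumented ELF binaries.

Added example, not OpenXT code. Heuristic: a program compiled with
-fstack-protector* references __stack_chk_fail (and often
__stack_chk_guard), and the symbol name survives in .dynstr/.strtab,
so a byte scan of the file finds it. Caveats: libc itself defines the
symbol (so it always reports True), and a fully static, stripped binary
may lose the name; treat the result as a first pass, not proof.
"""
import os
import sys

ELF_MAGIC = b"\x7fELF"
# Symbols that gcc/clang emit when -fstack-protector* is in effect.
SSP_SYMBOLS = (b"__stack_chk_fail", b"__stack_chk_guard")


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def has_ssp(path):
    """True if the ELF file references an SSP runtime symbol name."""
    with open(path, "rb") as f:
        data = f.read()
    return any(sym in data for sym in SSP_SYMBOLS)


def audit_rootfs(root):
    """Walk a rootfs; return {relative_path: has_ssp} for every regular ELF file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks (they point at files we will visit anyway) and non-ELF files.
            if os.path.islink(path) or not is_elf(path):
                continue
            results[os.path.relpath(path, root)] = has_ssp(path)
    return results


def summarize(results):
    """Return (total_elf, with_ssp, without_ssp) counts for an audit result."""
    with_ssp = sum(1 for v in results.values() if v)
    return len(results), with_ssp, len(results) - with_ssp


if __name__ == "__main__":
    # Usage: python3 ssp_audit.py /path/to/extracted/rootfs (assumed path)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    res = audit_rootfs(root)
    total, yes, no = summarize(res)
    for path, ok in sorted(res.items()):
        if not ok:
            print("no SSP:", path)
    print("%d ELF files, %d with SSP, %d without" % (total, yes, no))
```

Run it against an extracted image rootfs rather than the build host; if most binaries land in the "no SSP" list, the boolean's documented precondition is not met and global_ssp = false is the honest setting until the toolchain flags are enabled.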
During the 64bit conversion, there were a bunch of patches proposed ad-hoc adding /dev/random & /dev/urandom permissions. I submitted f52432c to avoid all the manual additions. I assumed the 64bit conversion was flipping on something that was requiring the use of urandom.
Looking back at #1101, it was quark which was reading /dev/urandom. That was probably indirectly through OpenSSL. And quark was never included. I thought there was another one, but I haven't looked hard.
If the policy works with global_ssp = false then your change is fine.
(... should really enable -fstack-protector....)
(Yes, we should) Fortunately this is made easy by OE. I'll open a PR after running a test build.
I have a test build running as well. :)
c7454be to 5010a98
V2:
5010a98 to 8b67651
No functional change. The patches mentioned no longer exist.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1696

booleans.conf and modules.conf are updated by the build-system during make conf. This is done in do_compile just before make policy by the meta-selinux policy. Since OpenXT adds policy modules for its components, keep the split configuration file (upstream vs openxt) using the same prefix and iterate over the configuration files that can be provided by the layer. The configuration files created are modules.conf and booleans.conf. Only copy the 'policy/modules' directory from the layer to avoid accidental overwrites.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1696

The upstream policy passes POLICY_* variables to EXTRA_OEMAKE to configure the build.conf of the policy. The current patch does not completely match the policy configuration passed in the recipe either.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1696

vgmch is a deprecated feature of Surfman from XenClient that is no longer shipped or available in OpenXT. Remove the associated SELinux module.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1696

get-edid and igfx_edid are two tools from XenClient retired in OpenXT. Remove the associated policy module.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1696

HTML documentation is not installed. Changing tc_sbindir is not required; the upstream recipe seems to deal fine without this patch.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1696

Documentation of the refpolicy generates an xml file. <tag> will create a new XML tag that will lack any closure, which in turn fails to generate a valid policy.xml file.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1696

This policy module duplicates the upstream tboot.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1696

Apply standard: https://openxt.atlassian.net/wiki/spaces/DC/pages/20905986/Dealing+with+quilt
No functional change.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1696

SSP does not appear to be enabled by default, so global_ssp can be switched to false until it is.
Signed-off-by: Eric Chanudet <chanudete@ainfosec.com>
OXT-1697
8b67651 to 3f22371
V3:
While working on #1259 and upgrading the OE layer, some changes in the refpolicy recipe from xenclient-oe seem to be shared.
modules.conf and booleans.conf). This lets derived policy configure, from the layer, which module to include in the built policy and switch booleans.
vgmch, txtstat, get-edid.