From 13e401a61631523602dac1cde6098ba347830182 Mon Sep 17 00:00:00 2001 From: adrian15 Date: Sat, 13 Jul 2024 12:24:50 +0200 Subject: [PATCH] Add SELinux support Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). This commit: - Adds extended attributes to the squashfs filesystem so that SELinux can be properly supported - Adds the needed SELinux packages so that SELinux can work in the squashfs Debian GNU/Linux system - Adds the proper kernel command line parameters to enable SELinux according to the chosen enforced or permissive mode. All of that combined lets you either: - Harden your live system ( `--selinux enforced` ) - Enables you to interact with other SELinux filesystems without hardening the live system ( `--selinux permissive` ). - enforced mode means that the system will not allow a program/process to interact with a file with which it does not have the proper filesystem permission (based on SELinux extended attributes). - permissive mode means that the system will allow program/process to interact with a file with which it does not have the proper filesystem permission (based on SELinux extended attributes). This SELinux policy infringement will be logged though so that it can be properly fixed if needed. Default mode is `disable`. --- functions/configuration.sh | 40 +++++++++++++++++++++++++++ manpages/en/lb_config.1 | 4 +++ scripts/build/binary_rootfs | 42 +++++++++++++++++++++++++++++ scripts/build/chroot | 1 + scripts/build/chroot_selinux | 52 ++++++++++++++++++++++++++++++++++++ scripts/build/config | 11 +++++++- 6 files changed, 149 insertions(+), 1 deletion(-) create mode 100755 scripts/build/chroot_selinux diff --git a/functions/configuration.sh b/functions/configuration.sh index 1584fff52..4dd1be6b8 100755 --- a/functions/configuration.sh +++ b/functions/configuration.sh
@@ -403,6 +403,30 @@ Prepare_config () ;; esac + LB_SELINUX="${LB_SELINUX:-disable}" + + case "${LB_SELINUX}" in + enforced) + SELINUX_ENFORCED_CMDLINE="selinux=1 security=selinux enforcing=1" + if ! echo "${LB_BOOTAPPEND_LIVE}" | grep -q "${SELINUX_ENFORCED_CMDLINE}" + then + LB_BOOTAPPEND_LIVE="${LB_BOOTAPPEND_LIVE} ${SELINUX_ENFORCED_CMDLINE}" + fi + ;; + + permissive) + SELINUX_PERMISSIVE_CMDLINE="selinux=1 security=selinux enforcing=0" + if ! echo "${LB_BOOTAPPEND_LIVE}" | grep -q "${SELINUX_PERMISSIVE_CMDLINE}" + then + LB_BOOTAPPEND_LIVE="${LB_BOOTAPPEND_LIVE} ${SELINUX_PERMISSIVE_CMDLINE}" + fi + ;; + + disable) + ;; + + esac + local _LB_BOOTAPPEND_PRESEED if [ -n "${LB_DEBIAN_INSTALLER_PRESEEDFILE}" ] then @@ -740,6 +764,11 @@ Validate_config_permitted_values () exit 1 fi + if ! In_list "${LB_SELINUX}" enforced permissive disable; then + Echo_error "You have specified an invalid value for LB_SELINUX (--selinux)." + exit 1 + fi + if ! In_list "${LB_SOURCE_IMAGES}" iso netboot tar hdd; then Echo_error "You have specified an invalid value for LB_SOURCE_IMAGES (--source-images)." exit 1 @@ -802,6 +831,17 @@ Validate_config_dependencies () fi fi + if In_list "${LB_SELINUX}" permissive enforced; then + if [ "${LB_CHROOT_FILESYSTEM}" != "squashfs" ]; then + Echo_error "You have selected values of LB_SELINUX and LB_CHROOT_FILESYSTEM which are incompatible. SELinux only supports squashfs as the chroot filesystem." + exit 1 + fi + fi + + if [ "${LB_SELINUX}" = "enforced" ]; then + Echo_warning "A value of 'enforced' for option LB_SELINUX is known not to boot onto an usable Live CD." + fi + Validate_http_proxy } diff --git a/manpages/en/lb_config.1 b/manpages/en/lb_config.1 index c51d5781e..a157e59dd 100644 --- a/manpages/en/lb_config.1 +++ b/manpages/en/lb_config.1 @@ -205,6 +205,8 @@ [\fB\-\-quiet\fR] .br [\fB\-\-security\fR true|false] +.br + [\fB\-\-selinux\fR Ienforced|permissive|disable] .br [\fB\-\-source\fR true|false] .br 
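Review bot: The duplicate check in the `enforced` and `permissive` branches of Prepare_config only matches the whole three-token string, so an `enforcing=0` or `selinux=0` already present in LB_BOOTAPPEND_LIVE goes unnoticed and the new tokens are appended next to it. If the expanded LB_BOOTAPPEND_LIVE is written back to the saved configuration (not visible in this hunk), switching a tree from `--selinux enforced` to `permissive` would leave both `enforcing=1` and `enforcing=0` on the kernel command line, and switching to `disable` would leave SELinux turned on. I would test the tokens individually before appending, for example `case " ${LB_BOOTAPPEND_LIVE} " in *" enforcing="*|*" selinux="*) Echo_warning "LB_BOOTAPPEND_LIVE already sets SELinux boot parameters" ;; esac`, and declare the two `SELINUX_*_CMDLINE` variables `local` like `_LB_BOOTAPPEND_PRESEED` below them. Prepare_config starts and ends outside the hunk.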
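Review bot: The `Echo_warning` added to Validate_config_dependencies tells the user that `enforced` does not boot into a usable image but lets the build continue and names no alternative, while the commit message presents `--selinux enforced` as the hardening option. Since `permissive` only logs denials and does not block them, the text should say so, for example `Echo_warning "LB_SELINUX=enforced is known not to boot into a usable live system; 'permissive' boots but only logs policy violations."`. The function starts outside the hunk.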
@@ -438,6 +440,8 @@ sets the location of the mirror that will be used to fetch the debian installer reduces the verbosity of messages output by \fBlb build\fR. .IP "\fB\-\-security\fR true|false" 4 defines if the security repositories specified in the security mirror options should be used or not. +.IP "\fB\-\-selinux\fR \fIenforced|permissive|disable\fR" 4 +enables with enforcing or not Secure Enhanced Linux (SELinux). By default, this is set to disabled. .IP "\fB\-\-source\fR true|false" 4 defines if a corresponding source image to the binary image should be built. By default this is false because most people do not require this and it involves downloading quite a few source packages. However, if you distribute your live image to others, you should make sure you build it with a source image alongside to help enable you to comply with licensing terms. .IP "\fB\-s\fR|\fB\-\-source\-images\fR iso|netboot|tar|hdd" 4 diff --git a/scripts/build/binary_rootfs b/scripts/build/binary_rootfs index 080ee158e..cfea958b4 100755 --- a/scripts/build/binary_rootfs +++ b/scripts/build/binary_rootfs @@ -263,6 +263,16 @@ case "${LB_CHROOT_FILESYSTEM}" in squashfs) # Checking depends Check_package chroot /usr/share/doc/squashfs-tools squashfs-tools + case "${LB_SELINUX}" in + enforced|permissive) + Check_package host /sbin/setfiles policycoreutils + Check_package host /etc/selinux/default/contexts/files/file_contexts selinux-policy-default + ;; + + disable) + ;; + + esac # Restoring cache Restore_package_cache binary @@ -323,6 +333,16 @@ case "${LB_CHROOT_FILESYSTEM}" in MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}" fi + case "${LB_SELINUX}" in + enforced|permissive) + MKSQUASHFS_OPTIONS="-xattrs ${MKSQUASHFS_OPTIONS}" + ;; + + disable) + ;; + + esac + case "${LB_BUILD_WITH_CHROOT}" in true) if [ -e config/rootfs/excludes ] 
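Review bot: In the binary_rootfs `squashfs)` branch the labels come from the build host's `/etc/selinux/default/contexts/files/file_contexts`, not from the policy that chroot_selinux installs into the image; the `setfiles` calls in the two later hunks of this file (the LB_BUILD_WITH_CHROOT true and false branches) read the same host path. When host and target releases differ, the image can end up labelled with contexts that its own policy does not define, which matters most in `enforced` mode. Pointing setfiles at the chroot's copy, `setfiles -F -r chroot chroot/etc/selinux/default/contexts/files/file_contexts chroot` (and the `chroot/chroot` equivalent), would remove the need for the second `Check_package host` line; this assumes selinux-policy-default is already installed in the chroot at this stage, which should be confirmed.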
@@ -332,6 +352,17 @@ case "${LB_CHROOT_FILESYSTEM}" in MKSQUASHFS_OPTIONS="-wildcards -ef /excludes ${MKSQUASHFS_OPTIONS}" fi + case "${LB_SELINUX}" in + enforced|permissive) + # TODO: Since bookworm parallel relabelling with -T 0 is possible and faster + setfiles -F -r chroot/chroot /etc/selinux/default/contexts/files/file_contexts chroot/chroot + ;; + + disable) + ;; + + esac + # Create image Chroot chroot "nice -n 17 mksquashfs chroot filesystem.squashfs ${MKSQUASHFS_OPTIONS}" @@ -368,6 +399,17 @@ case "${LB_CHROOT_FILESYSTEM}" in MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}" fi + case "${LB_SELINUX}" in + enforced|permissive) + # TODO: Since bookworm parallel relabelling with -T 0 is possible and faster + setfiles -F -r chroot /etc/selinux/default/contexts/files/file_contexts chroot + ;; + + disable) + ;; + + esac + nice -n 19 mksquashfs chroot binary/${INITFS}/filesystem.squashfs ${MKSQUASHFS_OPTIONS} ;; esac diff --git a/scripts/build/chroot b/scripts/build/chroot index a0aa10be0..f66f0c6d0 100755 --- a/scripts/build/chroot +++ b/scripts/build/chroot @@ -37,6 +37,7 @@ lb chroot_prep install all mode-archives-chroot "${@}" lb chroot_linux-image "${@}" lb chroot_firmware "${@}" lb chroot_preseed "${@}" +lb chroot_selinux "${@}" lb chroot_includes_before_packages "${@}" for _PASS in install live; do diff --git a/scripts/build/chroot_selinux b/scripts/build/chroot_selinux new file mode 100755 index 000000000..c884928d9 --- /dev/null +++ b/scripts/build/chroot_selinux 
@@ -0,0 +1,52 @@ +#!/bin/sh + +## live-build(7) - System Build Scripts +## Copyright (C) 2016-2020 The Debian Live team +## Copyright (C) 2006-2015 Daniel Baumann +## +## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING. +## This is free software, and you are welcome to redistribute it +## under certain conditions; see COPYING for details. + + +set -e + +# Including common functions +[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh + +# Setting static variables +DESCRIPTION="Schedule SELinux packages for installation" +USAGE="${PROGRAM} [--force]" + +# Processing arguments and configuration files +Init_config_data "${@}" + +# Requiring stage file +Require_stagefiles config bootstrap + +case "${LB_SELINUX}" in + enforced|permissive) + Echo_message "Begin scheduling SELinux installation..." + + # Checking stage file + Check_stagefile + + # Acquire lock file + Acquire_lockfile + + SELINUX_CHROOT_PACKAGES="selinux-basics selinux-policy-default auditd" + + # Drop section and keep package names only + for _PACKAGE in ${SELINUX_CHROOT_PACKAGES} + do + echo $(echo ${_PACKAGE} | awk -F/ '{ print $NF }') >> chroot/root/packages.chroot + done + ;; + + disable) + ;; + +esac + +# Creating stage file +Create_stagefile diff --git a/scripts/build/config b/scripts/build/config index 8b8010acb..07c56f3c6 100755 --- a/scripts/build/config +++ b/scripts/build/config @@ -116,6 +116,7 @@ USAGE="${PROGRAM} [--apt apt|apt-get|aptitude]\n\ \t [--parent-mirror-debian-installer URL]\n\ \t [--quiet]\n\ \t [--security true|false]\n\ +\t [--selinux enforced|permissive|disable]\n\ \t [--source true|false]\n\ \t [-s|--source-images iso|netboot|tar|hdd]\n\ \t [--swap-file-path PATH]\n\ 
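Review bot: In the new scripts/build/chroot_selinux, `Check_stagefile` and `Acquire_lockfile` run only inside the `enforced|permissive` branch while `Create_stagefile` runs unconditionally after `esac`, so a `disable` build records the stage as done without ever checking it. If Check_stagefile skips a stage whose file already exists (its definition is not on this page), a tree first built with `disable` would not schedule the packages after switching to `permissive`; an early `exit 0` for `disable` before any stage-file handling would avoid that. The package loop can also be reduced to `echo "${_PACKAGE}" >> chroot/root/packages.chroot`, because the names in SELINUX_CHROOT_PACKAGES carry no section prefix for awk to strip and the unquoted expansions are unnecessary.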
@@ -171,7 +172,7 @@ Local_arguments () parent-mirror-chroot:,parent-mirror-chroot-security:, parent-mirror-debian-installer:, quiet, - security:,source:,source-images:,swap-file-path:,swap-file-size:,system:, + security:,selinux:,source:,source-images:,swap-file-path:,swap-file-size:,system:, tasksel:, uefi-secure-boot:,updates:,utc-time:,usage, validate,verbose,version, @@ -780,6 +781,11 @@ Local_arguments () shift 2 ;; + --selinux) + LB_SELINUX="${2}" + shift 2 + ;; + --source) LB_SOURCE="${2}" shift 2 @@ -1311,6 +1317,9 @@ LB_SWAP_FILE_SIZE="${LB_SWAP_FILE_SIZE}" # Enable/disable UEFI secure boot support LB_UEFI_SECURE_BOOT="${LB_UEFI_SECURE_BOOT}" + +# Enforce/disable SELinux +LB_SELINUX="${LB_SELINUX}" EOF # Creating lb_source_* configuration
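Review bot: The comment written into the generated configuration in the last hunk of scripts/build/config, `# Enforce/disable SELinux`, leaves out the third accepted value. I would write `# SELinux mode (enforced|permissive|disable)` so the saved file documents the same values that Validate_config_permitted_values accepts.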