[yocto] [meta-selinux][PATCHv2 0/8] Label file system in build.

Philip Tricca flihp at twobit.us
Mon Aug 10 22:40:52 PDT 2015


On 08/10/2015 09:10 PM, Philip Tricca wrote:
> On 08/08/2015 02:00 PM, Joe MacDonald wrote:
>> I'm sorry this has been in the merge queue for so long.
> 
> Better late than never :)
> 
>> I've merged it
>> after taking the policy updates from Shrikant and a few other small
>> patches that had been hanging around too.  I didn't drop it on master
>> yet, though, since I wanted to give everyone else a little bit of time
>> to try it out (myself included, I'm finally able to come up for air on
>> some of the day job things :-)).  Instead it is currently living on the
>> fs_label branch, but I rebased the patches on the current master HEAD
>> commit.  That means, though, that if you get a chance I'd like to take a
>> look at the branch to ensure I didn't mangle your patch set too much.
> 
> Will do.

Built and tested. Works as expected. There are a couple AVCs from
rpcbind related to stuff in /tmp but those are present in the master
branch so they're not related.

Philip

>> [[meta-selinux][PATCHv2 0/8] Label file system in build.] On 15.06.17 (Wed 15:30) Philip Tricca wrote:
>>
>>> This is the second version of a patch series that allows the file system
>>> of SELinux images to be labeled as part of the build process. This will
>>> allow SELinux images to boot read only file systems and remove the need to
>>> label the file system on first boot.
>>>
>>> To do this we must label the file system in the build as well as add
>>> support for extended attributes to the mke2fs utility in the e2fsprogs
>>> package. The first version of this patch series is here:
>>> https://lists.yoctoproject.org/pipermail/yocto/2015-June/025141.html
>>> The approach described in this previous RFC remains the same.
>>>
>>> Changes in v2:
>>> This second version has two significant changes: First I've done a bunch
>>> of cleanup. This includes work to make the descriptions in the patch
>>> headers / commit messages more exact as well as combining some commits
>>> with related functionality. Secondly I've reimplemented the xattr cache
>>> so that it actually works.
>>>
>>> I've made the patch headers as descriptive as possible and kept the git
>>> commit messages minimal. If the preference is for more verbose commit
>>> messages I'm happy to oblige if advised.
>>>
>>> The cache is just a single linked list that's searched for duplicates after
>>> the creation of each new xattr block. The previous implementation was similar
>>> but, aside from not working properly, it was overly complex in its attempt to
>>> keep the list sorted.
>>>
>>> Tests:
>>> To test this new implementation I used the core-image-selinux-minimal image
>>> from the unmodified master branch as a control. This image has 2536 unique
>>> file system objects including the root fs directory. The ext4 file system
>>> produced by the build has 71492 blocks with 13621 free.
>>>
>>> As an additional test I added the patches from this set WITHOUT the cache
>>> patches. This causes each file system object with an associated extended
>>> attribute to use up an additional block for the xattr. This should cause
>>> (hypothesis) the output file system to have 13621 - 2536 = 11085 free
>>> blocks. The build produced an ext4 file system with 71492 blocks and 11088
>>> free. That's an additional 2533 blocks used instead of the 2536 expected.
>>> These 3 missing xattr blocks can be accounted for in that there are 3
>>> unlabeled files in the file system.
>>>
>>> Introducing the cache allows files with identical xattr blocks to share
>>> them to reduce the number of used blocks. Since we're only storing SELinux
>>> labels in the xattrs we can say that every file with the same SELinux label
>>> should share an xattr block. Counting the unique SELinux labels on file
>>> objects we know that there are 83 in total. The second hypothesis we have
>>> to test then is that using the cache will reduce the number of used blocks
>>> from 2533 down to 83.
>>>
>>> Applying the patch that enables the cache produces a third and final ext4
>>> file system. This one again reports 71492 total blocks but this time 13538
>>> free. This is 83 blocks fewer than the unlabeled file system from the
>>> initial test as we expected. The code added by this patch set is also
>>> instrumented to count the objects in the cache when they're freed. With
>>> this debug output enabled it reports the same number of objects in the
>>> cache.
>>>
>>> From the test results I'm pretty confident that the cache functions as
>>> expected. It's still a very basic implementation but given the small
>>> number of unique SELinux labels in the reference file systems it's
>>> likely sufficient for a first version. Feedback / comments on both the
>>> implementation and testing approach would be appreciated.
>>>
>>> Regards,
>>> Philip
>>> ----
>>>
>>> Philip Tricca (8):
>>>   policycoreutils: Patch setfiles to add FTS_NOCHDIR to fts_flags.
>>>   selinux-image: Add new image class to label the rootfs, use it for
>>>     selinux images.
>>>   e2fsprogs: Add bbappend and stub for xattr module.
>>>   e2fsprogs: Insert calls to xattr module into mke2fs and build xattr
>>>     code.
>>>   e2fsprogs: Add xattr security prefix data to
>>>     lib/ext2fs/ext2_ext_attr.h
>>>   e2fsprogs: Copy xattr block from source file.
>>>   e2fsprogs: Add stub functions for an xattr cache and struct to hold
>>>     the header and block data.
>>>   e2fsprogs: Implement xattr block cache with simple linked list.
>>>
>>>  classes/selinux-image.bbclass                      |   8 +
>>>  ...ib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch |  20 ++
>>>  .../misc-xattr-add-xattr-module-stub.patch         |  57 ++++
>>>  .../misc-xattr-create-xattr-block-node.patch       | 175 +++++++++++
>>>  .../e2fsprogs/misc-xattr-create-xattr-block.patch  | 341 +++++++++++++++++++++
>>>  .../e2fsprogs/misc-xattr-create-xattr-cache.patch  | 181 +++++++++++
>>>  .../mke2fs.c-create_inode.c-copy-xattrs.patch      | 164 ++++++++++
>>>  .../e2fsprogs/e2fsprogs_1.42.9.bbappend            |  10 +
>>>  .../images/core-image-selinux-minimal.bb           |   2 +-
>>>  recipes-security/images/core-image-selinux.bb      |   2 +-
>>>  .../policycoreutils-fts_flags-FTS_NOCHDIR.patch    |  25 ++
>>>  recipes-security/selinux/policycoreutils_2.3.bb    |   1 +
>>>  12 files changed, 984 insertions(+), 2 deletions(-)
>>>  create mode 100644 classes/selinux-image.bbclass
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-add-xattr-module-stub.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-block-node.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-block.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-cache.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/mke2fs.c-create_inode.c-copy-xattrs.patch
>>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bbappend
>>>  create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fts_flags-FTS_NOCHDIR.patch
>>>
> 
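Added here as a stand-alone model of the cache the cover letter describes (a single linked list scanned for a duplicate before a new xattr block is created), not the e2fsprogs patch code: the block numbers, the allocator and the label table are constructed, and the returned count mirrors the "objects in the cache when freed" debug output.

```c
/* Model of the cover letter's xattr block cache: a single linked list searched
 * for a duplicate before a new xattr block is created, so every file carrying
 * the same security.selinux value shares one block. Added illustration, not the
 * e2fsprogs patch code; block numbers and the label table are constructed. */
#include <stdlib.h>
#include <string.h>

struct xattr_node {
    char label[80];            /* security.selinux value stored in the block */
    unsigned long blk;         /* constructed block number */
    struct xattr_node *next;
};
struct xattr_cache { struct xattr_node *head; unsigned long next_blk; unsigned used; };

/* Return the block holding LABEL, reusing a cached block when one matches. */
static unsigned long cache_get_block(struct xattr_cache *c, const char *label)
{
    struct xattr_node *n;
    for (n = c->head; n; n = n->next)       /* linear scan for a duplicate */
        if (strcmp(n->label, label) == 0) return n->blk;
    n = calloc(1, sizeof *n);
    if (!n) exit(1);
    strncpy(n->label, label, sizeof n->label - 1);
    n->blk = c->next_blk++;                 /* only a miss consumes a block */
    n->next = c->head; c->head = n; c->used++;
    return n->blk;
}

/* Free the list and return how many entries it held (the debug count). */
static unsigned cache_free(struct xattr_cache *c)
{
    unsigned count = 0;
    while (c->head) { struct xattr_node *n = c->head; c->head = n->next; free(n); count++; }
    return count;
}

/* Constructed labels for 6 file system objects; only 3 are distinct. */
static const char *sample_labels[] = {
    "system_u:object_r:root_t:s0", "system_u:object_r:bin_t:s0", "system_u:object_r:bin_t:s0",
    "system_u:object_r:etc_t:s0",  "system_u:object_r:etc_t:s0", "system_u:object_r:bin_t:s0",
};

/* Label the sample; return blocks used if the free-time count agrees, else 0. */
unsigned label_sample(void)
{
    struct xattr_cache c = { NULL, 1000, 0 };
    for (size_t i = 0; i < sizeof sample_labels / sizeof *sample_labels; i++)
        cache_get_block(&c, sample_labels[i]);
    return cache_free(&c) == c.used ? c.used : 0;
}
```

With the cache, six labeled objects cost three xattr blocks rather than six, which is the same effect the cover letter measures (2533 blocks down to 83) on the real image.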