Date:	Fri, 18 Sep 2015 12:07:43 +1000
From:	Matthew Cengia <mattcen@...er.com.au>
To:	linux-kernel@...r.kernel.org
Cc:	Matthew Cengia <mattcen@...il.com>,
	"Trent W. Buck" <twb@...er.com.au>
Subject: overlayfs+selinux error: OPNOTSUPP

Hi all,

Please CC me directly when responding, as I'm not subscribed to the
mailing list.


Summary
-------
I deploy diskless Debian kiosks in prisons, for use by inmates.
As part of the Debian 7 to 8 upgrade, I want to enable SELinux.
My initrd uses overlayfs to combine a ro squashfs and a rw tmpfs.

When I add SELinux into the mix, I get a lot of EOPNOTSUPP.


Long and boring history
-----------------------
I was happy with Debian 7 / Linux 3.16 / sysvinit / aufs.
Then, new hardware arrived, which needed a newer Xorg.
So I had to switch to Debian 8 / Linux 3.16.
Debian 8 defaults to systemd, so I went with that.

I used to put $XDG_RUNTIME_DIR under a /tmp mounted -onoexec.
Systemd v215 is hard-coded to mount $XDG_RUNTIME_DIR as a dedicated tmpfs,
and provides no way to mount/remount it with -onoexec.

    src/login/logind-user.c:336:user_mkdir_runtime_path()

When I complained about this, regulars on #systemd on Freenode said:

    Just use SELinux, already!
    -o noexec might break something, and it won't stop interpreters.

...which was mostly reasonable.
So adopting SELinux was reprioritized from "some day" to "right now!"

aufs doesn't support SELinux, so I had to switch to overlayfs.
So now my target is Debian 8 / Linux 4.1 / systemd / overlayfs / SELinux.


Current problem
---------------
When I built & booted that combination, hostnames didn't resolve.

The initrd uses klibc ipconfig as a DHCP client,
then tries to create /etc/resolv.conf in the rootfs.
(This happens before switch_root.)

When SELinux is enabled, resolv.conf can't be opened for writing.
The attached strace (output.txt) shows open(2) gets EOPNOTSUPP.


Tests completed
---------------
This problem *ONLY* occurs in the initrd,
which is *BEFORE* the SELinux policy loads.
I'm not sure if this is relevant.

This problem *DOES NOT* occur if the file/directory being written to
already exists in the read/write portion of the overlay mount before the
overlayfs is mounted. I've attached a script to demonstrate this.

Booting the kernel with permissive=1 *DOES NOT* prevent the problem.


Test script
-----------
Attached is a script called 'bootstrap'.
When run on a Debian Jessie system with debootstrap, squashfs-tools, and kvm installed,
and selinux installed and enabled (even if it's in permissive mode),
'bootstrap' will:

 * Mount a tmpfs without -o nodev at /tmp/bootstrap/live, to build in;
 * Build an SOE in /tmp/bootstrap/live/;
 * Create a squashfs of the built system;
 * Leave the squashfs, kernel, and initrd in /tmp/bootstrap/live/boot/; and
 * Start up a VM using KVM to demonstrate the behaviour.

The script that the initrd runs does several things, all of which are
detailed within the script, and in output.txt; look for lines
containing '-->'.

output.txt contains a full KVM run of the system exhibiting the problem,
in which I've also run an 'strace touch' to demonstrate the failing
syscall.


Help?
-----
How can I set about debugging this problem further?
Has anybody dealt with this before?
How can I solve (or workaround) this problem?

-- 
Regards,
Matthew Cengia

View attachment "bootstrap" of type "text/plain" (4599 bytes)

View attachment "output.txt" of type "text/plain" (4639 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (967 bytes)
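Added example (not from the post or its attachments, and not the 'bootstrap' script or output.txt): a small C probe that reproduces the checks described above without strace. It issues the same open(2) with O_CREAT that 'touch' on a new path does and classifies the errno, separately opens an already-existing file for writing (the case the report says works when the file was already in the rw layer), and prints the directory's security.selinux label, since the failure is reported to happen in the initrd before the policy loads. All function and file names here are my own; build it with gcc -static if it is to run from the initrd, and point it at the merged overlay root's /etc and at the same path in the upper tmpfs to see which layer refuses the create.

```c
/* overlay_probe.c: added diagnostic for the EOPNOTSUPP report above.
 * Not code from the post or its attachments; helper names are assumed.
 * Usage: ./overlay_probe [dir-to-create-in] [existing-file-to-open]
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

enum probe_result { PROBE_OK = 0, PROBE_EOPNOTSUPP = 1, PROBE_OTHER = 2 };

static enum probe_result classify(int err)
{
    return err == EOPNOTSUPP ? PROBE_EOPNOTSUPP : PROBE_OTHER;
}

/* The syscall "touch newfile" issues: open(2) with O_CREAT on a path that
 * does not exist yet. Cleans up after itself. saved_errno may be NULL. */
enum probe_result probe_create_new(const char *dir, int *saved_errno)
{
    char path[PATH_MAX];
    int fd, err;

    if (dir == NULL) {
        if (saved_errno) *saved_errno = EINVAL;
        return PROBE_OTHER;
    }
    snprintf(path, sizeof path, "%s/.overlay-probe-%ld", dir, (long)getpid());
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) {
        err = errno;
        if (saved_errno) *saved_errno = err;
        return classify(err);
    }
    close(fd);
    unlink(path);
    if (saved_errno) *saved_errno = 0;
    return PROBE_OK;
}

/* Open an existing file for writing, no O_CREAT: the case the report says
 * works when the file was already present in the rw upper layer. */
enum probe_result probe_open_existing(const char *path, int *saved_errno)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) {
        int err = errno;
        if (saved_errno) *saved_errno = err;
        return classify(err);
    }
    close(fd);
    if (saved_errno) *saved_errno = 0;
    return PROBE_OK;
}

/* Copy the security.selinux xattr of path into buf as a C string.
 * Returns its length, or -errno (-ENODATA when unlabeled, -EOPNOTSUPP
 * when the filesystem does not support the xattr at all). */
ssize_t read_selinux_label(const char *path, char *buf, size_t len)
{
    ssize_t n = lgetxattr(path, "security.selinux", buf, len - 1);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    return n;
}

/* Scratch directory for self-tests ($TMPDIR or /tmp); NULL on error.
 * The directory is left behind for the caller to remove. */
const char *probe_tmpdir(void)
{
    static char tmpl[PATH_MAX];
    const char *base = getenv("TMPDIR");
    snprintf(tmpl, sizeof tmpl, "%s/overlay-probe-XXXXXX", base ? base : "/tmp");
    return mkdtemp(tmpl);
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/etc";
    char label[256];
    int err;
    ssize_t n = read_selinux_label(dir, label, sizeof label);

    if (n >= 0)
        printf("%s: security.selinux=%s\n", dir, label);
    else
        printf("%s: no security.selinux label (%s)\n", dir, strerror((int)-n));

    if (probe_create_new(dir, &err) == PROBE_OK)
        printf("create new file in %s: ok\n", dir);
    else
        printf("create new file in %s: %s%s\n", dir, strerror(err),
               err == EOPNOTSUPP ? "  <-- the reported failure" : "");

    if (argc > 2) {
        if (probe_open_existing(argv[2], &err) == PROBE_OK)
            printf("open existing %s for writing: ok\n", argv[2]);
        else
            printf("open existing %s for writing: %s\n", argv[2], strerror(err));
    }
    return 0;
}
```

Running it once against the merged root and once against the upper tmpfs directory, before and after the policy is loaded, separates "the overlay refuses the create" from "the tmpfs itself refuses it", which is the distinction the questions at the end of the post need answered first.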
