[Toybox] Using toybox for poking around weird namespaces?

Sat Oct 25 22:31:53 PDT 2014

On Oct 25, 2014 9:20 PM, "Rob Landley" <rob at landley.net> wrote:
>
> On 10/25/14 10:28, stephen Turner wrote:
> > Isnt part of the idea behind kiss is security? And if you were to
> > include selinux wouldnt you want to reduce that code as well?
>
> Yes, but "all or none" is the easiest granularity.
>
> If we have a thing in toybox to set selinux entries (which this
> apparently does), then we should at least have code in cp/mv to preserve
> them, and code in "ls" to display them. (I'm reluctant to have _partial_
> support for something, which is by itself useless.)
>

Setpriv just asks for context transitions on exec.  It doesn't deal with
file labels at all.

> I honestly don't know what the rest of the minimum support criteria
> _are_. I suppose I could grep busybox to see which command names it
> shows up in there. My own experience with it was either figuring out how
> to phrase "noselinux" for the system at hand, or leaving it as somebody
> else's problem for sysadmin du jour who wanted it.
>
> The thing is: often you have to know a problem domain really well in
> order to say what the minimal set of required functionality actually
> _is_. I do not know selinux that well. I have a decent understanding of
> classic unix security and I think that _is_ the minimal subset. (Modulo
> groups being sort of a legacy feature, especially once containers go in.)

You need whatever command changes file labels plus something to load
policy.  I have no idea how the latter works.  The standard tools are
*huge*.

>
> I want to add container support on top of classic unix security, but
> unfortunately the people implementing it have a hammer (capabilities!
> selinux! extended attributes! systemd!) and thus will _find_ excuses to
> use this crap despite its seeming uselessness...

Huh?  The *kernel* people seem to dislike these hammers for the most part.

>
> Possibly containers _don't_ actually need this mess. I really hope not.
> But I don't feel I understand the concept well enough to go all:
>
> http://www.girlgeniusonline.com/comic.php?date=20030625
>
> on it yet. (It sounds like Andy may already have done so, but I need to
> learn more to evaluate it.)

You can do credible containers with no LSM and with almost no special
capability stuff at all.  Either you have one uid and no capabilities at
all after exec, or you have extra uids and one is the in-container
root-like user.

For the latter, toybox should consider implementing newuidmap(1).  It's a
pretty straightforward tool.

--Andy

>
> But I've kinda been hip-deep in sed this past week...
>
> Rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20141025/dd772756/attachment-0004.htm>