OpenWrt and SELinux
SELinux is a security mechanism with a lot of ability to restrict user-space compromises in various useful ways. It has also generally been considered a heavyweight option that is not suitable for more resource-restricted systems like wireless routers. Undeterred by this perception, some OpenWrt developers are adding SELinux as an option for protecting the distribution, which targets embedded devices.
A mid-September blog post from Paul Spooren gives some of the background and status. In July, W. Michael Petullo picked up some older patches from Thomas Petazzoni. Petullo updated some of that work, including switching the tools from Python 2 to Python 3; he submitted the result as a pull request (PR) for OpenWrt. On August 30, that PR was merged; a related PR from Petazzoni adding some packages to support SELinux on the distribution was merged September 12.
The SELinux feature adds a mandatory access control (MAC) mechanism to the Linux kernel. Discretionary access control (DAC) is typified by the Unix read-write-execute permissions for files based on user and group IDs. While users can make changes to DAC permissions (e.g. chmod 777 ~), MAC policies generally cannot be overridden at run time.
The MAC policies used by SELinux allow administrators to specify which applications can have access to various objects in the system, primarily files and network resources. Instead of user-based permissions, these objects get assigned security contexts describing their scope. The policies then map which objects can access other objects that have specific contexts, thus they could allow a web server to only be able to access files under a certain directory, to only be able to bind to specific network port numbers, and to be unable to initiate outbound connections. In order to change those restrictions, the root user would need to install different policy at boot time or relabel objects to have contexts that allow them to be accessed. Absent a kernel compromise, services and other processes restricted in this way should not be able to reach outside of the places where their access is confined to.
Security labels are the way that SELinux determines the context of a file object; that information is stored as an extended attribute on the files themselves. Because they live in the protected security extended attribute namespace, they cannot be changed by regular users. So the refpolicy package will label the files with their context as the image is being built.
Switching a distribution to use SELinux involves more than just enabling a kernel feature, however. As the blog post describes, the build system needed to be configured so that kernels supporting SELinux can be created. Turning on options to enable SELinux (CONFIG_KERNEL_SECURITY_SELINUX) and to allow security labels in the root filesystem (CONFIG_TARGET_ROOTFS_SECURITY_LABELS) will automatically select the refpolicy package, which will put the security labels on the files in the squashfs (or F2FS) root filesystem.
In order for SELinux to apply its policies, processes started on the system need to have a security context associated with them. That is the responsibility of the init process, but, currently, the init used for OpenWrt, procd, does not set contexts on the processes that it starts. Work on that is planned. Administrators also need to be able to examine the context associated with files, processes, and other objects, which is done using the -Z switch to utilities like ls and ps. Like most embedded distributions, OpenWrt uses BusyBox; a custom busybox-selinux package was created that configures BusyBox to add the needed support.
The initial policy being used is the reference policy
from the upstream SELinux project; "it has not been tuned
specifically for OpenWrt
", Petazzoni said. There are plans
to tweak that policy based on the specific needs of OpenWrt.
There is still more to be done, of course, but much of the underlying
infrastructure has been merged into OpenWrt at this point. As the blog post shows, it is
possible to launch a virtual machine with an SELinux-enabled OpenWrt image
and see contexts, labels, and so on. Adding support to procd for
setting contexts will provide for much of the remaining needed pieces for
basic support in OpenWrt.
In general, SELinux has not been that much of a factor in the embedded Linux world. An obvious counterexample, though, is SELinux on Android, which started small in the Android 4.x series but has since grown to be an integral part of the security landscape for the phone distribution. But embedded SELinux has been investigated for longer still, though the resource requirements have generally kept it to higher-end devices. OpenWrt supports a wide range of devices, so SELinux might just find a home in some of them.
The security landscape for home routers is generally pretty bleak; adding
SELinux protections for OpenWrt can only help with that picture. Also,
SELinux is perhaps a better fit for a router distribution than it is for,
say, Fedora systems, where the software being run is changing more
frequently and needs more tweaks to the SELinux policy in order to continue
to function. As elsewhere, of course, SELinux is no panacea, but it could
certainly improve the security for home routers and the like.
| Index entries for this article | |
|---|---|
| Security | Distribution security |
| Security | Security Enhanced Linux (SELinux) |
Posted Oct 1, 2020 7:55 UTC (Thu)
by beagnach (guest, #32987)
[Link]
Posted Oct 1, 2020 12:09 UTC (Thu)
by vadim (subscriber, #35271)
[Link] (11 responses)
The WRT54G was in 2002, and had 8 to 16MB RAM and 4MB flash. Since then hardware got a lot better, and so have the expectations of what low end hardware is expected to achieve.
SELinux might have been a bit much for the WRT54G, but I don't think it's that big of a deal for anything modern, and security became a lot more important.
SELinux also got a lot better over time. I run with it enabled on all my Fedora machines, and it's quite trouble-free these days. I've not even had to tweak anything in a long time.
Posted Oct 1, 2020 17:58 UTC (Thu)
by zoobab (guest, #9945)
[Link] (9 responses)
Time for to fork OpenWRT?
Posted Oct 1, 2020 23:55 UTC (Thu)
by xxiao (guest, #9631)
[Link]
Posted Oct 2, 2020 0:01 UTC (Fri)
by luya (subscriber, #50741)
[Link]
SELinux comes in handy to prevent potential exploits especially on embedded devices. As pointed out on this article, SELinux being part of the Linux kernel is widely deployed on Android. Thank both Fedora, Red Hat, Gentoo, Linux Foundation and such for make SELinux usable and improving the security side of the Linux kernel. Forking OperWRT just because of SELinux would turn out a complete waste of time instead of tackling the security issue
Posted Oct 2, 2020 9:06 UTC (Fri)
by mvdwege (guest, #113583)
[Link] (5 responses)
Note that in the right hands, a distribution-tuned SELinux policy should require very little intervention. On my RHEL and Fedora systems I have had to do a manual intervention on the reference policy exactly *once* in the past 12 months (although that one was a doozy, as the AVC message was filtered out by dontaudit at first).
Posted Oct 3, 2020 6:29 UTC (Sat)
by marcH (subscriber, #57642)
[Link] (4 responses)
... which is supposed to be "good" because otherwise you'd have no clue what's wrong and how to fix it.
SELinux' design issue is very simple: it's too fine grained hence too complicated, which means you have to blindly trust the very few people/SPOF in charge of configuring it. The main issue is not technical, it's about usability. That is SELinux' weakest link.
There is a much, much simpler, "defence in depth" security configuration that OpenWRT could implement first: not run almost everything as root!? Unlike SELinux every user is familiar with multiuser and rarely ever "rage quits" it as soon as something goes wrong. Hey, users understand that enough to even submit bug reports or fixes.
Posted Oct 4, 2020 10:29 UTC (Sun)
by mvdwege (guest, #113583)
[Link] (3 responses)
The problem on OpenWRT is that the distribution is doing a lot of stuff that under the classic Unix model requires root. Configuring network hardware, running services on privileged ports (e.g. DHCP and DNS). SELinux is an ideal solution to sandbox those processes. And it is in this situation, using a targeted policy, that SELinux is especially easy to define. Basically it's a permissive scenario: everything runs unconfined except certain processes, and there is a blanket rule forbidding context switches to unconfined contexts. I would also say that SELinux is not complex at all, it's just a lot of work to configure. Its basic model is simple enough, it's a 3d matrix of booleans with source context on the x axis, target context on the y axis and syscalls on the z axis, with the default value being 'deny'. Given a decent description language with some macros, and building a policy is easy, if just a bit tedious. On the gripping hand, running it in permissive mode and then smartly feeding the AVC output to audit2allow gives you a quick base to build on. As such, leaving the tedious work to the distro maintainers is as much a problem as leaving the tedious work of configuring build environments, source structures and compiling software to them.
Posted Oct 5, 2020 2:35 UTC (Mon)
by marcH (subscriber, #57642)
[Link] (2 responses)
For every situation there is saying that is patronizing and simplistic = partly wrong.
> The problem on OpenWRT is that the distribution is doing a lot of stuff that under the classic Unix model requires root. [...]
Very funny: dnsmasq does not run as root on OpenWRT. On my router everything else runs as root, including:
- ubusd / rpcd
- logd
- ntpd
- uhttpd
- dropbear (ssh)
> I would also say that SELinux is not complex at all, it's just a lot of work to configure. [...] Given a decent description language with some macros, and building a policy is easy, if just a bit tedious.
Tedious implies error-prone and as far as security is concerned a single mistake can be enough to make the system insecure.
The "building a policy" indirection is a major usability issue. In other, simpler solutions, anyone can turn off some specific setting and immediately observe the effect. This can be useful either because that setting is overly restrictive (= wrong) or to test it is actually protecting something. The interactivity is also educative and makes security everyone's business. Achieving the same with SELinux requires either hours figuring out some "3d matrix" (!) and how to build it or just turning off SELinux entirely which is unsurprisingly an FAQ. I'm afraid "building the policy" will be especially worse in the case of OpenWRT because I suspect it won't be possible to rebuild the policy on the (embedded) system itself.
> As such, leaving the tedious work to the distro maintainers is as much a problem as leaving the tedious work of configuring build environments, source structures and compiling software to them.
The risk of creating a security issue while compiling software is not zero but obviously much lower than when configuring security itself.
> SELinux is an ideal solution to sandbox those processes.
Every single security measure tries to strike a very difficult balance between security, complexity and usability and in practice none is "ideal". I admit it will be much easier to configure SELinux on a very specialized system like OpenWRT compared to some general purpose OS and it is very likely to make the system more secure however that's a lot of responsibility for the people in charge of its configuration. I sincerely hope it will be more than a couple people which would unfortunately not surprise me considering the nature of the project. I'm also surprised a much simpler, well known and not mutually exclusive approach has not been tried before, weird and again a bit worrying.
OpenWRT aside, I'm also amazed at the granularity gap between non-root accounts and SELinux. Is there really no middle-ground? What about operating systems other than Linux?
Posted Oct 19, 2020 20:53 UTC (Mon)
by dangole (guest, #142299)
[Link] (1 responses)
https://git.openwrt.org/openwrt/staging/dangole.git
So ubusd, logd and ntpd can run as non-root without being to complicated about it.
Posted Oct 20, 2020 20:53 UTC (Tue)
by marcH (subscriber, #57642)
[Link]
Posted Oct 2, 2020 13:23 UTC (Fri)
by vadim (subscriber, #35271)
[Link]
Posted Oct 6, 2020 8:54 UTC (Tue)
by etbe (subscriber, #17516)
[Link]
A large part of the size of current Linux distributions is due to most developers running systems with 8G of RAM or more and not feeling a need to save memory. If people wanted to make things smaller they could.
Posted Oct 6, 2020 8:51 UTC (Tue)
by etbe (subscriber, #17516)
[Link]
OpenWrt and SELinux
I take it there is not much of a CPU overhead.
OpenWrt and SELinux
OpenWrt and SELinux
OpenWrt and SELinux
OpenWrt and SELinux
OpenWrt and SELinux
OpenWrt and SELinux
OpenWrt and SELinux
There is a much, much simpler, "defence in depth" security configuration that OpenWRT could implement first: not run almost everything as root!?
For every problem there is a solution that is simple, obvious, and wrong.OpenWrt and SELinux
> running services on privileged ports (e.g. DHCP and DNS).
Ubuntu's dbus-daemon --system does not run as root
Ubuntu's rsyslogd does not run as root
Ubuntu's systemd-timesyncd does not run as root
Really? Does the entire web interface need to run as root?
Even on OpenWRT dropbear does support privilege separation (I just tested it) but OpenWRT doesn't provide any regular user account by default and the ssh page in the web interface doesn't support any non root user either.
OpenWrt and SELinux
uhttpd is kinda not my department... For dropbear I currently don't see a reasonable option which would allow it to run as non-root.
OpenWrt and SELinux
OpenWrt and SELinux
OpenWrt and SELinux
OpenWrt and SELinux
Back in 2003 I got SE Linux working on an iPaQ which had 64M of RAM and 48M of storage. Newer versions of SE Linux are larger but then Linux in general is a lot larger now than it was then.