<div dir="ltr"><div dir="ltr">So far there is an issue with D-Bus:<div><br></div><div><a href="https://github.com/freedesktop/dbus/blob/master/bus/apparmor.c#L126">https://github.com/freedesktop/dbus/blob/master/bus/apparmor.c#L126</a><br></div><div><br></div><div><font face="monospace" size="1">John Johansen has confirmed that the mainline kernel will not have<br>the apparmorfs/features/dbus/mask file until the mainline kernel<br>has AppArmor getpeersec support.</font><br></div><div><br></div><div>If I'm not mistaken, we do not run dbus daemons, only dbus-broker, which clearly lacks AppArmor support:</div><div><div><br></div><div><a href="https://github.com/bus1/dbus-broker/issues/169">https://github.com/bus1/dbus-broker/issues/169</a><br></div><div></div></div><div><br></div><div><a href="https://github.com/bus1/dbus-broker/blob/master/src/launch/launcher.c#L1327">https://github.com/bus1/dbus-broker/blob/master/src/launch/launcher.c#L1327</a><br></div><div><br></div></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 21 Apr 2020 at 11:57, Anton Kachalov <<a href="mailto:rnouse@google.com">rnouse@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Looks like the 18MB increase in image size came from dependencies such as Python (e.g. audit2allow) that we can get rid of in the prod image.</div><div><br></div><div>I've tried to build AppArmor for OpenBMC. 
By default, it's being built with Python and Perl as well, which also adds an extra 14MB of image size, or a 68MB -> 126MB unpacked rootfs increase.</div><div><br></div><div>Once such dependencies were dropped, I got a working AppArmor-enabled system with only a 2MB increase.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 6 Apr 2020 at 15:20, Anton Kachalov <<a href="mailto:rnouse@google.com" target="_blank">rnouse@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thank you for clarifying, Ratan.<div><br></div><div>Meanwhile I will try to check what AppArmor will give us in terms of firmware size growth.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 6 Apr 2020 at 13:24, Ratan Gupta <<a href="mailto:ratagupt@linux.vnet.ibm.com" target="_blank">ratagupt@linux.vnet.ibm.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi Anton,</p>
<p>I brought in the meta-selinux layer, which enables the SELinux
framework on obmc-phosphor-image, and it increases the size of the
image by 18MB.</p>
<p>This layer enables the Linux kernel support for the SELinux framework
and brings in a lot of tools and scripts.<br>
Just to name a few, the layer comes with binaries like</p>
<p>- getenforce<br>
- setenforce<br>
- semanage<br>
- sestatus<br>
- audit2why<br>
- audit2allow<br>
- restorecon<br>
- chcon</p>
<p>It also brings in various scripts that would help to label the
entire system during the first boot.</p>
<p>A lot of these binaries may only be required by the developer
during the initial phase of SELinux enablement and not by the end
customer.</p>
<p>I need to spend a little more time to see what we can remove from
the layer. <br>
</p>
<p>My suggestion is we can defer this size work for later and start
working on how SELinux can help in OpenBMC security.</p>
<p>We would be publishing the SELinux use cases in a week. <br>
</p>
<p>Manoj is working with me on bringing down the size of the SELinux
layer.<br>
</p>
<p>Regards</p>
<p>Ratan<br>
</p>
<div>On 4/5/20 6:58 PM, Anton Kachalov
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello, Ratan.
<div><br>
</div>
<div>Would you mind breaking down the estimation? I'm curious about
what brought up 18MB when enabling SELinux.</div>
<div>Precompiled rules in Android took 3MB on average.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, 1 Apr 2020 at 16:22,
Ratan Gupta <<a href="mailto:ratagupt@linux.vnet.ibm.com" target="_blank">ratagupt@linux.vnet.ibm.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi
Joseph,<br>
<br>
We did some POC around SELinux, and will share the detailed
use-cases with <br>
SELinux which can be useful in the OpenBMC stack.<br>
<br>
SELinux is taking around 18MB of space on flash. Is it a concern?<br>
<br>
Regards<br>
<br>
Ratan<br>
<br>
On 3/31/20 9:51 PM, Joseph Reynolds wrote:<br>
> This is a reminder of the OpenBMC Security Working Group
meeting <br>
> scheduled for this Wednesday April 1 at 10:00am PDT.<br>
><br>
> We'll discuss current development items, and anything
else that comes up.<br>
><br>
> The current topics:<br>
><br>
> 1. SELinux or AppArmor plans<br>
><br>
> Access, agenda, and notes are in the wiki:<br>
><br>
> <a href="https://github.com/openbmc/openbmc/wiki/Security-working-group" rel="noreferrer" target="_blank">https://github.com/openbmc/openbmc/wiki/Security-working-group</a><br>
><br>
> - Joseph<br>
><br>
<br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div></div>