Security Working Group meeting - Wednesday April 13 - results

Ratan Gupta ratankgupta31 at gmail.com
Tue Apr 19 01:02:16 AEST 2022


Hi Team,

AppArmor doesn't work with the OpenBMC stack. I tried it around 6 months back
and opened up the issue, and finally I was told by AppArmor that it is not a
trivial one.

https://gitlab.com/apparmor/apparmor/-/issues/183

Ratan

On Thu, Apr 14, 2022 at 3:00 AM Joseph Reynolds <jrey at linux.ibm.com> wrote:

> On 4/12/22 11:28 AM, Joseph Reynolds wrote:
> > This is a reminder of the OpenBMC Security Working Group meeting
> > scheduled for this Wednesday April 13 at 10:00am PDT.
> >
> > We'll discuss the following items on the agenda
> > <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> > and anything else that comes up:
> >
>
> Attended: Joseph Reynolds, Ruud Haring, Chris Engel, Dick (Phoenix),
> Dong Chen, Jesse Arroyo, Yakatawa Sugawara, Russel Wilson, Krishnan
> Sugvanam, Manojkiran Eda, McCawley, Robert Senger, Sandhya Keteshwara,
> Surya (Intel), James Mihm, Terry Duncan, (and unknown caller who joined
> as the meeting was ending).
>
>
> > 1. Renewed interest in securing D-Bus interfaces and using SELinux.
>
> Ruud Haring and Yataka Sugawara and Russel Wilson from IBM Research
> presented a proposal.
>
>
> A recording was made of the presentation and discussion.  TODO: Post the
> recording.
>
>
> DISCUSSION:
>
> The proposal PDF will be shared with the OpenBMC community.  Here is my
> summary of the main points: SELinux is preferred by IBM and some large
> customers to solve several related access control problems: limiting
> access of root processes, application trust, systemd, and D-Bus.  See
> previous discussion 2020-05-13 below: SELinux email use cases and email
> https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html
>
>
> Next steps: Follow
> https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes
> with email discussion, Discord (per
> https://github.com/openbmc/openbmc#contact) and creating a design for
> phase 1 (below).
>
>
> TODO: Joseph to send email to begin the discussion about SELinux use
> cases which might be shared by multiple OpenBMC users.
>
>
> IBM plans to work in the OpenBMC community project: stage 1 is an opt-in
> SELinux in permissive mode to collect data about which policies are
> needed.  Later stages are to create SELinux policies for access control,
> and then to configure SELinux to enforce them.
>
>
> Does OpenBMC have existing SELinux policies?  None are known, but see
> the Yocto/OE meta-selinux layer and associated docs.
>
>
> We discussed some difficulties in using SELinux: Configuring the
> meta-selinux layer, configuring the Linux Kernel, and additional space
> requirements (about 20MB).
>
>
> We discussed SELinux vs AppArmor.  IBM has chosen SELinux because it is
> well known to IBM and customers, and has an active community.  Note the
> planned SELinux support is opt-in, so another contributor can add
> AppArmor as needed.
>
>
> The intended reference platform is an x86 system running with the
> AST2600 and 256Mb (or more) flash storage.
>
>
> We discussed SELinux & D-Bus tie-ins.  (OpenBMC D-Bus runs in system
> mode.)  Note that D-Bus has built-in support for SELinux.
>
>
>
> > Access, agenda and notes are in the wiki:
> > https://github.com/openbmc/openbmc/wiki/Security-working-group
> >
> > - Joseph
> >
>
>