Security Working Group meeting - Wednesday April 27 - results
Joseph Reynolds
jrey at linux.ibm.com
Thu Apr 28 04:07:49 AEST 2022
On 4/27/22 7:31 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday April 27 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
Attendees: Joseph Reynolds, Ruud Haring, Dhananjay, Jiang Ziang, Daniil,
Nirav Shah, Mark McCawley, Terry Duncan.
1 Followup to SELinux discussion from last time.
TODO Joseph: post the session recording and the presentation.
Note design in gerrit review
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/53205
<https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/53205>
We clarified the goal of the design is to make it easy for a system
integrator to add SELinux to their BMC firmware image, and to set some
basic SELinux policies which do not create “too many” denial event log
entries when SELinux is switched to permissive mode. The usefulness of
this design is to collect data for policies needed to switch SELinux to
enforcing mode. It remains an open question what policies are generally
useful to the OpenBMC community.
Dhananjay mentioned a SELinux policy analysis tool:
https://ossna2020.sched.com/event/ckpF/selint-an-selinux-policy-static-analysis-tool-daniel-burgener-microsoft
<https://ossna2020.sched.com/event/ckpF/selint-an-selinux-policy-static-analysis-tool-daniel-burgener-microsoft>
https://www.youtube.com/watch?v=Gx5bxwvzN_Y
<https://www.youtube.com/watch?v=Gx5bxwvzN_Y>
2 Is there a tie-in between Penetration testing and SELinux?
Note: Pen testing is performed by individual platforms, and the testing
effort is not shared: only vulnerabilities and fixes are shared. Help
wanted at the community level.
The idea is that the same kind of analysis is needed for both Pen
testing and to make SELinux policy. Can we share that analysis or
develop it in the OpenBMC community?
3 Nirav Shah - Alternate idea: Use D-Bus session buses (vs the system bus).
Note that all OpenBMC applications use the D-Bus system bus, which only
the root user is allowed to access.
Nirav presented an idea to change some applications to use a session bus
(and away from the system bus). Doing so allows BMC applications to run
as non-root and makes it easier for different applications to
communicate via D-bus APIs.
We believe this work is relatively independent of SELinux policy
configuration.
Joseph
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
> <https://github.com/openbmc/openbmc/wiki/Security-working-group>
>
> - Joseph
More information about the openbmc
mailing list