Re: [OpenWrt-Devel] Enable security labels on ext4?
> what is the size increase in kmod-ext4 due to this?

I think the overhead is small. Here are the kernel artifact sizes (KB) without security labels:

3176  ./build_dir/target-x86_64_musl/linux-x86_64/linux-4.14.79/arch/x86/boot/compressed/vmlinux
55624 ./build_dir/target-x86_64_musl/linux-x86_64/linux-4.14.79/vmlinux
11852 ./build_dir/target-x86_64_musl/linux-x86_64/vmlinux
3292  ./build_dir/target-x86_64_musl/linux-x86_64/root.grub/boot/vmlinuz

Here they are with:

3176  ./build_dir/target-x86_64_musl/linux-x86_64/linux-4.14.79/arch/x86/boot/compressed/vmlinux
55632 ./build_dir/target-x86_64_musl/linux-x86_64/linux-4.14.79/vmlinux
11852 ./build_dir/target-x86_64_musl/linux-x86_64/vmlinux
3292  ./build_dir/target-x86_64_musl/linux-x86_64/root.grub/boot/vmlinuz

What is less obvious is the runtime memory overhead. I suspect that the security labels themselves come at little cost, since they are so sparse. However, the extended-attribute infrastructure itself might cost something---it is not yet clear to me if this is present in every ext4 build or only those which include something like security labels or ACLs.

I am also reading about "ambient capabilities" as proposed by Etienne. I wonder if we could wire these into the procd system. My near-term aim is to allow network services to run without root privileges. While many drop their privileges after using them to listen on a port < 1024 socket, I would rather they never run as root and instead rely on CAP_NET_BIND_SERVICE. Aside from less room for error in the service source code, it is nice to be able to specify users in the /etc/init.d files as opposed to per-service configuration mechanisms.

This has become more pressing for me since I started using Go in more of my Linux work. Goroutines do not seem to play nicely with setuid [1], so on Go things like CAP_NET_BIND_SERVICE are preferred. I am building a few things in Go on OpenWrt.

[1] https://github.com/golang/go/issues/1435

--
Mike

:wq

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
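The scheme Mike describes above, a service that never runs as root but starts already holding CAP_NET_BIND_SERVICE, is something the launcher (procd, in the OpenWrt case) can arrange with the ambient capability set Etienne points to. The following is an added example and is not code from this thread, from procd or from Mike: a minimal C launcher that, while still root, switches to an unprivileged uid/gid, keeps only CAP_NET_BIND_SERVICE in its permitted and inheritable sets, raises it into the ambient set, and then execs the service, which inherits the capability without ever being root. It assumes a Linux 4.3+ kernel, glibc, and the hypothetical command line `launcher UID GID PROG [ARGS...]`. This route needs no file capabilities, so it works on any filesystem; the alternative, `setcap cap_net_bind_service=+ep` on the binary, stores the capability in the security.capability xattr, which on ext4 is exactly what the security-labels option proposed in this thread turns on.

```c
/* Added example: ambient-capability launcher (not procd code). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Older userspace headers may lack these; values match the kernel ABI. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif

/* Fill a capset(2) payload that keeps only `cap` in the permitted and
 * inheritable sets and leaves the effective set empty: the launcher itself
 * never exercises the capability, it only forwards it to the child. */
void build_capdata(int cap,
                   struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    memset(data, 0, sizeof(struct __user_cap_data_struct) * _LINUX_CAPABILITY_U32S_3);
    data[CAP_TO_INDEX(cap)].permitted   = CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].inheritable = CAP_TO_MASK(cap);
}

/* Drop from root to uid/gid while carrying `cap` into the ambient set, so the
 * program exec'd afterwards starts unprivileged but already holds `cap`.
 * Returns 0 on success, -1 with errno set on failure. Must be called as root. */
int drop_to_user_keeping_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    /* 1. Survive the uid change with the permitted set intact (the effective
     *    set is cleared by the kernel when we leave uid 0; that is fine). */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0)
        return -1;
    /* 2. Give up root: supplementary groups first, then gid, then uid. */
    if (setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    /* 3. Shrink permitted to `cap` alone and copy it into inheritable;
     *    everything else root had is discarded here. */
    build_capdata(cap, data);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    /* 4. Raise it in the ambient set (requires it in permitted AND
     *    inheritable) so it survives execve() of a binary that carries no
     *    file capabilities, e.g. a Go service on a plain squashfs/ext4. */
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0L, 0L) < 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s UID GID PROG [ARGS...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_to_user_keeping_cap(uid, gid, CAP_NET_BIND_SERVICE) < 0) {
        perror("drop_to_user_keeping_cap");
        return 1;
    }
    /* The service now runs as uid/gid with only CAP_NET_BIND_SERVICE and can
     * bind a port below 1024 without any setuid dance of its own. */
    execvp(argv[3], &argv[3]);
    perror("execvp");
    return 1;
}
```

Run as root, e.g. `./launcher 65534 65534 /usr/bin/myservice`, then check from inside the service (or with `grep Cap /proc/PID/status`) that CapPrm/CapEff contain only bit 10 and that the uid is no longer 0. The ambient raise fails with EPERM if the securebit SECBIT_NO_CAP_AMBIENT_RAISE is set, and with EINVAL on kernels older than 4.3, which is the case to watch for on older OpenWrt targets.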
Re: [OpenWrt-Devel] Enable security labels on ext4?
Hi Mike,

(resend as text as html mail are blocked)

On Sat, 10 Nov 2018 at 22:59, W. Michael Petullo wrote:
>
> Capabilities are an important security mechanism on Linux because they
> allow programs to run with fewer privileges.

What you really want is ambient capabilities (Linux 4.3+). It allows you to keep just some capabilities as non-root and without filesystem support, so this can be supported in all cases.

Etienne

> I would like to propose that
> we enable security labels by default on filesystems like ext4. This is
> done by selecting the following kernel build option:
>
> File systems -> (The Extended 4 (ext4) filesystem) Ext4 Security
> Labels
>
> I have already submitted a pull request which should allow
> our build servers to provide the corresponding libcap utilities. See:
>
> https://github.com/openwrt/packages/pull/7368
>
> --
> Mike
>
> :wq
Re: [OpenWrt-Devel] Enable security labels on ext4?
Hi,

what is the size increase in kmod-ext4 due to this?

~ Jo
[OpenWrt-Devel] Enable security labels on ext4?
Capabilities are an important security mechanism on Linux because they allow programs to run with fewer privileges. I would like to propose that we enable security labels by default on filesystems like ext4. This is done by selecting the following kernel build option:

File systems -> (The Extended 4 (ext4) filesystem) Ext4 Security Labels

I have already submitted a pull request which should allow our build servers to provide the corresponding libcap utilities. See:

https://github.com/openwrt/packages/pull/7368

--
Mike

:wq