Re: Removing writable permissions in squashfs images vs overlayfs
On 10/23/22 23:35, Phillip Lougher wrote:
> On Thu, Oct 20, 2022 at 6:01 PM Peter Naulls wrote:
>
> What you probably want is the following
>
> % mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"

It is, fantastic, thank you. I added to include/image.mk:

--- a/include/image.mk +++ b/include/image.mk @@ -76,6 +76,7 @@ SQUASHFS_BLOCKSIZE := $(CONFIG_TARGET_SQUASHFS_BLOCK_SIZE)k SQUASHFSOPT := -b $(SQUASHFS_BLOCKSIZE) SQUASHFSOPT += -p '/dev d 755 0 0' -p '/dev/console c 600 0 0 5 1' SQUASHFSOPT += $(if $(CONFIG_SELINUX),-xattrs,-no-xattrs) +SQUASHFSOPT += -action 'chmod(ugo-w)@perm(/ugo+w)' SQUASHFSCOMP := gzip LZMA_XZ_OPTIONS := -Xpreset 9 -Xe -Xlc 0 -Xlp 2 -Xpb 2 ifeq ($(CONFIG_SQUASHFS_XZ),y)

It sure seems like this could easily be a config option in OpenWrt, either allowing specific commands here, or some easy presets, or perhaps platform overrides.

Again, I know this is theater and overlayfs rules here, but it's still important for my use.

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
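Review bot: The added SQUASHFSOPT += -action 'chmod(ugo-w)@perm(/ugo+w)' line is unconditional, so every squashfs image built with this include/image.mk has the write bits stripped from all files and directories, while the xattrs option on the line directly above it is selected with $(if $(CONFIG_SELINUX),...). Consider gating the new option the same way on a config symbol (the name would be new, for example a hypothetical CONFIG_TARGET_SQUASHFS_STRIP_WRITE) so that targets opt in, and add a short comment above the line saying what the action string does, since the chmod(...)@perm(...) syntax is not self-explanatory in a makefile.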
Re: Removing writable permissions in squashfs images vs overlayfs
On Thu, Oct 20, 2022 at 6:01 PM Peter Naulls wrote:
>
>
> Yes, I know. Bear with me. Laugh if you must.
>
> # ls -l /rom/
> ...
> drwxr-xr-x 4 root root 98 Oct 20 13:53 www
>
> I'd like to remove the writable bits from the squashfs image - /www is
> particular concern because of security paranoia.
>
> Now I realize that:
>
> 1. This is contrary to the design and operation of overlayfs - it doesn't
> matter what you set the permissions to, overlayfs will make a copy and
> let you "write" anyway (correct me if I'm wrong here) and besides there's only
> root.
>
> 2. This is 100% security theater, but the optics have become important here.
>
> I don't see that mksquashfs has any options for removing these attributes.
> It is possible to set the permissions on files that end up in the rootfs
> before the image generation, but then you tend to run into permissions
> problems on the host build system when you do it again and it needs to clean
> things out.

On the contrary, this is fully supported by Mksquashfs using actions.

Actions are modelled on the find command, and allow one or more tests to be performed on a file, and if the tests match, execute an action.

What you probably want is the following

% mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"

"perm(/ugo+w)" is a test that matches on any file that has a writable permission (either user, group or other).

"chmod(ugo-w)" is an action that removes the writable permission for user, group and other.

So if any file has a writable permission it is removed before generating the Squashfs filesystem.

Worked example

phillip@phoenix:/tmp$ ls -la test
total 12
drwxr-xr-x 3 phillip users 4096 Oct 24 03:37 .
drwxrwxrwt 11 root root 4096 Oct 24 04:17 ..
drwxrwxrwx 2 phillip users 4096 Oct 24 03:32 example_dir
-rw-rw-rw- 1 phillip users 0 Oct 24 03:32 example_file
-r--r--r-- 1 phillip users 0 Oct 24 03:37 not_writable

phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"

phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh
dr-xr-xr-x phillip/users 74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users 3 2022-10-24 03:32 squashfs-root/example_dir
-r--r--r-- phillip/users 0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users 0 2022-10-24 03:37 squashfs-root/not_writable

If you only want the writable permission removed from directories, you can test the file type in addition to the writable permissions, e.g.

% mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress

Worked example

phillip@phoenix:/tmp$ ls -la test
total 12
drwxr-xr-x 3 phillip users 4096 Oct 24 03:37 .
drwxrwxrwt 11 root root 4096 Oct 24 04:22 ..
drwxrwxrwx 2 phillip users 4096 Oct 24 03:32 example_dir
-rw-rw-rw- 1 phillip users 0 Oct 24 03:32 example_file
-r--r--r-- 1 phillip users 0 Oct 24 03:37 not_writable

phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress

phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh
dr-xr-xr-x phillip/users 74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users 3 2022-10-24 03:32 squashfs-root/example_dir
-rw-rw-rw- phillip/users 0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users 0 2022-10-24 03:37 squashfs-root/not_writable

More information on Mksquashfs actions is here

https://github.com/plougher/squashfs-tools/blob/master/ACTIONS-README

Please ask if you want more information.

Phillip
---
Squashfs author and maintainer.
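An added example, not part of the post above and not squashfs-tools code: a build-time check that reads `unsquashfs -lls` output like the listings in the worked examples and reports every entry that still carries a write bit. The function names and the sample listing (including the device-node and symlink lines) are constructed for illustration; symlinks are skipped on the assumption that their displayed mode is not what access checks use.

```shell
#!/bin/sh
# Added example: gate a build on "no write bits left in the squashfs image".
# Real use (assumes the image is called test.sqsh, as in the thread):
#   unsquashfs -lls test.sqsh | check_listing || exit 1

# Print the path of every entry in an `unsquashfs -lls` listing (stdin)
# whose mode string still has a user, group or other write bit.
writable_entries() {
    awk '
    # Only lines that start with a 10-character mode string; skip symlinks
    # ("l"), whose mode is shown as rwxrwxrwx and is not used for access checks.
    length($1) != 10 || $1 !~ /^[-dbcps][-rwxsStT]+$/ { next }
    substr($1, 3, 1) == "w" || substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" {
        # Device nodes show "major, minor" instead of a size, so locate the
        # date column rather than assuming a fixed field number.
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/) break
        if (i + 2 > NF) next
        path = $(i + 2)
        for (j = i + 3; j <= NF; j++) path = path " " $j   # names with spaces
        print path
    }'
}

# Succeed only if the listing on stdin has no writable entries.
check_listing() {
    bad=$(writable_entries)
    [ -z "$bad" ] && return 0
    printf 'writable entries left in image:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample: the directories-only result from the thread, plus a
# device node and a symlink to exercise the parser.
sample_listing() {
    cat <<'EOF'
dr-xr-xr-x phillip/users        74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users         3 2022-10-24 03:32 squashfs-root/example_dir
-rw-rw-rw- phillip/users         0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users         0 2022-10-24 03:37 squashfs-root/not_writable
crw------- root/root          5, 1 2022-10-24 03:37 squashfs-root/dev/console
lrwxrwxrwx root/root             7 2022-10-24 03:37 squashfs-root/link -> example
EOF
}

sample_listing | writable_entries
```
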
Removing writable permissions in squashfs images vs overlayfs
Yes, I know. Bear with me. Laugh if you must.

# ls -l /rom/
...
drwxr-xr-x 4 root root 98 Oct 20 13:53 www

I'd like to remove the writable bits from the squashfs image - /www is particular concern because of security paranoia.

Now I realize that:

1. This is contrary to the design and operation of overlayfs - it doesn't matter what you set the permissions to, overlayfs will make a copy and let you "write" anyway (correct me if I'm wrong here) and besides there's only root.

2. This is 100% security theater, but the optics have become important here.

I don't see that mksquashfs has any options for removing these attributes. It is possible to set the permissions on files that end up in the rootfs before the image generation, but then you tend to run into permissions problems on the host build system when you do it again and it needs to clean things out.

Open to suggestions.