codeblog code is freedom — patching my itch

3/16/2008

SELinux in Hardy

Filed under: Security,Ubuntu — kees @ 1:32 pm

Hardy has seen a major overhaul in the SELinux department. Prior to the Hardy UDS, the folks at Tresys had contacted me, asking “why doesn’t SELinux work with Ubuntu?” and I basically said, “because no one has given it any attention, yet — feel free to help out.” And so they did! :)

As a result, if AppArmor isn’t the MAC system you want, you can now install a functional SELinux system on Ubuntu with just a simple “sudo apt-get install selinux”.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

3/9/2008

using select on a fifo

Filed under: Ubuntu — kees @ 5:00 pm

The right way to handle on-going input from file descriptors is to use select(). All readable events are flagged (one such event is “end of file”, which is indicated by a 0-sized read()). For example, if we’re reading from file descriptor fd:

  fd_set rfds;
  struct timeval tv;
  int rc;

  /* Watch only fd for readability. */
  FD_ZERO(&rfds);
  FD_SET(fd, &rfds);

  /* Wait at most one second. */
  tv.tv_sec = 1;
  tv.tv_usec = 0;

  rc = select(fd + 1, &rfds, NULL, NULL, &tv);
  if (rc > 0) {
    char buf[80];
    ssize_t got = read(fd, buf, sizeof(buf));
    if (got < 0) {
      perror("read");
      return 1;
    }
    else if (got == 0) {
      /* A 0-sized read means end of file. */
      printf("EOF\n");
      return 1;
    }
    else {
      printf("read bytes: %zd\n", got);
    }
  }

When dealing with sockets, the above loop is sane — EOF means the other end hung up and you’ll never get more data from the file descriptor. In the case of a FIFO, however, “0 length read” means there are no more FIFO writers — but more could attach later and continue feeding in data! The problem with this is that select misbehaves and marks the file descriptor as “EOF” forever. Only the initial select() call blocks until there is something to read — once it hits EOF, select will always immediately return, defeating the purpose of select().

One solution is to re-open the FIFO, but you might miss writers between your 0-length read() and the next open().

The seemingly correct solution is rather simple: the FIFO reader should open the FIFO as a writer also. In this case, select() never thinks all the writers have vanished, so there is never an EOF condition, and the reader never misses any writers. So, instead of O_RDONLY, use:

fd = open(FIFO_PATHNAME, O_RDWR | O_NONBLOCK);
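
To see the difference between the two open modes, here is an added example (not code from the original post) that lets one writer attach and hang up, then asks select() whether the reader's descriptor is still flagged readable. The function name, temporary directory and payload are constructed for the demo, and the behaviour shown is Linux's (POSIX leaves O_RDWR on a FIFO undefined).

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <unistd.h>

/* One writer attaches, sends 5 bytes and hangs up; the reader drains them and
 * then calls select() with a 200 ms timeout.
 * Returns 1 if select() still flags the fd readable (the endless-EOF case),
 * 0 if it times out (the reader idles correctly), -1 on setup error. */
int readable_after_writer_left(int reader_flags)
{
    char dir[] = "/tmp/fifo-demo-XXXXXX", path[64], buf[80];
    struct timeval tv = { 0, 200000 };
    fd_set rfds;
    int rfd = -1, wfd = -1, result = -1;

    if (mkdtemp(dir) == NULL)              /* private 0700 directory */
        return -1;
    snprintf(path, sizeof(path), "%s/fifo", dir);
    if (mkfifo(path, 0600) < 0 ||
        (rfd = open(path, reader_flags | O_NONBLOCK)) < 0 ||
        (wfd = open(path, O_WRONLY | O_NONBLOCK)) < 0 ||
        write(wfd, "hello", 5) != 5)
        goto out;
    close(wfd);                            /* last external writer leaves */
    wfd = -1;
    if (read(rfd, buf, sizeof(buf)) != 5)  /* drain the payload */
        goto out;
    FD_ZERO(&rfds);
    FD_SET(rfd, &rfds);
    result = select(rfd + 1, &rfds, NULL, NULL, &tv);  /* one fd: 0 or 1 */
out:
    if (wfd >= 0) close(wfd);
    if (rfd >= 0) close(rfd);
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("O_RDONLY: readable after hangup = %d\n", readable_after_writer_left(O_RDONLY));
    printf("O_RDWR:   readable after hangup = %d\n", readable_after_writer_left(O_RDWR));
    return 0;
}
```

With O_RDONLY the descriptor stays flagged after the writer leaves, so a select() loop would spin on 0-length reads; with O_RDWR the call times out and the reader simply waits for the next writer.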


3/8/2008

instaELF via GNU as

Filed under: Ubuntu — kees @ 2:47 pm

Today I needed to generate a fake ELF file with specific section contents (I was testing “modinfo”, which expects to read the “.modinfo” ELF section). For future reference, here’s how to create an empty .ko file that claims to have a GPL license:

$ cat <<EOM | as - -o /tmp/fake.ko
> .section .modinfo
> .string "license=GPL"
> EOM
$ modinfo /tmp/fake.ko
filename:       /tmp/fake.ko
license:        GPL


3/5/2008

swapping encryption, hurting your head

Filed under: Security,Ubuntu — kees @ 11:18 am

Last week Soren helped me move my manually cryptsetup’d swap partition into the initramfs logic so that I could hibernate. Bottom line was:

  1. Create /etc/initramfs-tools/conf.d/cryptroot for your partition, based on the logic and defaults in /usr/share/initramfs-tools/scripts/local-top/cryptroot.
  2. Convert the existing encrypted swap to the new configuration.
  3. Update initrd, reboot, enjoy.

Assuming your swap partition (in encrypted form) is stored at /dev/laptopvg/swaprawlv, and you want your accessible swap partition as /dev/mapper/swap, here are the above steps in detail:

Step 1 is simple; we’re assuming the defaults from the cryptroot script above:

    echo source=/dev/laptopvg/swaprawlv target=swap > /etc/initramfs-tools/conf.d/cryptroot
    

Step 2 hurt my head. Make sure you’ve unmounted your swap before attempting this, or you can destroy the partition contents. The parameters come from the cryptroot script again:

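    # Stop using the old mapping as swap before touching it
    swapoff /dev/mapper/swap
    # Show the swap signature as seen through the old mapping
    vol_id /dev/mapper/swap
    # Map the same raw volume a second time, with the cryptroot parameters
    cryptsetup -c aes-cbc-essiv:sha256 -h sha256 -s 256 create swap2 /dev/laptopvg/swaprawlv
    # Copy the contents from the old mapping into the new one
    dd if=/dev/mapper/swap of=/dev/mapper/swap2 bs=4k
    # Drop the old mapping and check the signature through the new one
    cryptsetup remove swap
    vol_id /dev/mapper/swap2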
    

Step 3 is simple again:

    update-initramfs -u
    shutdown -r now
    

Ta-da!
