* Security Working Group meeting - Wednesday April 13
@ 2022-04-12 16:28 Joseph Reynolds
2022-04-12 16:35 ` Fwd: Security Working Group meeting - Wednesday April 13 - SELinux Joseph Reynolds
2022-04-13 21:29 ` Security Working Group meeting - Wednesday April 13 - results Joseph Reynolds
From: Joseph Reynolds @ 2022-04-12 16:28 UTC
To: openbmc
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday April 13 at 10:00am PDT.
We'll discuss the following items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
and anything else that comes up:
1. Renewed interest in securing D-Bus interfaces and using SELinux.
Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
- Joseph
* Fwd: Security Working Group meeting - Wednesday April 13 - SELinux
From: Joseph Reynolds @ 2022-04-12 16:35 UTC
To: openbmc, Anton Kachalov
Anton,
Folks from IBM research are planning to attend the OpenBMC Security
Working Group meeting to learn more about how to apply SELinux to
OpenBMC. I understand this is an alternate solution to the work you had
started here:
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/42748 and
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49100.
Joseph
-------- Forwarded Message --------
Subject: Security Working Group meeting - Wednesday April 13
Date: Tue, 12 Apr 2022 11:28:24 -0500
From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday April 13 at 10:00am PDT.
We'll discuss the following items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
and anything else that comes up:
1. Renewed interest in securing D-Bus interfaces and using SELinux.
Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
- Joseph
* Re: Security Working Group meeting - Wednesday April 13 - results
From: Joseph Reynolds @ 2022-04-13 21:29 UTC
To: openbmc
On 4/12/22 11:28 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday April 13 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
Attended: Joseph Reynolds, Ruud Haring, Chris Engel, Dick (Phoenix),
Dong Chen, Jesse Arroyo, Yakatawa Sugawara, Russel Wilson, Krishnan
Sugvanam, Manojkiran Eda, McCawley, Robert Senger, Sandhya Keteshwara,
Surya (Intel), James Mihm, Terry Duncan, (and unknown caller who joined
as the meeting was ending).
> 1. Renewed interest in securing D-Bus interfaces and using SELinux.
Ruud Haring and Yataka Sugawara and Russel Wilson from IBM Research
presented a proposal.
A recording was made of the presentation and discussion. TODO: Post the
recording.
DISCUSSION:
The proposal PDF will be shared with the OpenBMC community. Here is my
summary of the main points: SELinux is preferred by IBM and some large
customers to solve several related access control problems: limiting
access of root processes, application trust, systemd, and D-Bus. See
previous discussion 2020-05-13 below: SELinux email use cases and email
https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html
Next steps: Follow
https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes
with email discussion, Discord (per
https://github.com/openbmc/openbmc#contact) and creating a design for
phase 1 (below).
TODO: Joseph to send email to begin the discussion about SELinux use
cases which might be shared by multiple OpenBMC users.
IBM plans to work in the OpenBMC community project: stage 1 is an opt-in
SELinux in permissive mode to collect data about which policies are
needed. Later stages are to create SELinux policies for access control,
and then to configure SELinux to enforce them.
Does OpenBMC have existing SELinux policies? None are known, but see
the Yocto/OE meta-selinux layer and associated docs.
We discussed some difficulties in using SELinux: Configuring the
meta-selinux layer, configuring the Linux Kernel, and additional space
requirements (about 20MB).
We discussed SELinux vs AppArmor. IBM has chosen SELinux because it is
well known to IBM and customers, and has an active community. Note the
planned SELinux support is opt-in, so another contributor can add
AppArmor as needed.
The intended reference platform is an x86 system running with the
AST2600 and 256Mb (or more) flash storage.
We discussed SELinux & D-Bus tie-ins. (OpenBMC D-Bus runs in system
mode.) Note that D-Bus has built-in support for SELinux.
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
>
* Re: Security Working Group meeting - Wednesday April 13 - results
From: Ratan Gupta @ 2022-04-18 15:02 UTC
To: Joseph Reynolds; +Cc: openbmc
Hi Team,
AppArmor doesn't work with the OpenBMC stack. I tried it around 6 months back
and opened up the issue, and finally I was told by AppArmor that it is not
a trivial one.
https://gitlab.com/apparmor/apparmor/-/issues/183
Ratan
On Thu, Apr 14, 2022 at 3:00 AM Joseph Reynolds <jrey@linux.ibm.com> wrote:
> On 4/12/22 11:28 AM, Joseph Reynolds wrote:
> > This is a reminder of the OpenBMC Security Working Group meeting
> > scheduled for this Wednesday April 13 at 10:00am PDT.
> >
> > We'll discuss the following items on the agenda
> > <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> > and anything else that comes up:
> >
>
> Attended: Joseph Reynolds, Ruud Haring, Chris Engel, Dick (Phoenix),
> Dong Chen, Jesse Arroyo, Yakatawa Sugawara, Russel Wilson, Krishnan
> Sugvanam, Manojkiran Eda, McCawley, Robert Senger, Sandhya Keteshwara,
> Surya (Intel), James Mihm, Terry Duncan, (and unknown caller who joined
> as the meeting was ending).
>
>
> > 1. Renewed interest in securing D-Bus interfaces and using SELinux.
>
> Ruud Haring and Yataka Sugawara and Russel Wilson from IBM Research
> presented a proposal.
>
>
> A recording was made of the presentation and discussion. TODO: Post the
> recording.
>
>
> DISCUSSION:
>
> The proposal PDF will be shared with the OpenBMC community. Here is my
> summary of the main points: SELinux is preferred by IBM and some large
> customers to solve several related access control problems: limiting
> access of root processes, application trust, systemd, and D-Bus. See
> previous discussion 2020-05-13 below: SELinux email use cases and email
> https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html
>
>
> Next steps: Follow
> https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes
> with email discussion, Discord (per
> https://github.com/openbmc/openbmc#contact) and creating a design for
> phase 1 (below).
>
>
> TODO: Joseph to send email to begin the discussion about SELinux use
> cases which might be shared by multiple OpenBMC users.
>
>
> IBM plans to work in the OpenBMC community project: stage 1 is an opt-in
> SELinux in permissive mode to collect data about which policies are
> needed. Later stages are to create SELinux policies for access control,
> and then to configure SELinux to enforce them.
>
>
> Does OpenBMC have existing SELinux policies? None are known, but see
> the Yocto/OE meta-selinux layer and associated docs.
>
>
> We discussed some difficulties in using SELinux: Configuring the
> meta-selinux layer, configuring the Linux Kernel, and additional space
> requirements (about 20MB).
>
>
> We discussed SELinux vs AppArmor. IBM has chosen SELinux because it is
> well known to IBM and customers, and has an active community. Note the
> planned SELinux support is opt-in, so another contributor can add
> AppArmor as needed.
>
>
> The intended reference platform is an x86 system running with the
> AST2600 and 256Mb (or more) flash storage.
>
>
> We discussed SELinux & D-Bus tie-ins. (OpenBMC D-Bus runs in system
> mode.) Note that D-Bus has built-in support for SELinux.
>
>
>
> > Access, agenda and notes are in the wiki:
> > https://github.com/openbmc/openbmc/wiki/Security-working-group
> >
> > - Joseph
> >
>
>