From: Ratan Gupta <ratankgupta31@gmail.com>
Date: Mon, 18 Apr 2022 20:32:16 +0530
Subject: Re: Security Working Group meeting - Wednesday April 13 - results
To: Joseph Reynolds
Cc: openbmc <openbmc@lists.ozlabs.org>
In-Reply-To: <41e89e78-67f2-77d2-60f4-63b2bb86d60f@linux.ibm.com>
List-Id: Development list for OpenBMC
Hi Team,

AppArmor doesn't work with the OpenBMC stack. I tried it around 6 months back, opened up the issue, and finally it was told by AppArmor that it is not a trivial one.
https://gitlab.com/apparmor/apparmor/-/issues/183

Ratan

On Thu, Apr 14, 2022 at 3:00 AM Joseph Reynolds wrote:
> On 4/12/22 11:28 AM, Joseph Reynolds wrote:
> > This is a reminder of the OpenBMC Security Working Group meeting
> > scheduled for this Wednesday April 13 at 10:00am PDT.
> >
> > We'll discuss the following items on the agenda
> > <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> > and anything else that comes up:
> >
>
> Attended: Joseph Reynolds, Ruud Haring, Chris Engel, Dick (Phoenix),
> Dong Chen, Jesse Arroyo, Yakatawa Sugawara, Russel Wilson, Krishnan
> Sugvanam, Manojkiran Eda, McCawley, Robert Senger, Sandhya Keteshwara,
> Surya (Intel), James Mihm, Terry Duncan (and an unknown caller who joined
> as the meeting was ending).
>
> > 1. Renewed interest in securing D-Bus interfaces and using SELinux.
>
> Ruud Haring, Yataka Sugawara and Russel Wilson from IBM Research
> presented a proposal.
>
> A recording was made of the presentation and discussion. TODO: Post the
> recording.
>
> DISCUSSION:
>
> The proposal PDF will be shared with the OpenBMC community. Here is my
> summary of the main points: SELinux is preferred by IBM and some large
> customers to solve several related access control problems: limiting
> access of root processes, application trust, systemd, and D-Bus. See
> previous discussion 2020-05-13 below: SELinux email use cases and email
> https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html
>
> Next steps: Follow
> https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes
> with email discussion, Discord (per https://github.com/openbmc/openbmc#contact)
> and creating a design for phase 1 (below).
>
> TODO: Joseph to send email to begin the discussion about SELinux use
> cases which might be shared by multiple OpenBMC users.
>
> IBM plans to work in the OpenBMC community project: stage 1 is an opt-in
> SELinux in permissive mode to collect data about which policies are
> needed. Later stages are to create SELinux policies for access control,
> and then to configure SELinux to enforce them.
>
> Does OpenBMC have existing SELinux policies? None are known, but see
> the Yocto/OE meta-selinux layer and associated docs.
>
> We discussed some difficulties in using SELinux: configuring the
> meta-selinux layer, configuring the Linux kernel, and additional space
> requirements (about 20MB).
>
> We discussed SELinux vs AppArmor. IBM has chosen SELinux because it is
> well known to IBM and customers, and has an active community. Note the
> planned SELinux support is opt-in, so another contributor can add
> AppArmor as needed.
>
> The intended reference platform is an x86 system running with the
> AST2600 and 256Mb (or more) flash storage.
>
> We discussed SELinux & D-Bus tie-ins. (OpenBMC D-Bus runs in system
> mode.) Note that D-Bus has built-in support for SELinux.
>
> > Access, agenda and notes are in the wiki:
> > https://github.com/openbmc/openbmc/wiki/Security-working-group
> >
> > - Joseph
> >
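The stage-1 plan in the quoted notes (opt-in SELinux in permissive mode to collect data about which policies are needed) and the D-Bus tie-in both come down to harvesting AVC denials and turning them into candidate rules. As an added example, not code from this thread or from the OpenBMC project, here is a small Python summariser that does that over a constructed audit log; the domain names (bmcweb_t, hwmon_sensor_t), bus names and records are illustrative placeholders, and on a real system audit2allow from policycoreutils performs this step.

```python
import re
from collections import defaultdict

# Constructed sample of audit records from a BMC running SELinux in permissive
# mode; the domain names (bmcweb_t, hwmon_sensor_t) are placeholders, not an
# existing OpenBMC policy. USER_AVC is what dbus-daemon emits via its own hook.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1650294147.148:101): avc:  denied  { read } for  pid=812 comm="bmcweb" name="hostname" scontext=system_u:system_r:bmcweb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1650294147.150:102): avc:  denied  { open } for  pid=812 comm="bmcweb" path="/etc/hostname" scontext=system_u:system_r:bmcweb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1650294147.200:103): pid=301 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=xyz.openbmc_project.HwmonTempSensor spid=812 tpid=455 scontext=system_u:system_r:bmcweb_t:s0 tcontext=system_u:system_r:hwmon_sensor_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon"'
type=SYSCALL msg=audit(1650294147.150:102): arch=40000028 syscall=322 success=yes exit=5
"""

# Matches both kernel AVC lines and the avc: text nested inside a USER_AVC msg.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def se_type(context):
    """Type field of a user:role:type:level context, e.g. bmcweb_t."""
    return context.split(":")[2]

def parse_avc(line):
    """One denial as a dict, or None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": se_type(m.group("scontext")),
        "ttype": se_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",  # logged only, not blocked
    }

def candidate_rules(log_text):
    """Aggregate denials into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)

def format_rules(rules):
    """Render the candidates as TE allow statements for policy review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
```

Rules harvested this way are a starting point for review, not a policy to apply as-is: a permissive log records every access that happened, including ones the final policy should keep denying.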