Embedded systems are popular these days due to the rise of intelligent devices in almost all application domains. Some of these domains are cost-sensitive, and system vendors usually leverage an off-the-shelf Linux distribution to keep costs down. OpenWrt is one such distro, which originated in home WiFi router applications.
These embedded devices are very susceptible to security vulnerabilities, as they are always powered on and usually receive no updates after manufacture (unless they malfunction). OpenWrt is no exception. Although the community already does its best to keep state-of-the-art hardening up to date, this is insufficient, as there are too many software packages and too few people maintaining them. Consequently, following the "defense in depth" concept, Thomas Petazzoni from Bootlin initiated work in 2019 to bring SELinux to OpenWrt, and the work has been merged into the mainstream as of today.
Unfortunately, that work addresses only the very first part of porting: the necessary user-space packages and related kernel options, but not the bundled Reference Policy. After a detailed examination, we realized that OpenWrt is simply different from any conventional Linux distro in at least the following aspects: 1) its init, procd, is actually a complex that combines device discovery and service management; 2) by default, it prefers resource-constrained implementations over full-fledged ones; 3) it makes itself stateless by mounting tmpfs on /tmp and symbolically linking /var to it, so necessities for system boot-up, such as the /var/lock directory, are created on the fly by its one-of-a-kind preinit and service control scripts; 4) it deploys ubus, a simplified Remote Procedure Call facility, as a replacement for the standard D-Bus. These differences make OpenWrt unique, and not fully compatible with the official Reference Policy.
Our work fills the gap to unleash the power of SELinux, in the hope of bringing security to everyone in a more friendly way (prevention rather than mitigation).
Associate Engineer, Division for Cyber and Data Security, ITRI ICL