Associate Engineer, Division for Cyber and Data Security, ITRI ICL
These embedded devices are very susceptible to security vulnerabilities, as they are always powered on and usually receive no updates after manufacture (unless they malfunction). OpenWrt is no exception. Although the community already does its best to keep up with state-of-the-art hardening, that alone is insufficient, as there are too many software packages and too few people maintaining them. Consequently, following the “defense in depth” concept, Thomas Petazzoni from Bootlin initiated the work of bringing SELinux to OpenWrt in 2019, and as of today that work has been merged into the mainstream.
Unfortunately, that work addresses only the very first part of the port: the necessary user-space packages and related kernel options, but not the bundled Reference Policy. After a detailed examination, our work fills this gap to unleash the power of SELinux, in the hope of bringing security to everyone in a friendlier way (prevention rather than mitigation).