[systemd-commits] 5 commits - TODO man/systemd.socket.xml src/core src/login

Lennart Poettering lennart at kemper.freedesktop.org
Mon Oct 29 19:41:56 PDT 2012


 TODO                                  |    2 ++
 man/systemd.socket.xml                |   20 ++++++++++++++++++++
 src/core/dbus-socket.c                |    6 ++++++
 src/core/kmod-setup.c                 |    7 ++++---
 src/core/load-fragment-gperf.gperf.m4 |    3 +++
 src/core/mount-setup.c                |    1 +
 src/core/socket.c                     |   32 ++++++++++++++++++++++++++++++++
 src/core/socket.h                     |    4 ++++
 src/login/logind-button.c             |   19 +++++--------------
 src/login/logind-dbus.c               |   14 +++++---------
 src/login/logind-session-dbus.c       |   18 ++++++++++++++++++
 src/login/logind-session.h            |    1 +
 12 files changed, 101 insertions(+), 26 deletions(-)

New commits:
commit 0eb59ccfe619cbc4b42ef8ff02b52971994dfe05
Author: Auke Kok <auke-jan.h.kok at intel.com>
Date:   Mon Oct 29 15:30:05 2012 -0700

    SMACK: Add configuration options. (v3)
    
    This adds SMACK label configuration options to socket units.
    
    SMACK labels should be applied to most objects on disk well before
    execution time, but two items remain that are generated dynamically
    at run time that require SMACK labels to be set in order to enforce
    MAC on all objects.
    
    Files on disk can be labelled using package management.
    
    For device nodes, simple udev rules are sufficient to add SMACK labels
    at boot/insertion time.
    
    Sockets can be created at run time and systemd does just that for
    several services. In order to protect FIFO's and UNIX domain sockets,
    we must instruct systemd to apply SMACK labels at runtime.
    
    This patch adds the following options:
    
    Smack - applicable to FIFO's.
    SmackIpIn/SmackIpOut - applicable to sockets.
    
    No external dependencies are required to support SMACK, as setting
    the labels is done using fsetxattr(). The labels can be set on a
    kernel that does not have SMACK enabled either, so there is no need
    to #ifdef any of this code out.
    
    For more information about SMACK, please see Documentation/Smack.txt
    in the kernel source code.
    
    v3 of this patch changes the config options to be CamelCased.

diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 9db39b1..ae8497e 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -485,6 +485,26 @@
                         </varlistentry>
 
                         <varlistentry>
+                                <term><varname>SmackLabel=</varname></term>
+                                <term><varname>SmackLabelIPIn=</varname></term>
+                                <term><varname>SmackLabelIPOut=</varname></term>
+                                <listitem><para>Takes a string
+                                value. Controls the extended
+                                attributes
+                                <literal>security.SMACK64</literal>,
+                                <literal>security.SMACK64IPIN</literal>
+                                and
+                                <literal>security.SMACK64IPOUT</literal>,
+                                respectively, i.e. the security label
+                                of the FIFO, or the security label for
+                                the incoming or outgoing connections
+                                of the socket, respectively.  See
+                                <ulink
+                                url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
+                                for details.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
                                 <term><varname>PipeSize=</varname></term>
                                 <listitem><para>Takes an integer
                                 value. Controls the pipe buffer size
diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c
index c57cce1..095a031 100644
--- a/src/core/dbus-socket.c
+++ b/src/core/dbus-socket.c
@@ -63,6 +63,9 @@
         "  <property name=\"MessageQueueMaxMessages\" type=\"x\" access=\"read\"/>\n" \
         "  <property name=\"MessageQueueMessageSize\" type=\"x\" access=\"read\"/>\n" \
         "  <property name=\"Result\" type=\"s\" access=\"read\"/>\n"    \
+        "  <property name=\"SmackLabel\" type=\"s\" access=\"read\"/>\n" \
+        "  <property name=\"SmackLabelIPIn\" type=\"s\" access=\"read\"/>\n" \
+        "  <property name=\"SmackLabelIPOut\" type=\"s\" access=\"read\"/>\n" \
         " </interface>\n"                                               \
 
 #define INTROSPECTION                                                   \
@@ -126,6 +129,9 @@ static const BusProperty bus_socket_properties[] = {
         { "MessageQueueMaxMessages", bus_property_append_long, "x", offsetof(Socket, mq_maxmsg)       },
         { "MessageQueueMessageSize", bus_property_append_long, "x", offsetof(Socket, mq_msgsize)      },
         { "Result",         bus_socket_append_socket_result,   "s", offsetof(Socket, result)          },
+        { "SmackLabel",     bus_property_append_string,        "s", offsetof(Socket, smack),          true },
+        { "SmackLabelIPIn", bus_property_append_string,        "s", offsetof(Socket, smack_ip_in),    true },
+        { "SmackLabelIPOut",bus_property_append_string,        "s", offsetof(Socket, smack_ip_out),   true },
         { NULL, }
 };
 
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index 8187cd4..0c5cceb 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -208,6 +208,9 @@ Socket.TCPCongestion,            config_parse_string,                0,
 Socket.MessageQueueMaxMessages,  config_parse_long,                  0,                             offsetof(Socket, mq_maxmsg)
 Socket.MessageQueueMessageSize,  config_parse_long,                  0,                             offsetof(Socket, mq_msgsize)
 Socket.Service,                  config_parse_socket_service,        0,                             0
+Socket.SmackLabel,               config_parse_string,                0,                             offsetof(Socket, smack)
+Socket.SmackLabelIPIn,           config_parse_string,                0,                             offsetof(Socket, smack_ip_in)
+Socket.SmackLabelIPOut,          config_parse_string,                0,                             offsetof(Socket, smack_ip_out)
 EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
 KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
 m4_dnl
diff --git a/src/core/socket.c b/src/core/socket.c
index 71cdf2d..c095981 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -28,6 +28,7 @@
 #include <signal.h>
 #include <arpa/inet.h>
 #include <mqueue.h>
+#include <attr/xattr.h>
 
 #include "unit.h"
 #include "socket.h"
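Review bot: The added `#include <attr/xattr.h>` pulls in a header shipped by the libattr development package, which sits oddly with the commit message's statement that no external dependencies are required. glibc declares `fsetxattr()` in `<sys/xattr.h>`, so `#include <sys/xattr.h>` would give the same prototype without a new build-time requirement. If the libattr header is intentional, the build system should check for it so that a missing package fails at configure time rather than mid-compile.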
@@ -131,6 +132,10 @@ static void socket_done(Unit *u) {
         free(s->bind_to_device);
         s->bind_to_device = NULL;
 
+        free(s->smack);
+        free(s->smack_ip_in);
+        free(s->smack_ip_out);
+
         unit_unwatch_timer(u, &s->timer_watch);
 }
 
@@ -508,6 +513,21 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                         "%sMessageQueueMessageSize: %li\n",
                         prefix, s->mq_msgsize);
 
+        if (s->smack)
+                fprintf(f,
+                        "%sSmackLabel: %s\n",
+                        prefix, s->smack);
+
+        if (s->smack_ip_in)
+                fprintf(f,
+                        "%sSmackLabelIPIn: %s\n",
+                        prefix, s->smack_ip_in);
+
+        if (s->smack_ip_out)
+                fprintf(f,
+                        "%sSmackLabelIPOut: %s\n",
+                        prefix, s->smack_ip_out);
+
         LIST_FOREACH(port, p, s->ports) {
 
                 if (p->type == SOCKET_SOCKET) {
@@ -747,6 +767,14 @@ static void socket_apply_socket_options(Socket *s, int fd) {
         if (s->tcp_congestion)
                 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
                         log_warning("TCP_CONGESTION failed: %m");
+
+        if (s->smack_ip_in)
+                if (fsetxattr(fd, "security.SMACK64IPIN", s->smack_ip_in, strlen(s->smack_ip_in), 0) < 0)
+                        log_error("fsetxattr(\"security.SMACK64IPIN\"): %m");
+
+        if (s->smack_ip_out)
+                if (fsetxattr(fd, "security.SMACK64IPOUT", s->smack_ip_out, strlen(s->smack_ip_out), 0) < 0)
+                        log_error("fsetxattr(\"security.SMACK64IPOUT\"): %m");
 }
 
 static void socket_apply_fifo_options(Socket *s, int fd) {
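Review bot: A failed `fsetxattr()` for `security.SMACK64IPIN` or `security.SMACK64IPOUT` is only logged, and because socket_apply_socket_options() returns void the fd presumably goes on to be used without the label the unit asked for. For a mandatory-access-control setting that is a fail-open outcome, so either propagate the error to the caller so the socket is not activated, or state the choice in a comment such as `/* best effort: a socket whose SMACK label cannot be set is still used */`. The same pattern appears in the socket_apply_fifo_options() hunk for `security.SMACK64`. Both functions begin outside their hunks, so what the caller does afterwards is not visible here.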
@@ -756,6 +784,10 @@ static void socket_apply_fifo_options(Socket *s, int fd) {
         if (s->pipe_size > 0)
                 if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
                         log_warning("F_SETPIPE_SZ: %m");
+
+        if (s->smack)
+                if (fsetxattr(fd, "security.SMACK64", s->smack, strlen(s->smack), 0) < 0)
+                        log_error("fsetxattr(\"security.SMACK64\"): %m");
 }
 
 static int fifo_address_create(
diff --git a/src/core/socket.h b/src/core/socket.h
index a06b3ea..f099520 100644
--- a/src/core/socket.h
+++ b/src/core/socket.h
@@ -144,6 +144,10 @@ struct Socket {
 
         /* Only for INET6 sockets: issue IPV6_V6ONLY sockopt */
         SocketAddressBindIPv6Only bind_ipv6_only;
+
+        char *smack;
+        char *smack_ip_in;
+        char *smack_ip_out;
 };
 
 /* Called from the service code when collecting fds */
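Review bot: The three new members carry no comment, unlike the `bind_ipv6_only` field just above them, and nothing here says which extended attribute each one maps to or who owns the strings. A comment like `/* SMACK labels (security.SMACK64 for FIFOs, security.SMACK64IPIN/IPOUT for sockets); heap-allocated, NULL when unset */` would cover it. The struct definition begins outside this hunk.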

commit 978cf3c75fbd94fd0e046206ada6169b35edd919
Author: Lennart Poettering <lennart at poettering.net>
Date:   Sun Oct 28 17:37:16 2012 +0100

    logind: it's OK if a process on an pty requests a session for seat0
    
    After all, a sudo/su inside an X terminal should get added to the
    same session as the X session itself.

diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index 4326e5b..8b6021d 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -415,8 +415,7 @@ static int bus_manager_create_session(Manager *m, DBusMessage *message, DBusMess
                 if (vtnr != 0)
                         return -EINVAL;
 
-        } else if (!isempty(tty) && s && seat_is_vtconsole(s))
-                return -EINVAL;
+        }
 
         if (s) {
                 if (seat_can_multi_session(s)) {

commit 7ba643863116cd0b5abf048e53321f93e5743f69
Author: Lennart Poettering <lennart at poettering.net>
Date:   Sun Oct 28 17:25:23 2012 +0100

    logind: unify all session lock loop

diff --git a/src/login/logind-button.c b/src/login/logind-button.c
index 7788526..8bbd731 100644
--- a/src/login/logind-button.c
+++ b/src/login/logind-button.c
@@ -150,18 +150,6 @@ fail:
         return r;
 }
 
-static int lock_sessions(Manager *m) {
-        Iterator i;
-        Session *session;
-
-        log_info("Locking sessions...");
-
-        HASHMAP_FOREACH(session, m->sessions, i)
-                session_send_lock(session, true);
-
-        return 1;
-}
-
 static int button_handle(
                 Button *b,
                 InhibitWhat inhibit_key,
@@ -208,8 +196,11 @@ static int button_handle(
         }
 
         /* Locking is handled differently from the rest. */
-        if (handle == HANDLE_LOCK)
-                return lock_sessions(b->manager);
+        if (handle == HANDLE_LOCK) {
+                log_info("Locking sessions...");
+                session_send_lock_all(b->manager, true);
+                return 1;
+        }
 
         inhibit_operation = handle == HANDLE_SUSPEND || handle == HANDLE_HIBERNATE || handle == HANDLE_HYBRID_SLEEP ? INHIBIT_SLEEP : INHIBIT_SHUTDOWN;
 
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index 3bcb91b..4326e5b 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -1812,7 +1812,7 @@ static DBusHandlerResult manager_message_handler(
 
                 session = hashmap_get(m->sessions, name);
                 if (!session)
-                        return bus_send_error_reply(connection, message, &error, -ENOENT);
+                        return bus_send_error_reply(connection, message, NULL, -ENOENT);
 
                 if (session_send_lock(session, streq(dbus_message_get_member(message), "LockSession")) < 0)
                         goto oom;
@@ -1822,12 +1822,9 @@ static DBusHandlerResult manager_message_handler(
                         goto oom;
 
         } else if (dbus_message_is_method_call(message, "org.freedesktop.login1.Manager", "LockSessions")) {
-                Session *session;
-                Iterator i;
-
-                HASHMAP_FOREACH(session, m->sessions, i)
-                        if (session_send_lock(session, true) < 0)
-                                goto oom;
+                r = session_send_lock_all(m, true);
+                if (r < 0)
+                        bus_send_error_reply(connection, message, NULL, r);
 
                 reply = dbus_message_new_method_return(message);
                 if (!reply)
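Review bot: When `session_send_lock_all()` fails, the new code calls `bus_send_error_reply()` but does not return, so execution continues to `dbus_message_new_method_return()` and the caller would presumably be sent a second, success reply for the same method call. The LockSession branch in the previous hunk returns the result of `bus_send_error_reply()` directly, and the same is needed here: `if (r < 0) return bus_send_error_reply(connection, message, NULL, r);`. The rest of manager_message_handler() lies outside the hunk, so how `reply` is sent afterwards is not visible.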
diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
index 26c853e..ef73cd4 100644
--- a/src/login/logind-session-dbus.c
+++ b/src/login/logind-session-dbus.c
@@ -570,3 +570,21 @@ int session_send_lock(Session *s, bool lock) {
 
         return 0;
 }
+
+int session_send_lock_all(Manager *m, bool lock) {
+        Session *session;
+        Iterator i;
+        int r = 0;
+
+        assert(m);
+
+        HASHMAP_FOREACH(session, m->sessions, i) {
+                int k;
+
+                k = session_send_lock(session, lock);
+                if (k < 0)
+                        r = k;
+        }
+
+        return r;
+}
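Review bot: session_send_lock_all() has no comment describing its return contract: it keeps iterating after a failure and returns only the last negative value from `session_send_lock()`, or 0. A one-line header such as `/* Calls session_send_lock() on every session; does not stop on failure, returns the last error or 0 */` would make that explicit. It matters for callers, because the HANDLE_LOCK path in logind-button.c discards the result, so a session that could not be sent the lock request goes unreported there. A `log_warning()` on a negative return in that caller would surface it.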
diff --git a/src/login/logind-session.h b/src/login/logind-session.h
index bfa4abd..7598afa 100644
--- a/src/login/logind-session.h
+++ b/src/login/logind-session.h
@@ -132,6 +132,7 @@ extern const DBusObjectPathVTable bus_session_vtable;
 int session_send_signal(Session *s, bool new_session);
 int session_send_changed(Session *s, const char *properties);
 int session_send_lock(Session *s, bool lock);
+int session_send_lock_all(Manager *m, bool lock);
 
 const char* session_state_to_string(SessionState t);
 SessionState session_state_from_string(const char *s);

commit faf22b6559a747ca6b2185b816d60cce376b11c8
Author: Lennart Poettering <lennart at poettering.net>
Date:   Sun Oct 28 13:55:47 2012 +0100

    update TODO

diff --git a/TODO b/TODO
index d2e3ef3..ad4670c 100644
--- a/TODO
+++ b/TODO
@@ -24,6 +24,8 @@ Features:
   - find out what to do for blockdevs and skipping scsi modaliases
   - move writing code to src/libudev/libudev-hwdb-private.c
 
+* sudo/pam_systemd borked and yields EINVAL, kill-session= is broken
+
 * sd_journal_enumerate_data() implies XZ-decoding compressed field, this sucks hard
 
 * if booted in "quiet" mode, and an error happens, turn on status output again, so that the emergency mode isn't totally surprising

commit f271dd97622b656c1c013d181ea615c671cc2438
Author: Lee, Chun-Yi <joeyli.kernel at gmail.com>
Date:   Sat Oct 27 11:23:22 2012 +0800

    systemd: mount the EFI variable filesystem
    
    Add efivarfs to the mount_table in mount-setup.c, so the EFI variable
    filesystem will be mounted when systemd is executed.
    
    The EFI variable filesystem will be merged into the v3.7 or v3.8 Linux kernel.
    
    Cc: Kay Sievers <kay at vrfy.org>
    Cc: Lennart Poettering <lennart at poettering.net>
    Cc: Mantas MikulÄ—nas <grawity at gmail.com>
    Cc: Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl>
    Cc: Matt Fleming <matt.fleming at intel.com>
    Cc: Jeremy Kerr <jeremy.kerr at canonical.com>
    Cc: Matthew Garrett <mjg at redhat.com>
    Signed-off-by: Lee, Chun-Yi <jlee at suse.com>

diff --git a/src/core/kmod-setup.c b/src/core/kmod-setup.c
index cc2a2d9..ce8a8e7 100644
--- a/src/core/kmod-setup.c
+++ b/src/core/kmod-setup.c
@@ -31,9 +31,10 @@
 #include "kmod-setup.h"
 
 static const char * const kmod_table[] = {
-        "autofs4", "/sys/class/misc/autofs",
-        "ipv6",    "/sys/module/ipv6",
-        "unix",    "/proc/net/unix"
+        "autofs4",  "/sys/class/misc/autofs",
+        "ipv6",     "/sys/module/ipv6",
+        "efivarfs", "/sys/firmware/efi/efivars",
+        "unix",     "/proc/net/unix"
 };
 
 #pragma GCC diagnostic push
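Review bot: The new `"efivarfs", "/sys/firmware/efi/efivars"` pair looks like it will be handled as the other entries are, with the module loaded whenever the path is missing; the loop that walks kmod_table is outside this hunk, so this is inferred from the table's shape. If so, machines booted without EFI would attempt to load efivarfs on every boot. Consider skipping the entry when `/sys/firmware/efi` does not exist, or at least add a comment such as `/* only meaningful on EFI boots */`.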
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index 0fd112f..9894c7f 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -66,6 +66,7 @@ static const MountPoint mount_table[] = {
         { "sysfs",    "/sys",                   "sysfs",    NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV,                true,  true  },
         { "devtmpfs", "/dev",                   "devtmpfs", "mode=755",          MS_NOSUID|MS_STRICTATIME,                    true,  true  },
         { "securityfs", "/sys/kernel/security", "securityfs", NULL,              MS_NOSUID|MS_NOEXEC|MS_NODEV,                false, false },
+        { "efivarfs", "/sys/firmware/efi/efivars", "efivarfs", NULL,             MS_NOSUID|MS_NOEXEC|MS_NODEV,                false, false },
         { "tmpfs",    "/dev/shm",               "tmpfs",    "mode=1777",         MS_NOSUID|MS_NODEV|MS_STRICTATIME,           true,  true  },
         { "devpts",   "/dev/pts",               "devpts",   "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,          false, true  },
         { "tmpfs",    "/run",                   "tmpfs",    "mode=755",          MS_NOSUID|MS_NODEV|MS_STRICTATIME,           true,  true  },
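Review bot: The efivarfs entry is mounted without `MS_RDONLY`, so firmware variables become writable through `/sys/firmware/efi/efivars` by any sufficiently privileged process. If read-write is intended, a short comment next to the entry stating that the mount is writable by design would help the next reader; otherwise add `MS_RDONLY` to the flags. The meaning of the two trailing `false, false` fields is defined outside this hunk.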


