[systemd-commits] 2 commits - configure.ac src/core
Auke-Jan Kok
auke at kemper.freedesktop.org
Mon Oct 7 10:30:03 PDT 2013
configure.ac | 6 ++++++
src/core/mount-setup.c | 8 ++++++++
src/core/smack-setup.c | 8 ++++++++
3 files changed, 22 insertions(+)
New commits:
commit 8b197c3a8a57c3f7c231b39e5660856fd9580c80
Author: Auke Kok <auke-jan.h.kok at intel.com>
Date: Wed Sep 25 15:49:42 2013 -0700
Run with a custom SMACK domain (label).
Allows the systemd --system process to change its current
SMACK label to a predefined custom label (usually "system")
at boot time.
This is needed to have a few system-generated folders and
sockets automatically be created with the right SMACK
label. Without that, processes either cannot communicate with
systemd or systemd fails to perform some actions.
diff --git a/configure.ac b/configure.ac
index 4f26092..00ee9bb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -524,6 +524,12 @@ else
fi
fi
+AC_ARG_WITH(smack-run-label,
+AS_HELP_STRING([--with-smack-run-label=STRING],
+ [run systemd --system with a specific SMACK label]),
+ [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run with a smack label])],
+ [])
+
if test "x${have_smack}" = xyes ; then
AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available])
fi
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index 1434dea..611bfdb 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -36,6 +36,7 @@
#include "macro.h"
#include "smack-setup.h"
#include "util.h"
+#include "fileio.h"
#include "log.h"
#include "label.h"
@@ -138,6 +139,13 @@ int smack_setup(void) {
return 0;
}
+#ifdef SMACK_RUN_LABEL
+ r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL);
+ if (r)
+ log_warning("Failed to set SMACK label \"%s\" on self: %s",
+ SMACK_RUN_LABEL, strerror(-r));
+#endif
+
r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
switch(r) {
case -ENOENT:
commit d407c9402064d8b9d1b12dca6ca1ddb2688e5454
Author: Auke Kok <auke-jan.h.kok at intel.com>
Date: Thu Sep 26 14:41:09 2013 -0700
Mount /run, /dev/shm usable to tasks when using SMACK.
Once systemd itself is running in a security domain for SMACK,
it will fail to start countless tasks due to missing privileges
for mounted and created directory structures. For /run and shm
specifically, we grant all tasks access.
These 2 mounts are allowed to fail, which will happen if the
system is not running a SMACK enabled kernel or security=none is
passed to the kernel.
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index 4359f59..7845e88 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -79,10 +79,18 @@ static const MountPoint mount_table[] = {
NULL, MNT_NONE },
{ "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
NULL, MNT_NONE },
+#ifdef HAVE_SMACK
+ { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_IN_CONTAINER },
+#endif
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
NULL, MNT_IN_CONTAINER },
+#ifdef HAVE_SMACK
+ { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_IN_CONTAINER },
+#endif
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
More information about the systemd-commits
mailing list