[systemd-commits] Makefile.am src/core src/shared

Auke-Jan Kok auke at kemper.freedesktop.org
Wed Oct 9 15:08:23 PDT 2013


 Makefile.am             |    4 +++-
 src/core/mount-setup.c  |    9 +++++----
 src/shared/smack-util.c |   36 ++++++++++++++++++++++++++++++++++++
 src/shared/smack-util.h |   28 ++++++++++++++++++++++++++++
 4 files changed, 72 insertions(+), 5 deletions(-)

New commits:
commit 8552b17660033812080a11533bd0edce74401039
Author: Auke Kok <auke-jan.h.kok at intel.com>
Date:   Wed Oct 9 10:52:15 2013 -0700

    Smack: Test if smack is enabled before mounting
    
    Since on most systems with xattr systemd will compile with Smack
    support enabled, we still attempt to mount various fs's with
    Smack-only options.
    
    Before mounting any of these Smack-related filesystems with
    Smack specific mount options, check if Smack is functionally
    active on the running kernel.
    
    If Smack is really enabled in the kernel, all these Smack mounts
    are now *fatal*, as they should be.
    
    We no longer mount smackfs if systemd was compiled without
    Smack support. This makes it easier to make smackfs mount
    failures a critical error when Smack is enabled.
    
    We no longer mount these filesystems with their Smack-specific
    options inside containers. There these filesystems will be
    mounted with their non-Smack mount options for now.

diff --git a/Makefile.am b/Makefile.am
index 31dde6f..1458697 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -723,7 +723,9 @@ libsystemd_shared_la_SOURCES = \
 	src/shared/boot-timestamps.c \
 	src/shared/refcnt.h \
 	src/shared/mkdir.c \
-	src/shared/mkdir.h
+	src/shared/mkdir.h \
+	src/shared/smack-util.c \
+	src/shared/smack-util.h
 
 #-------------------------------------------------------------------------------
 noinst_LTLIBRARIES += \
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index 7845e88..73c2698 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -42,6 +42,7 @@
 #include "missing.h"
 #include "virt.h"
 #include "efivars.h"
+#include "smack-util.h"
 
 #ifndef TTY_GID
 #define TTY_GID 5
@@ -77,11 +78,11 @@ static const MountPoint mount_table[] = {
           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
         { "securityfs", "/sys/kernel/security",      "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,       MNT_NONE },
-        { "smackfs",    "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
-          NULL,       MNT_NONE },
 #ifdef HAVE_SMACK
+        { "smackfs",    "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
+          use_smack,  MNT_FATAL },
         { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-          NULL,       MNT_IN_CONTAINER },
+          use_smack,  MNT_FATAL },
 #endif
         { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
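Review bot: The Smack and plain entries for `/dev/shm` now rely on table order plus `use_smack` to select exactly one of them, and nothing in the table records that. The Smack entry is `MNT_FATAL` without `MNT_IN_CONTAINER`, so the plain `mode=1777` entry after it is the fallback when `use_smack()` is false or inside a container; a later reorder could silently lose the `smackfsroot=*` labelling, assuming the table is walked top to bottom and an already-mounted path is skipped, which is not visible here. I would add a comment above the `#ifdef HAVE_SMACK` block such as `/* Smack variants must precede the plain entry for the same path; the plain entry is the fallback when use_smack() is false or in a container */`. The same applies to the `/run` pair in the next hunk. `mount_table` starts and ends outside this hunk.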
@@ -89,7 +90,7 @@ static const MountPoint mount_table[] = {
           NULL,       MNT_IN_CONTAINER },
 #ifdef HAVE_SMACK
         { "tmpfs",      "/run",                      "tmpfs",      "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-          NULL,       MNT_IN_CONTAINER },
+          use_smack,  MNT_FATAL },
 #endif
         { "tmpfs",      "/run",                      "tmpfs",      "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
new file mode 100644
index 0000000..a73eaac
--- /dev/null
+++ b/src/shared/smack-util.c
@@ -0,0 +1,36 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+  This file is part of systemd.
+
+  Copyright 2013 Intel Corporation
+
+  Author: Auke Kok <auke-jan.h.kok at intel.com>
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "smack-util.h"
+
+#include <unistd.h>
+
+static int use_smack_cached = -1;
+
+bool use_smack(void) {
+
+        if (use_smack_cached < 0)
+                use_smack_cached = (access("/sys/fs/smackfs", F_OK) >= 0);
+
+        return use_smack_cached;
+}
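Review bot: `use_smack()` maps every `access()` failure to "Smack disabled" and caches that answer in `use_smack_cached` for the rest of the process, so a first call made before sysfs is mounted would lock in the non-Smack mount options. Whether any caller runs that early is not visible in this diff, but since the result now decides whether the `smackfsroot=*` entries are attempted at all, the ordering requirement deserves a comment above the function, e.g. `/* Smack is treated as active when /sys/fs/smackfs exists; call only after sysfs is mounted, the first answer is cached */`. Checking for `errno == ENOENT` before caching a negative result would also keep an unexpected error from being read as "disabled".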
diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h
new file mode 100644
index 0000000..7b950ea
--- /dev/null
+++ b/src/shared/smack-util.h
@@ -0,0 +1,28 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+  This file is part of systemd.
+
+  Copyright 2013 Intel Corporation
+
+  Author: Auke Kok <auke-jan.h.kok at intel.com>
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdbool.h>
+
+bool use_smack(void);


