[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
Kok, Auke-jan H
auke-jan.h.kok at intel.com
Mon Oct 28 23:48:45 CET 2013
On Mon, Oct 28, 2013 at 1:09 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Mon, 28.10.13 12:59, Kok, Auke-jan H (auke-jan.h.kok at intel.com) wrote:
>
>>
>> On Mon, Oct 28, 2013 at 8:58 AM, Lennart Poettering
>> <lennart at poettering.net> wrote:
>> > On Mon, 28.10.13 19:44, WaLyong Cho (walyong.cho at samsung.com) wrote:
>> >
>> >> At the same reason of /run and /dev/shm, when systemd is running with
>> >> SMACK, countless tasks are failed by missed privilege.
>> >> To avoid, /tmp is assigned '*' label.
>> >
>> > Won't this break if people compile systemd with SMACK enabled but
>> > run a kernel that has it disabled?
>> >
>> > We had a similar problem for the other mounts like /run, where we found
>> > a somewhat nice solution, but I am not sure how we can make the same
>> > work here...
>>
>> Our posts intersected, badly. Yes, as I said in my mail, this sadly
>> does a bad job for those folks running with smack enabled in systemd
>> but with it disabled in the kernel.
>>
>> For Tizen, we're thinking of just keeping this patch out of tree (and
>> it will just be a one-liner).
>>
>> We could do a ConditionSecurity=Smack, or something like that (ottomh)
>> but we'd get duplicate tmp mounts, which is bad due to the way we name
>> mount units. ick.
>
> Hmm, here's an idea: there has been a long standig feature request to
> add a configurable boolean to mount unit files that controls
> /bin/mount's "-s" switch. Let's say we call it
> "SloppyOptions=yes/no", or so. Then, we could set this for this unit
> file and apply the rest of the patch and things should work, and where
> they don't we can easily reassign to the kernel to respect the "-s" flag
> properly.
>
> Doing a patch that allows "-s" to be controlled should be fairly easy,
> would be happy to merge a patch for that!
ahhh I hadn't even seen -s in /bin/mount yet, so I can see this
helping out a lot.
I'd be okay with a solution like that, it would certainly simplify
things a lot, but we need to be careful not to overload mount options
with all sorts of nonstandard options - it will make problems harder
to debug and for some of these security enabled systems we will most
likely want to actually _not_ use -s. After all, we want to make sure
we're actually booting with properly setup Smack options e.g. a typo
in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
Auke
More information about the systemd-devel
mailing list