[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
Kok, Auke-jan H
auke-jan.h.kok at intel.com
Thu Oct 31 21:20:18 CET 2013
On Thu, Oct 31, 2013 at 12:00 PM, Karel Zak <kzak at redhat.com> wrote:
> On Tue, Oct 29, 2013 at 01:27:07PM +0100, Lennart Poettering wrote:
>> On Tue, 29.10.13 16:02, WaLyong Cho (walyong.cho at samsung.com) wrote:
>>
>> > >> Hmm, here's an idea: there has been a long standig feature request to
>> > >> add a configurable boolean to mount unit files that controls
>> > >> /bin/mount's "-s" switch. Let's say we call it
>> > >> "SloppyOptions=yes/no", or so. Then, we could set this for this unit
>> > >> file and apply the rest of the patch and things should work, and where
>> > >> they don't we can easily reassign to the kernel to respect the "-s" flag
>> > >> properly.
>> > >>
>> > >> Doing a patch that allows "-s" to be controlled should be fairly easy,
>> > >> would be happy to merge a patch for that!
>> > > ahhh I hadn't even seen -s in /bin/mount yet, so I can see this
>> > > helping out a lot.
>> > >
>> > > I'd be okay with a solution like that, it would certainly simplify
>> > > things a lot, but we need to be careful not to overload mount options
>> > > with all sorts of nonstandard options - it will make problems harder
>> > > to debug and for some of these security enabled systems we will most
>> > > likely want to actually _not_ use -s. After all, we want to make sure
>> > > we're actually booting with properly setup Smack options e.g. a typo
>> > > in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
>> > >
>> > > Auke
>> > >
>> > I am not sure we can use the -s option. First I tried that in my fedora
>> > machine.
>> >
>> > # mount -t tmpfs -s -o mode=1777,strictatime,smackfsroot=* tmpfs /test
>
>
> BTW, for SELinux we remove selinux specific mount options in
> userspace (in mount(8)) if the kernel does not support selinux.
>
> It help us to make command line or fstab setting independent on the
> current kernel features.
>
> Maybe we can use the same for SMACK, is there any way how to
> determine that the system uses SMACK? (/proc/<something> or so...).
> -- for selinux we check for /sys/fs/selinux or /selinux.
Ohh yes that would be so nice.
You've got your choice for detecting smack, but I like
stat(/sys/fs/smackfs) == 0 the best so far. You can parse
/proc/filesystems for smackfs too, but that's obviously more complex.
This method works with 3.9 and above, as that's when we made sysfs
hold the mount point for smackfs.
I assume we're talking about this code here:
https://github.com/karelzak/util-linux/blob/master/libmount/src/context_mount.c#L181
?
Auke
More information about the systemd-devel
mailing list