[systemd-devel] [PATCH] smack: introduce new SmackLabelExec option

Lennart Poettering lennart at poettering.net
Fri Nov 7 08:36:42 PST 2014 

On Fri, 07.11.14 15:43, WaLyong Cho (walyong.cho at samsung.com) wrote:

> On 11/07/2014 09:35 AM, Lennart Poettering wrote:
> > On Fri, 07.11.14 04:17, WaLyong Cho (walyong.cho at gmail.com) wrote:
> > 
> >> SMACK64
> >> 	Used to make access control decisions. In almost all cases
> >> 	the label given to a new filesystem object will be the label
> >> 	of the process that created it.
> >> SMACK64EXEC
> >> 	The Smack label of a process that execs a program file with
> >> 	this attribute set will run with this attribute's value.
> > 
> > I am sorry, but I cannot parse this.
> > 
> > "The smack label .... will run with this attribute's value"? smack
> > labels "run"? That sentence makes no sense to me at all...
> > 
> > Again, what kind of objects are SMACK64 and SMACK64EXEC applied to?
> > files? processes?
>
> Sorry, I'm also confused.
> OK, I asked some about this to my security friend.
> And I add Casey Schaufler who the Author of smack.
> I hope my below explain it not wrong. But if not, please point out.
> 
> 
> Quoting the Wikipedia:
> >In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices etc.
> 
> 
> In case of SMACK, subject is SMACK64EXEC and object is SMACK64.
> Assume like this: /usr/bin/dbus-daemon has both label. SMACK64 is "foo"
> and SMACK64EXEC is "bar". And current process (what will execute the
> /usr/bin/dbus-daemon) has "foo" label. Let's assume the current
> process

So, here you are talking about *files* that have the SMACK64EXEC and
SMACK64 type labels, while the *process* only as one generic label
type.

With your patch you want to introduce SmackLabelExec= now. It's a
label applied to a *process* however, not to a *file*, right?

This appears incompatible to me: I mean, if a process only has one
single generic label, and doesn't distuingish between SMACK64 and
SMACK64EXEC type labels, why would you call the option SmackLabelExec=
and not the more generic SmackLabel=?

This really doesn't make sense to me.

I have no understanding of SMACK, and I am not sure I want to
understand it, and I figure I'd merge the patch regardless which name
you pick for the option, but this is a bit too blatantly contradictory
for me to completely ignore.

Let my simplify my questions:

a) Why would you call a setting that controls a label is written into
   /proc/$PID/attr/current SmackLabelExec= instead of just
   SmackLabel=?

b) If SmackLabelExec= is appropriate (which it might well be, after
   all I really don't grok this), and SmackLabel= is a misnomer that
   would suggest that something different would happen than actually
   assumed, then what would an option by the name SmackLabel= for a
   service unit do differntly from one called SmackLabelExec?

For both SELinux and AppArmor we now have simple options:
SELinuxContext= and AppArmorProfile=. They only come in one flavour,
and apply a label/profile to the process being executed and that's
it. Why would SMACK be more complicated there so that SmackLabel= and
SmackLabelExec= would even be a distinction?

Lennart

-- 
Lennart Poettering, Red Hat

More information about the systemd-devel mailing list