<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 10/29/2013 07:48 AM, Kok, Auke-jan H
wrote:<br>
</div>
<blockquote
cite="mid:CABsxX9KAZ8Xq46U6h9sXL8rUeXX8G72CEzJP9VzVZoHECLJU3w@mail.gmail.com"
type="cite">
<pre wrap="">On Mon, Oct 28, 2013 at 1:09 PM, Lennart Poettering
<a class="moz-txt-link-rfc2396E" href="mailto:lennart@poettering.net"><lennart@poettering.net></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Mon, 28.10.13 12:59, Kok, Auke-jan H (<a class="moz-txt-link-abbreviated" href="mailto:auke-jan.h.kok@intel.com">auke-jan.h.kok@intel.com</a>) wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
On Mon, Oct 28, 2013 at 8:58 AM, Lennart Poettering
<a class="moz-txt-link-rfc2396E" href="mailto:lennart@poettering.net"><lennart@poettering.net></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Mon, 28.10.13 19:44, WaLyong Cho (<a class="moz-txt-link-abbreviated" href="mailto:walyong.cho@samsung.com">walyong.cho@samsung.com</a>) wrote:
</pre>
<blockquote type="cite">
<pre wrap="">At the same reason of /run and /dev/shm, when systemd is running with
SMACK, countless tasks are failed by missed privilege.
To avoid, /tmp is assigned '*' label.
</pre>
</blockquote>
<pre wrap="">
Won't this break if people compile systemd with SMACK enabled but
run a kernel that has it disabled?
We had a similar problem for the other mounts like /run, where we found
a somewhat nice solution, but I am not sure how we can make the same
work here...
</pre>
</blockquote>
<pre wrap="">
Our posts intersected, badly. Yes, as I said in my mail, this sadly
does a bad job for those folks running with smack enabled in systemd
but with it disabled in the kernel.
For Tizen, we're thinking of just keeping this patch out of tree (and
it will just be a one-liner).
We could do a ConditionSecurity=Smack, or something like that (ottomh)
but we'd get duplicate tmp mounts, which is bad due to the way we name
mount units. ick.
</pre>
</blockquote>
<pre wrap="">
Hmm, here's an idea: there has been a long standig feature request to
add a configurable boolean to mount unit files that controls
/bin/mount's "-s" switch. Let's say we call it
"SloppyOptions=yes/no", or so. Then, we could set this for this unit
file and apply the rest of the patch and things should work, and where
they don't we can easily reassign to the kernel to respect the "-s" flag
properly.
Doing a patch that allows "-s" to be controlled should be fairly easy,
would be happy to merge a patch for that!
</pre>
</blockquote>
<pre wrap="">
ahhh I hadn't even seen -s in /bin/mount yet, so I can see this
helping out a lot.
I'd be okay with a solution like that, it would certainly simplify
things a lot, but we need to be careful not to overload mount options
with all sorts of nonstandard options - it will make problems harder
to debug and for some of these security enabled systems we will most
likely want to actually _not_ use -s. After all, we want to make sure
we're actually booting with properly setup Smack options e.g. a typo
in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
Auke
</pre>
</blockquote>
I am not sure we can use the -s option. First I tried that in my
fedora machine.<br>
<br>
<blockquote># mount -t tmpfs -s -o
mode=1777,strictatime,smackfsroot=* tmpfs /test<br>
mount: wrong fs type, bad option, bad superblock on tmpfs,<br>
missing codepage or helper program, or other error<br>
<br>
In some cases useful info is found in syslog - try<br>
dmesg | tail or so.<br>
<br>
# dmesg<br>
[ 752.222803] tmpfs: Bad mount option smackfsroot<br>
</blockquote>
<br>
In spite of the -s option, we can still see "Bad mount option
smackfsroot". Was I something wrong?<br>
<br>
How about add specific options for smack? According to<br>
<a class="moz-txt-link-freetext" href="http://schaufler-ca.com/description_from_the_linux_source_tree">http://schaufler-ca.com/description_from_the_linux_source_tree</a><br>
<br>
Smack supports some mount options:<br>
<br>
smackfsdef=label: specifies the label to give files that lack<br>
the Smack label extended attribute.<br>
<br>
smackfsroot=label: specifies the label to assign the root of the<br>
file system if it lacks the Smack extended attribute.<br>
<br>
smackfshat=label: specifies a label that must have read access
to<br>
all labels set on the filesystem. Not yet enforced.<br>
<br>
smackfsfloor=label: specifies a label to which all labels set on
the<br>
filesystem must have read access. Not yet enforced.<br>
<br>
If we support 'SmackFsRoot=label' option and append the
'smackfsroot' option after checking the smack by
test_security("smack"), then I think we can solve most
problems.(with Auke's worry)<br>
<br>
WaLyong<br>
</body>
</html>