[PATCH] build: allow configuring filter policy to be used in the init files

Dan Williams dcbw at redhat.com
Wed Apr 11 02:10:02 UTC 2018


On Tue, 2018-04-10 at 15:08 +0200, Aleksander Morgado wrote:
> Distributions wanting to use a different filter policy than the
> DEFAULT one were advised to patch themselves the corresponding init
> files.
> 
> We now allow doing this directly at configure time by using a new
> `--with-filter-policy=[POLICY]' option that accepts one of "default",
> "strict", "paranoid" or "whitelist-only".
> 
> The suggested policy for standard distributions is "strict".
> ---
> 
> Hey,
> 
> Would this new configure switch be enough to avoid needing to patch
> the service file in each distribution?

So this would mostly work, except that if a specific user wants to
change their policy after install, they would now fail RPM verification
because the systemd unit files are not config files.

What Fedora typically does here would be something like:

EnvironmentFile=/etc/sysconfig/ModemManager
Exec=/usr/sbin/ModemManager --filter-policy=$FILTER_POLICY

and then install an /etc/sysconfig/ModemManager with:

FILTER_POLICY=strict

and mark /etc/sysconfig/ModemManager as %config in the RPM.

That allows the user to change the policy from the distro default via
/etc/sysconfig/ModemManager and still maintain package integrity with
"rpm -V".

Obviously this doesn't work for the D-Bus service file, but I guess we
could have a wrapper script that sources the env file and then runs MM
with the right parameters.

Or, for a distro-independent solution, a real config file...

Dan

> ---
>  configure.ac                                  | 24
> ++++++++++++++++++++++++
>  data/Makefile.am                              |  4 ++--
>  data/ModemManager.service.in                  |  2 +-
>  data/org.freedesktop.ModemManager1.service.in |  2 +-
>  4 files changed, 28 insertions(+), 4 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 9bf26ed2..3c8feadb 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -150,6 +150,29 @@ if test "x$enable_vala" = "xyes" -a ! -f
> "$VAPIGEN_MAKEFILE"; then
>    AC_MSG_ERROR([Vala bindings enabled but Makefile.vapigen not
> found. Install vala-devel, or pass --disable-vala])
>  fi
> 
> +dnl-----------------------------------------------------------------
> ------------
> +dnl Filter policy
> +dnl
> +
> +AC_ARG_WITH(filter-policy,
> +            AS_HELP_STRING([--with-filter-policy=(default|whitelist-
> only|strict|paranoid)],
> +            [which filter policy to request in the systemd init
> file]))
> +if test -n "$with_filter_policy" ; then
> +    case "$with_filter_policy" in
> +        "default") ;;
> +        "whitelist-only") ;;
> +        "strict") ;;
> +        "paranoid") ;;
> +        *)
> +            AC_MSG_ERROR([Wrong value for --with-filter-policy:
> $with_filter_policy])
> +            ;;
> +    esac
> +    FILTER_POLICY="$with_filter_policy"
> +else
> +    FILTER_POLICY="default"
> +fi
> +AC_SUBST(FILTER_POLICY)
> +
>  dnl-----------------------------------------------------------------
> ------------
>  dnl System paths
>  dnl
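
Review bot: The AS_HELP_STRING text says the policy is requested "in the systemd init file", but @FILTER_POLICY@ is also substituted into data/org.freedesktop.ModemManager1.service.in, and the help does not say that omitting the option yields "default" rather than the "strict" the commit message recommends. Suggest wording such as "filter policy to request in the systemd and D-Bus service files (default: default)". The AC_MSG_ERROR in the "*)" branch would also be more useful if it listed the four accepted values, since a bare --with-filter-policy ("yes") or --without-filter-policy ("no") ends up there too.
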
> @@ -443,6 +466,7 @@ echo "
>        systemd unit directory:  ${with_systemdsystemunitdir}
> 
>      Features:
> +      filter policy:           ${FILTER_POLICY}
>        udev:                    ${with_udev}
>        policykit:               ${with_polkit}
>        mbim:                    ${with_mbim}
> diff --git a/data/Makefile.am b/data/Makefile.am
> index ee05bdf6..aa12ee9b 100644
> --- a/data/Makefile.am
> +++ b/data/Makefile.am
> @@ -5,8 +5,8 @@ edit = @sed \
>         -e 's|@sbindir[@]|$(sbindir)|g' \
>         -e 's|@sysconfdir[@]|$(sysconfdir)|g' \
>         -e 's|@localstatedir[@]|$(localstatedir)|g' \
> -       -e 's|@libexecdir[@]|$(libexecdir)|g'
> -
> +       -e 's|@libexecdir[@]|$(libexecdir)|g' \
> +       -e 's|@FILTER_POLICY[@]|$(FILTER_POLICY)|g'
> 
>  # DBus Service file
>  dbusservicedir = $(DBUS_SYS_DIR)
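
Review bot: $(FILTER_POLICY) in the new sed expression is an ordinary make variable, so a value given on the make command line reaches both service files without passing the case check in configure.ac. The four accepted values contain no "|" or "&", so the substitution is safe as long as that check is the only source; a one-line comment above the edit rule stating that the value is validated at configure time would keep that assumption visible to whoever touches this next.
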
> diff --git a/data/ModemManager.service.in
> b/data/ModemManager.service.in
> index 47867769..eb8545c1 100644
> --- a/data/ModemManager.service.in
> +++ b/data/ModemManager.service.in
> @@ -4,7 +4,7 @@ Description=Modem Manager
>  [Service]
>  Type=dbus
>  BusName=org.freedesktop.ModemManager1
> -ExecStart=@sbindir@/ModemManager
> +ExecStart=@sbindir@/ModemManager --filter-policy=@FILTER_POLICY@
>  StandardError=null
>  Restart=on-abort
>  CapabilityBoundingSet=CAP_SYS_ADMIN
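
Review bot: Writing the policy directly into ExecStart fixes it at build time, so changing it after install means editing the packaged unit, which is the "rpm -V" problem raised in the reply above. Consider having the unit take the value from an EnvironmentFile= and use "--filter-policy=$FILTER_POLICY" in ExecStart, with the configure-time value installed as the content of that file, so the distro default and the local override live in a file that can be marked as configuration.
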
> diff --git a/data/org.freedesktop.ModemManager1.service.in
> b/data/org.freedesktop.ModemManager1.service.in
> index 175f3dd2..91e50e34 100644
> --- a/data/org.freedesktop.ModemManager1.service.in
> +++ b/data/org.freedesktop.ModemManager1.service.in
> @@ -6,6 +6,6 @@
> 
>  [D-BUS Service]
>  Name=org.freedesktop.ModemManager1
> -Exec=@sbindir@/ModemManager
> +Exec=@sbindir@/ModemManager --filter-policy=@FILTER_POLICY@
>  User=root
>  SystemdService=dbus-org.freedesktop.ModemManager1.service
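
Review bot: Exec= now holds a second copy of the policy, separate from the ExecStart line in data/ModemManager.service.in, so a later local change to one file leaves the other starting the daemon (here with User=root) under the old policy. As the reply notes, the env-file approach does not carry over to the D-Bus service file, so consider pointing Exec= at a single wrapper, or having the daemon read the policy from a config file, so that there is one place to change.
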
> --
> 2.16.1
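
The wrapper-script idea from the reply above, as an added example that is not part of the original thread or of ModemManager's code: it parses FILTER_POLICY out of the env file instead of sourcing it, because the D-Bus service file runs the command as root, and it accepts only the four values the patch's configure check allows. The function names, the --run switch, the MM_ENV_FILE / MM_BIN overrides and the "strict" fallback are assumptions.

```shell
#!/bin/sh
# Added example, not ModemManager project code. Hypothetical names: the
# functions below, the --run switch, and the MM_ENV_FILE / MM_BIN overrides.
MM_ENV_FILE="${MM_ENV_FILE:-/etc/sysconfig/ModemManager}"
MM_BIN="${MM_BIN:-/usr/sbin/ModemManager}"

# Print the last FILTER_POLICY= value in file $1 without executing the file.
# Sourcing it with "." would run its contents as shell code, as root.
read_filter_policy() {
    file="$1"; policy=""
    if [ -r "$file" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                FILTER_POLICY=*)
                    policy="${line#FILTER_POLICY=}"
                    # Strip one pair of surrounding double quotes.
                    case "$policy" in
                        \"*\") policy="${policy#\"}"; policy="${policy%\"}" ;;
                    esac ;;
            esac
        done < "$file"
    fi
    printf '%s\n' "$policy"
}

# Accept only the four values the configure check in the patch accepts.
valid_policy() {
    case "$1" in
        default|whitelist-only|strict|paranoid) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the file's policy if valid, otherwise the fallback given in $2.
resolve_policy() {
    value="$(read_filter_policy "$1")"
    if valid_policy "$value"; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$2"
    fi
}

# Start the daemon only when invoked as "<wrapper> --run" (assumed switch).
if [ "${1:-}" = "--run" ]; then
    exec "$MM_BIN" --filter-policy="$(resolve_policy "$MM_ENV_FILE" strict)"
fi
```

A value that fails validation, or a missing file, falls back to the packaged default rather than being passed through to the daemon's command line.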