[systemd-devel] [PATCH-v3 1/2] systemd: mount the securityfs filesystem at early stage

Roberto Sassu roberto.sassu at polito.it
Wed Mar 14 10:13:35 PDT 2012


On 03/14/2012 05:54 PM, Lennart Poettering wrote:
> On Tue, 13.03.12 19:38, Roberto Sassu (roberto.sassu at polito.it) wrote:
>
>>>>   static const MountPoint mount_table[] = {
>>>>           { "proc",     "/proc",                  "proc",     NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>>>>           { "sysfs",    "/sys",                   "sysfs",    NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>>>>           { "devtmpfs", "/dev",                   "devtmpfs", "mode=755",          MS_NOSUID,                    true },
>>>> +        { "securityfs", "/sys/kernel/security", "securityfs", NULL,              MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
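
Review bot: the last field of the added securityfs row is `true`, the same value the proc, sysfs and devtmpfs rows carry, so a failed mount of /sys/kernel/security is treated like a failed mount of /proc; on a kernel built without securityfs that turns an optional feature into a boot-time failure. Set the last field to `false` for this row and let the consumer of /sys/kernel/security handle the missing mount. The row's columns are also not aligned with the three rows above it.
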
>>>
>>> Failure to mount securityfs might be fatal for _your_ purposes, but I'd
>>> wager that not only are some people not interested in this, but some
>>> people (myself included) might not even have securityfs in their kernel.
>>>
>>
>> Hi Dave
>>
>> I think I can change this to false without breaking
>> the other code, because at the beginning of the new
>> file 'src/ima-setup.c' I check for the IMA support in
>> the kernel by checking the existence of the
>> '/sys/kernel/security/ima' directory. If the mount
>> fails, this will be handled the same as when the
>> IMA support is disabled in the kernel.
>> This could be acceptable because IMA requires the
>> security filesystem as a dependency.
>>
>> I'll wait for other comments before reposting the patches.
>
> Yes, please change this. It is important to us that systemd works well
> on kernels without any special security features enabled.
>

Hi Lennart

OK, will do.


> Also, may I ask you to turn this feature on in configure, by default? I
> presume that machines with this feature built into systemd but with no
> policy file around will boot just fine, right? Hence enabling this by
> default shouldn't hurt.
>

Sure. Yes, the code returns immediately if the policy file is missing.


> (The reason that I want this enabled by default is that I -- or other
> devs -- build the code locally as comprehensively as possible so
> that things don't start to bitrot that easily)
>

This is good, as users will not need to rebuild the RPM with the IMA
feature enabled but they can try this functionality if they want.

Regards

Roberto Sassu


> Lennart
>


