[systemd-devel] [PATCH-v3 1/2] systemd: mount the securityfs filesystem at early stage
Roberto Sassu
roberto.sassu at polito.it
Wed Mar 14 10:13:35 PDT 2012
On 03/14/2012 05:54 PM, Lennart Poettering wrote:
> On Tue, 13.03.12 19:38, Roberto Sassu (roberto.sassu at polito.it) wrote:
>
>>>> static const MountPoint mount_table[] = {
>>>> { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>>>> { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>>>> { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
>>>> + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
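Review bot: the last field of the added securityfs entry is `true`, like the proc, sysfs and devtmpfs entries above it, so a kernel built without securityfs would hit a fatal mount failure here (the concern raised in the reply below). Make it `false` so the mount is optional, and have the IMA setup path treat a missing /sys/kernel/security/ima the same as IMA being disabled. A short comment on the entry saying why it is non-fatal would also help.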
>>>
>>> Failure to mount securityfs might be fatal for _your_ purposes, but I'd
>>> wager that not only are some people not interested in this, but some
>>> people (myself included) might not even have securityfs in their kernel.
>>>
>>
>> Hi Dave
>>
>> I think I can change this to false without breaking
>> the other code, because at the beginning of the new
>> file 'src/ima-setup.c' I check for the IMA support in
>> the kernel by checking the existence of the
>> '/sys/kernel/security/ima' directory. If the mount
>> fails, this will be handled the same as when the
>> IMA support is disabled in the kernel.
>> This could be acceptable because IMA requires the
>> security filesystem as dependency.
>>
>> I'll wait for other comments before reposting the patches.
>
> Yes, please change this. It is important to us that systemd works well
> on kernels without any special security features enabled.
>
Hi Lennart

OK, will do.
> Also, may I ask you to turn this feature on in configure, by default? I
> presume that machines with this feature built into systemd but with no
> policy file around will boot just fine, right? Hence enabling this by
> default shouldn't hurt.
>
Sure. Yes, the code returns immediately if the policy file is missing.
> (The reason that I want this enabled by default is that I -- or other
> devs -- build the code locally as comprehensively as possible so
> that things don't start to bitrot that easily)
>
This is good, as users will not need to rebuild the RPM with the IMA
feature enabled but they can try this functionality if they want.
Regards
Roberto Sassu
> Lennart
>
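
The fallback described in this message (a failed securityfs mount handled like a kernel without IMA, and an immediate return when the policy file is missing), as an added example. It is not the code from src/ima-setup.c; `ima_decide`, `probe`, the enum and the policy path are hypothetical names.

```c
/* Added example: not the code from src/ima-setup.c. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>

enum ima_action {
    IMA_SKIP_NO_SUPPORT, /* securityfs mount failed or kernel has no IMA */
    IMA_SKIP_NO_POLICY,  /* IMA present, but no policy file to load */
    IMA_LOAD_POLICY,     /* both present: caller may load the policy */
    IMA_ERROR            /* unexpected stat() failure, errno is set */
};

/* 1 = exists with the wanted type, 0 = absent or wrong type, -1 = error. */
static int probe(const char *path, int want_dir) {
    struct stat st;

    if (stat(path, &st) < 0)
        return (errno == ENOENT || errno == ENOTDIR) ? 0 : -1;
    return want_dir ? S_ISDIR(st.st_mode) != 0 : S_ISREG(st.st_mode) != 0;
}

/* Decide what early boot should do; missing IMA is never a boot failure. */
enum ima_action ima_decide(const char *ima_dir, const char *policy_file) {
    int r = probe(ima_dir, 1);

    if (r < 0)
        return IMA_ERROR;
    if (r == 0)
        return IMA_SKIP_NO_SUPPORT; /* same result for failed mount or no IMA */
    r = probe(policy_file, 0);
    if (r < 0)
        return IMA_ERROR;
    return r ? IMA_LOAD_POLICY : IMA_SKIP_NO_POLICY;
}

int main(void) {
    static const char *const names[] = {
        "skip: no IMA support", "skip: no policy file", "load policy", "error"
    };
    /* The directory is the one named in the thread; the policy path is a
     * placeholder, since the thread does not give it. */
    enum ima_action a = ima_decide("/sys/kernel/security/ima",
                                   "/path/to/ima-policy");

    printf("%s\n", names[a]);
    return a == IMA_ERROR ? 1 : 0;
}
```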