[systemd-devel] [PATCH] SMACK: Add configuration options. (v3)

Schaufler, Casey casey.schaufler at intel.com
Tue Oct 30 15:35:43 PDT 2012


> -----Original Message-----
> From: Lennart Poettering [mailto:lennart at poettering.net]
> Sent: Tuesday, October 30, 2012 2:56 PM
> To: Kok, Auke-jan H
> Cc: Schaufler, Casey; systemd-devel at lists.freedesktop.org
> Subject: Re: [PATCH] SMACK: Add configuration options. (v3)
> 
> On Mon, 29.10.12 20:17, Kok, Auke-jan H (auke-jan.h.kok at intel.com)
> wrote:
> 
> > > I also merged the three items in the man page into one, so that
> > > people are hopefully less annoyed about "OMG i am not running my
> > > stuff with SMACK OMG why is all this stuff in my systemd OMG
> systemd
> > > is bloated OMG". After all people only complain about stuff that
> > > appears big even if it is rather trivial in code.
> >
> > Did you copy the section of the commit message here that states that
> > this doesn't add any libraries and just uses fsetxattr()? This may
> > help to deter those thoughts... ;^)
> 
> I left the commit message intact.
> 
> > > hack that up for SMACK? is there a nice way to detect whether SMACK
> > > is in the kernel and enabled?
> >
> > yes, you can detect it by reading /proc/filesystems and checking for
> > "smackfs", and if mounted, that it's enabled.
> 
> Hmm, I think it's a good idea to mount all API VFS that are around,
> regardless whether the subsystem they are used for is actually really
> enabled. Isn't there a nicer way how to detect whether a SMACK policy
> is actually loaded?

Unlike some other security systems, Smack does not do Bad Things
when there is no "policy" loaded. The out-of-the-box behavior, with
no configuration, actually is rational in some situations.

> 
> > bootchart first though, grrr ;^)
> 
> Haven*t forgotten that, will look into it soon. Promised!
> 
> Lennart
> 
> --
> Lennart Poettering - Red Hat, Inc.


More information about the systemd-devel mailing list