[systemd-devel] [PATCH] SMACK: Add configuration options. (v3)

Kok, Auke-jan H auke-jan.h.kok at intel.com
Tue Oct 30 15:44:48 PDT 2012


On Tue, Oct 30, 2012 at 2:56 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Mon, 29.10.12 20:17, Kok, Auke-jan H (auke-jan.h.kok at intel.com) wrote:
>> yes, you can detect it by reading /proc/filesystems and checking for
>> "smackfs", and
>> if mounted, that it's enabled.
>
> Hmm, I think it's a good idea to mount all API VFS that are around,
> regardless whether the subsystem they are used for is actually really
> enabled. Isn't there a nicer way how to detect whether a SMACK policy is
> actually loaded?

I started looking at it this morning during a meeting and this looks
easy enough to enable early on, and well worth doing. It's taking the
code from smackctl (which is LGPLv2... so, should be totally fine) and
dropping it in just like setup-ima|selinux.

There is no "master ON" switch in SMACK (it is always on if compiled
enabled). But you can check if "/smack/load" contains data. If there
are 0 bytes in it, no rules were loaded. fopen()+feof() should
suffice, I think.

>> bootchart first though, grrr ;^)
>
> Haven't forgotten that, will look into it soon. Promised!

Not something you need to do - I need to implement the proverbial
"bootchart=<boolean>" in /etc/systemd/system.conf and finish up the
initial patch, which is something I think we should really add before
we merge the code. Plus finish man pages, fix the doc references etc.
In general, make it look better. Probably convert it to systemd coding
style, as it's using tabs right now.

I just need to find some time. If only I had a vacation coming soon.... ;^)

Auke
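The two checks discussed in this thread, as an added example in C (not code from the patch or from systemd): whether the kernel lists smackfs in /proc/filesystems, and whether the rule-load file is empty. The /smack/load path is taken from the mail and assumed here; the helper that writes sample rules is constructed purely so the check can be exercised without a real smackfs. Note that feof() only reports end-of-file after a read has been attempted, so the check reads one byte instead of relying on fopen() alone.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Rule-load file on a mounted smackfs; the /smack mount point is an
 * assumption carried over from the thread, not verified here. */
#define SMACK_LOAD_PATH "/smack/load"

/* True if a /proc/filesystems-style listing names the "smackfs" type.
 * Each line is "name" or "nodev\tname"; the type is the last field. */
bool smackfs_supported(const char *proc_filesystems_text) {
        const char *line = proc_filesystems_text;
        while (*line) {
                const char *eol = strchr(line, '\n');
                size_t len = eol ? (size_t)(eol - line) : strlen(line);
                const char *tab = memchr(line, '\t', len);
                const char *name = tab ? tab + 1 : line;
                size_t name_len = len - (size_t)(name - line);
                if (name_len == strlen("smackfs") &&
                    memcmp(name, "smackfs", name_len) == 0)
                        return true;
                if (!eol)
                        break;
                line = eol + 1;
        }
        return false;
}

/* 1 if the load file holds at least one byte (rules loaded), 0 if it is
 * empty (SMACK compiled in, no policy), -1 if it cannot be opened
 * (smackfs not mounted or SMACK absent). One fgetc() suffices: feof()
 * is only meaningful after a read attempt. */
int smack_policy_loaded(const char *load_path) {
        FILE *f = fopen(load_path, "r");
        if (!f)
                return -1;
        int c = fgetc(f);
        fclose(f);
        return c == EOF ? 0 : 1;
}

/* Writes a constructed, non-empty "subject object access" rule set to
 * `path` so the check can be tried without a real smackfs (sample data). */
int write_sample_rules(const char *path) {
        FILE *f = fopen(path, "w");
        if (!f)
                return -1;
        fputs("System _ rwxa\n_ System rwxa\n", f);
        return fclose(f);
}
```

In a real boot-time check, read /proc/filesystems into a buffer for smackfs_supported() and pass SMACK_LOAD_PATH to smack_policy_loaded(); -1 then means "skip SMACK setup", 0 means "mounted but no rules".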

