[systemd-devel] [PATCH] SMACK: Add configuration options. (v3)

Lennart Poettering lennart at poettering.net
Tue Oct 30 15:49:49 PDT 2012


On Tue, 30.10.12 15:44, Kok, Auke-jan H (auke-jan.h.kok at intel.com) wrote:

> 
> On Tue, Oct 30, 2012 at 2:56 PM, Lennart Poettering
> <lennart at poettering.net> wrote:
> > On Mon, 29.10.12 20:17, Kok, Auke-jan H (auke-jan.h.kok at intel.com) wrote:
> >> yes, you can detect it by reading /proc/filesystems and checking for
> >> "smackfs", and
> >> if mounted, that it's enabled.
> >
> > Hmm, I think it's a good idea to mount all API VFS that are around,
> > regardless whether the subsystem they are used for is actually really
> > enabled. Isn't there a nicer way how to detect whether a SMACK policy is
> > actually loaded?
> 
> I started looking at it this morning during a meeting and this looks
> easy enough to enable early on, and well worth doing. It's taking the
> code from smackctl (which is LGPLv2... so, should be totally fine) and
> dropping it in just like setup-ima|selinux.
> 
> There is no "master ON" switch in SMACK (it is always on if compiled
> enabled). But you can check if "/smack/load" contains data. If there
> are 0 bytes in it, no rules were loaded. fopen()+feof() should
> suffice, I think.

feof() is only set after you tried to read at least once. But read(fd,
&x, 1) > 0 should do the job.

SMACK uses a top-level dir as mount point for its fs? That should really
be fixed. We moved all the other file systems (selinux, cgroups, ...)
below /sys, and SMACK has no excuse to pollute the root fs for this.

Follow the SELinux scheme please and introduce /sys/fs/smack, and use
that as default mount point.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
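
The check suggested in the reply above, as an added example that is not part of the original message or of systemd's code: `file_has_data()` attempts a one-byte `read()` to decide whether a file such as `/smack/load` contains anything, and `feof_before_read()` shows why `feof()` directly after `fopen()` cannot answer that. All function names and the sample file written by `write_sample()` are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if at least one byte can be read, 0 if the file is empty,
 * -1 on error (errno is preserved; ENOENT usually means "not mounted"). */
int file_has_data(const char *path) {
    char x;
    ssize_t n;
    int saved, fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    do {
        n = read(fd, &x, 1);          /* the read(fd, &x, 1) > 0 test */
    } while (n < 0 && errno == EINTR); /* retry if a signal interrupted us */
    saved = errno;
    close(fd);
    errno = saved;
    return n < 0 ? -1 : n > 0;
}

/* The pitfall: feof() queried right after fopen(), before any read.
 * Returns the feof() result (0 or 1), or -1 if the file cannot be opened. */
int feof_before_read(const char *path) {
    FILE *f = fopen(path, "r");
    int r;
    if (!f)
        return -1;
    r = feof(f) != 0;                 /* EOF flag is not set yet */
    fclose(f);
    return r;
}

/* Writes a constructed sample file so both functions can be tried offline. */
int write_sample(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    int rc;
    if (!f)
        return -1;
    rc = fputs(data, f) < 0 ? -1 : 0;
    return fclose(f) != 0 ? -1 : rc;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/smack/load"; /* path from the thread */
    int r = file_has_data(path);
    if (r < 0) { perror(path); return 2; }
    puts(r ? "rules loaded" : "no rules loaded");
    return 0;
}
```

On an empty file `feof_before_read()` returns 0, the same value it returns for a file with content, which is why the emptiness test needs an actual read attempt.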