[systemd-devel] [PATCH] SMACK: Add configuration options. (v3)

Schaufler, Casey casey.schaufler at intel.com
Tue Oct 30 16:04:33 PDT 2012


> -----Original Message-----
> From: Lennart Poettering [mailto:lennart at poettering.net]
> Sent: Tuesday, October 30, 2012 3:50 PM
> To: Kok, Auke-jan H
> Cc: Schaufler, Casey; systemd-devel at lists.freedesktop.org
> Subject: Re: [PATCH] SMACK: Add configuration options. (v3)
> 
> On Tue, 30.10.12 15:44, Kok, Auke-jan H (auke-jan.h.kok at intel.com)
> wrote:
> 
> >
> > On Tue, Oct 30, 2012 at 2:56 PM, Lennart Poettering
> > <lennart at poettering.net> wrote:
> > > On Mon, 29.10.12 20:17, Kok, Auke-jan H (auke-jan.h.kok at intel.com)
> wrote:
> > >> yes, you can detect it by reading /proc/filesystems and checking
> > >> for "smackfs", and if mounted, that it's enabled.
> > >
> > > Hmm, I think it's a good idea to mount all API VFS that are around,
> > > regardless whether the subsystem they are used for is actually
> > > really enabled. Isn't there a nicer way how to detect whether a
> > > SMACK policy is actually loaded?
> >
> > I started looking at it this morning during a meeting and this looks
> > easy enough to enable early on, and well worth doing. It's taking the
> > code from smackctl (which is LGPLv2... so, should be totally fine)
> and
> > dropping it in just like setup-ima|selinux.
> >
> > There is no "master ON" switch in SMACK (it is always on if compiled
> > enabled). But you can check if "/smack/load" contains data. If there
> > are 0 bytes in it, no rules were loaded. fopen()+feof() should
> > suffice, I think.
> 
> feof() is only set after you tried to read at least once. But read(fd,
> &x, 1) > 0 should do the job.
> 
> SMACK uses a top-level dir as mount point for its fs?

Yup. That was the convention at the time Smack was introduced.

> That should
> really be fixed. We moved all the other file systems (selinux, cgroups,
> ...) below /sys,

No one said boo about Smack at the time.

> and SMACK has no excuse to pollute the root fs for
> this.

Sure Smack does. But that's neither here nor there.

> Follow the SELinux scheme please and introduce /sys/fs/smack, and use
> that as default mount point.

I have been advocating standardization of LSM interfaces
for some time. The apparmor folks put theirs at
/sys/kernel/security/apparmor. I would hardly say that
/sys/fs/smack would be better than /sys/kernel/security/smack.
I plan to move it when there's a consensus of where LSM
filesystems should go, or when there's a compelling reason
to go someplace in particular. I'm afraid that "SELinux does
in this way" is not an argument *by itself* that goes very
far with the Smack project. 


> 
> Lennart
> 
> --
> Lennart Poettering - Red Hat, Inc.


More information about the systemd-devel mailing list