[systemd-devel] Patch for Smack labelling support in udev

Reshetova, Elena elena.reshetova at intel.com
Wed Jul 3 04:04:12 PDT 2013


-----Original Message-----
From: Kay Sievers [mailto:kay at vrfy.org]
Sent: Tuesday, June 25, 2013 7:30 PM
To: Reshetova, Elena
Cc: Lennart Poettering; systemd-devel at lists.freedesktop.org; Ware, Ryan R; 
Schaufler, Casey; walyong.cho at samsung.com
Subject: Re: [systemd-devel] Patch for Smack labelling support in udev

>On Tue, Jun 25, 2013 at 5:23 PM, Reshetova, Elena <elena.reshetova at intel.com> 
>wrote:
>> Here is the draft for the changed patch. Is it along the lines you
>> were thinking about?
>> Please ignore the small details such as cosmetics etc. for now: I am
>> still planning to test it properly and clean up, but first I want to
>> understand if I am moving towards the right way.

>Things like:
>  ..., XATTR{foo}="foo", XATTR{bar}="bar"
>would just eat the entire foo key. That is intentional? We usually have lists 
>for that, or we would not allow 2 keys ...

Hm.. Do we want to allow multiple xattrs to be set up on the same node? I guess this 
can make sense if, for example, one is to set up the security label and another 
one some other attribute.
So, I guess then it has to be stored in a list. I will take a look at how it 
is done for other cases.
Could you please point to the right example of how such a case is handled in 
udev (maybe from other permissions or attributes)? Some particular case that I 
should take as an example?

>The tokens in the enum are the sort order of execution, the order has 
>meaning, it's not just a list. The XATTR key belongs more to the other 
>permissions keys than to the end of the list.

Oh, ok, didn't know this (as many other things about udev :)). I will fix this 
part.

>If pairs of values that belong to each other are allocated, we better check 
>if we run into allocation problems. Udev ignores that in some places and goes 
>ahead as if the value would not have been set at all. But with pairs, we should 
>not end up with inconsistent pairs which have only the name or the value set.
>The:
>  if ((xattr_name) && (xattr_label))
>should then just become:
>  if (xattr_name)
>.

OK, and then I guess I would need to check during parsing that they are both 
set correctly and unset the other one, if one is missing, right?

Best Regards,
Elena.
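
The two review points in this message (several XATTR keys on one rule need a list, and a name/value pair must never be left half-allocated) can be sketched as follows. This is an added example, not code from the patch or from udev; `struct xattr_entry`, `xattr_list_add`, `xattr_list_len` and the `fail_after` allocation-failure hook are hypothetical names chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical types and names for illustration; not udev's own structures. */
struct xattr_entry {
        char *name, *value;
        struct xattr_entry *next;
};

/* Test hook (assumption): when > 0, the Nth string copy fails, simulating OOM. */
static int fail_after = 0;

static char *dup_or_fail(const char *s) {
        size_t n = strlen(s) + 1;
        char *p = (fail_after > 0 && --fail_after == 0) ? NULL : malloc(n);
        return p ? memcpy(p, s, n) : NULL;
}

/* Append one name/value pair; returns 0 on success, -1 on failure.
 * On failure the list is unchanged, so no entry ever has only one half set. */
int xattr_list_add(struct xattr_entry **head, const char *name, const char *value) {
        struct xattr_entry *e, **tail;

        if (!name || !value || !*name)
                return -1;
        e = calloc(1, sizeof(*e));
        if (!e)
                return -1;
        e->name = dup_or_fail(name);
        e->value = dup_or_fail(value);
        if (!e->name || !e->value) {
                /* Roll back both halves; free(NULL) is a no-op. */
                free(e->name);
                free(e->value);
                free(e);
                return -1;
        }
        /* Append at the tail so a second key does not replace the first. */
        for (tail = head; *tail; tail = &(*tail)->next)
                ;
        *tail = e;
        return 0;
}

size_t xattr_list_len(const struct xattr_entry *head) {
        size_t n = 0;
        for (; head; head = head->next)
                n++;
        return n;
}
```

Because an entry only reaches the list with both strings set, code that applies the attributes can test the name alone, as the review suggests.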