[systemd-devel] [PATCH] condition, man: Add support for ConditionSecurity=smack

Karol Lewandowski k.lewandowsk at samsung.com
Tue May 7 05:29:48 PDT 2013


On 05/07/2013 01:32 PM, Lennart Poettering wrote:
> On Tue, 07.05.13 13:21, Karol Lewandowski (k.lewandowsk at samsung.com) wrote:
> 
> Heya,
> 
> Hmm, does that directory always exist? Or only if AppArmor is actually
> runtime enabled?

/sys/fs/smackfs is only registered when smack lsm is actually enabled:

  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smackfs.c?id=e93072374112db9dc86635934ee761249be28370#n2179

> I.e. this check should ideally only return true if SMACK is not only
> built into the kernel, but actually really enabled during
> runtime. That's what the SELinux check does and what the most useful
> semantics are.

Ok, I see that libselinux will consider selinux to be disabled also when
policy is not loaded:

  http://userspace.selinuxproject.org/trac/browser/libselinux/src/enabled.c#L12

I guess we could do something similar (inspect /proc/self/attr/current)
but honestly, I don't think it's really needed.  Rafał, could you correct me
if I'm wrong?

Cheers

> 
>> Signed-off-by: Karol Lewandowski <k.lewandowsk at samsung.com>
>>
>> diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
>> index 49103da..256c813 100644
>> --- a/man/systemd.unit.xml
>> +++ b/man/systemd.unit.xml
>> @@ -984,8 +984,9 @@
>>                                  may be used to check whether the given
>>                                  security module is enabled on the
>>                                  system.  Currently the only recognized
>> -                                values are <varname>selinux</varname>
>> -                                and <varname>apparmor</varname>.
>> +                                values are <varname>selinux</varname>,
>> +                                <varname>apparmor</varname> and
>> +                                <varname>smack</varname>.
>>                                  The test may be negated by prepending
>>                                  an exclamation
>>                                  mark.</para>
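Review bot: the sentence "may be used to check whether the given security module is enabled on the system" leaves open whether "enabled" means built into the kernel or active at runtime, which is exactly the question raised in this thread; since all three values are tested through the module's sysfs/securityfs interface, state that the condition holds only when the module is active at runtime, so nobody reads it as a kernel-config check.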
>> diff --git a/src/core/condition.c b/src/core/condition.c
>> index 4aa5530..16cae6d 100644
>> --- a/src/core/condition.c
>> +++ b/src/core/condition.c
>> @@ -164,6 +164,8 @@ static bool test_security(const char *parameter) {
>>  #endif
>>  	if (streq(parameter, "apparmor"))
>>  		return access("/sys/kernel/security/apparmor/", F_OK) == 0;
>> +	if (streq(parameter, "smack"))
>> +		return access("/sys/fs/smackfs", F_OK) == 0;
>>          return false;
>>  }
>>  
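Review bot: the new smack branch carries no comment on why a bare F_OK test on /sys/fs/smackfs is an adequate runtime check, while the SELinux case goes through libselinux; the justification (smackfs is only registered when the SMACK LSM is enabled, per the smackfs.c link in this thread) should live next to the code, e.g. `/* smackfs is registered only when the SMACK LSM is enabled */` above the `if`. Also, the apparmor path has a trailing slash and the smack path does not; use one form for both.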
> 
> 
> Lennart
> 
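The ConditionSecurity= semantics discussed above (path-existence probe per module, "!" negation, unknown values testing false), written out as an added stand-alone example rather than systemd's own condition.c; the `smack_only_present` probe is a constructed stand-in for a host where only SMACK is active, and SELinux is omitted because systemd defers that case to libselinux.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Recognised ConditionSecurity= values mapped to the path whose existence
 * signals that the LSM is active at runtime (apparmor and smack as in the
 * patch; selinux left out because systemd asks libselinux instead). */
struct lsm_probe {
        const char *name;
        const char *path;
};

static const struct lsm_probe probes[] = {
        { "apparmor", "/sys/kernel/security/apparmor/" },
        { "smack",    "/sys/fs/smackfs" },
};

/* Real probe: the same F_OK existence test the patch uses. */
static bool path_present(const char *path) {
        return access(path, F_OK) == 0;
}

/* Constructed probe standing in for a host where only SMACK is enabled,
 * so the evaluation logic can be exercised without the real LSM. */
static bool smack_only_present(const char *path) {
        return strcmp(path, "/sys/fs/smackfs") == 0;
}

/* Evaluate one ConditionSecurity= value. A leading '!' negates the result,
 * as the man page documents; an unrecognised module tests as "not enabled"
 * (the return false fall-through in condition.c) before negation applies. */
bool condition_security(const char *spec, bool (*present)(const char *)) {
        bool negate = false, enabled = false;
        size_t i;
        if (spec == NULL)
                return false;
        if (*spec == '!') { negate = true; spec++; }
        for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
                if (strcmp(spec, probes[i].name) == 0)
                        enabled = present(probes[i].path);
        return enabled != negate;
}

int main(void) {
        printf("smack: %d, !smack: %d\n", condition_security("smack", path_present),
               condition_security("!smack", path_present));
        return 0;
}
```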
