[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.

Kok, Auke-jan H auke-jan.h.kok at intel.com
Fri Nov 1 09:19:27 PDT 2013


On Fri, Nov 1, 2013 at 12:57 AM, Karel Zak <kzak at redhat.com> wrote:
> On Thu, Oct 31, 2013 at 01:20:18PM -0700, Kok, Auke-jan H wrote:
>> >  BTW, for SELinux we remove selinux specific mount options in
>> >  userspace (in mount(8)) if the kernel does not support selinux.
>> >
>> >  It helps us to make command line or fstab settings independent of the
>> >  current kernel features.
>> >
>> >  Maybe we can use the same for SMACK, is there any way to
>> >  determine that the system uses SMACK? (/proc/<something> or so...).
>> >  -- for selinux we check for /sys/fs/selinux or /selinux.
>>
>> Ohh yes that would be so nice.
>>
>> You've got your choice for detecting smack, but I like
>> stat(/sys/fs/smackfs) == 0 the best so far. You can parse
>> /proc/filesystems for smackfs too, but that's obviously more complex.
>> This method works with 3.9 and above, as that's when we made sysfs
>> hold the mount point for smackfs.
>>
>> I assume we're talking about this code here:
>>
>> https://github.com/karelzak/util-linux/blob/master/libmount/src/context_mount.c#L181
>
>  Yes, the "se_rem" code (with SELinux it is tricky, because old
>  kernels don't support selinux options on remount, option duplication is
>  a problem, etc. I guess that for SMACK it will be less complex :-).
>
>  Do you have a list of the smack mount options somewhere? I'll prepare
>  the patch.

Yes, the authoritative documentation is the code:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smack.h#n143

/*
 * Mount options
 */
#define SMK_FSDEFAULT "smackfsdef="
#define SMK_FSFLOOR "smackfsfloor="
#define SMK_FSHAT "smackfshat="
#define SMK_FSROOT "smackfsroot="
#define SMK_FSTRANS "smackfstransmute="

>  BTW, the options should also be documented in the mount.8 man page :-)

nod

Thanks,

Auke
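
The detect-and-strip approach discussed in this message, sketched as an added example (not code from util-linux, systemd, or either poster). The function names smack_present and strip_smack_opts are hypothetical, and the sketch assumes option values never contain quoted commas.

```c
/* Added illustration; not util-linux or systemd code. Names are hypothetical. */
#include <string.h>
#include <sys/stat.h>

/* Option prefixes from security/smack/smack.h, as quoted in the message. */
static const char *const smack_opts[] = {
    "smackfsdef=", "smackfsfloor=", "smackfshat=",
    "smackfsroot=", "smackfstransmute=",
};

/* Returns 1 if path exists; /sys/fs/smackfs is there on 3.9+ with SMACK. */
int smack_present(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

static int is_smack_opt(const char *opt, size_t len)
{
    for (size_t i = 0; i < sizeof(smack_opts) / sizeof(smack_opts[0]); i++) {
        size_t n = strlen(smack_opts[i]);
        if (len >= n && strncmp(opt, smack_opts[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Copy comma-separated list in to out, dropping SMACK options. Assumes no
 * quoted values containing commas. Returns 0, or -1 if out is too small. */
int strip_smack_opts(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    while (*in) {
        size_t len = strcspn(in, ",");
        if (len && !is_smack_opt(in, len)) {
            if (used + len + 2 > outsz) return -1;  /* comma + option + NUL */
            if (used) out[used++] = ',';
            memcpy(out + used, in, len);
            used += len;
            out[used] = '\0';
        }
        in += len;
        if (*in == ',') in++;
    }
    return 0;
}
```

A caller would strip the options only when smack_present("/sys/fs/smackfs") returns 0, so the same fstab line works on kernels with and without SMACK.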

