[systemd-devel] [PATCH 1/2] Mount /run, /dev/shm usable to tasks when using SMACK.

Lennart Poettering lennart at poettering.net
Tue Oct 1 16:40:18 PDT 2013


On Tue, 01.10.13 16:11, Auke Kok (auke-jan.h.kok at intel.com) wrote:

> Once system itself is running in a security domain for SMACK,
> it will fail to start countless tasks due to missing privileges
> for mounted and created directory structures. For /run and shm
> specifically, we grant all tasks access.

Hmm, I am not convinced this patch is really desirable. So far we tried
to make sure that a systemd that is compiled with selinux/smack/ima
support works on kernels that lack it and vice versa. However, if I am
not mistaken this patch will break this, as you set MNT_FATAL for the
mounts but unconditionally add smackfsroot=* to the mount options --
which if I am not mistaken will cause the mount to fail on kernels that
lack SMACK, right?

Something that might work is simply dropping the MNT_FATAL from the
HAVE_SMACK lines. That way, it will be attempted to mount things with
the specified parameters, and if that fails it will be retried
immediately with the following line that lacks the smackfsdef= param?
The mounting code is smart enough to detect if /run is mounted and will
not actually try to mount things twice if something is found to be
mounted there already...

> ---
>  src/core/mount-setup.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
> index 4359f59..310afbd 100644
> --- a/src/core/mount-setup.c
> +++ b/src/core/mount-setup.c
> @@ -79,10 +79,18 @@ static const MountPoint mount_table[] = {
>            NULL,       MNT_NONE },
>          { "smackfs",    "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
>            NULL,       MNT_NONE },
> +#ifdef HAVE_SMACK
> +        { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
> +          NULL,       MNT_FATAL|MNT_IN_CONTAINER },
> +#endif
>          { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
>            NULL,       MNT_FATAL|MNT_IN_CONTAINER },
>          { "devpts",     "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
>            NULL,       MNT_IN_CONTAINER },
> +#ifdef HAVE_SMACK
> +        { "tmpfs",      "/run",                      "tmpfs",      "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
> +          NULL,       MNT_FATAL|MNT_IN_CONTAINER },
> +#endif
>          { "tmpfs",      "/run",                      "tmpfs",      "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
>            NULL,       MNT_FATAL|MNT_IN_CONTAINER },
>          { "tmpfs",      "/sys/fs/cgroup",            "tmpfs",      "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
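Review bot: the two `#ifdef HAVE_SMACK` entries for /dev/shm and /run keep `MNT_FATAL`, so on a kernel whose tmpfs does not understand the `smackfsroot=*` option the mount fails and boot aborts before the plain `mode=1777` / `mode=755` fallback entries that follow are ever tried; drop `MNT_FATAL` from the two SMACK-specific entries (leaving `MNT_IN_CONTAINER`) so a rejected option falls through to the unconditional line below it, which already carries `MNT_FATAL` itself. Two smaller points: the new entries use `smackfsroot=*` while the existing smackfs line two entries above uses `smackfsdef=*`, so a one-line comment stating why the root label rather than the default label is wanted here would help future readers; and since `smackfsroot=*` makes the mount root accessible to every SMACK label, the commit message's "we grant all tasks access" deserves to be stated in a comment next to the entries, because it widens access to everything created under /run and /dev/shm, not just to systemd's own files.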


Lennart

-- 
Lennart Poettering - Red Hat, Inc.