[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
Lennart Poettering
lennart@poettering.net
Mon Oct 28 16:58:52 CET 2013
On Mon, 28.10.13 19:44, WaLyong Cho (walyong.cho@samsung.com) wrote:
> For the same reason as /run and /dev/shm, when systemd is running with
> SMACK, countless tasks fail because of missing privileges.
> To avoid this, /tmp is assigned the '*' label.
Won't this break if people compile systemd with SMACK enabled but
run a kernel that has it disabled?
We had a similar problem for the other mounts like /run, where we found
a somewhat nice solution, but I am not sure how we can make the same
work here...
Lennart
> ---
> Makefile.am | 10 ++++++----
> configure.ac | 4 +++-
> units/tmp.mount | 20 --------------------
> units/tmp.mount.m4 | 22 ++++++++++++++++++++++
> 4 files changed, 31 insertions(+), 25 deletions(-)
> delete mode 100644 units/tmp.mount
> create mode 100644 units/tmp.mount.m4
>
> diff --git a/Makefile.am b/Makefile.am
> index 4a96a50..6c977e8 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -399,7 +399,6 @@ dist_systemunit_DATA = \
> units/sys-kernel-config.mount \
> units/sys-kernel-debug.mount \
> units/sys-fs-fuse-connections.mount \
> - units/tmp.mount \
> units/printer.target \
> units/sound.target \
> units/bluetooth.target \
> @@ -444,7 +443,8 @@ nodist_systemunit_DATA = \
> units/initrd-cleanup.service \
> units/initrd-udevadm-cleanup-db.service \
> units/initrd-switch-root.service \
> - units/systemd-nspawn at .service
> + units/systemd-nspawn at .service \
> + units/tmp.mount
>
> dist_userunit_DATA = \
> units/user/default.target \
> @@ -488,12 +488,14 @@ EXTRA_DIST += \
> units/initrd-cleanup.service.in \
> units/initrd-udevadm-cleanup-db.service.in \
> units/initrd-switch-root.service.in \
> - units/systemd-nspawn at .service.in
> + units/systemd-nspawn at .service.in \
> + units/tmp.mount.m4
>
> CLEANFILES += \
> units/console-shell.service.m4 \
> units/console-getty.service.m4 \
> - units/rescue.service.m4
> + units/rescue.service.m4 \
> + units/tmp.mount.m4
>
> if HAVE_SYSV_COMPAT
> nodist_systemunit_DATA += \
> diff --git a/configure.ac b/configure.ac
> index 7e41d57..65268e8 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -503,6 +503,8 @@ AC_SUBST(XATTR_LIBS)
> AM_CONDITIONAL([HAVE_XATTR], [test "x$have_xattr" != xno])
>
> # ------------------------------------------------------------------------------
> +M4_DEFINES=
> +
> AC_ARG_ENABLE([smack], AS_HELP_STRING([--disable-smack],[Disable optional SMACK support]),
> [case "${enableval}" in
> yes) have_smack=yes ;;
> @@ -531,6 +533,7 @@ AS_HELP_STRING([--with-smack-run-label=STRING],
>
> if test "x${have_smack}" = xyes ; then
> AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available])
> + M4_DEFINES="$M4_DEFINES -DHAVE_SMACK"
> fi
>
> # ------------------------------------------------------------------------------
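Review bot: adding -DHAVE_SMACK to M4_DEFINES bakes the smackfsroot=* option into a static unit file at build time, so the decision follows the configure flag rather than the kernel actually booted, which is exactly the concern raised in the reply above. A mount unit has no way to change Options= at runtime, so a build with --enable-smack produces a tmp.mount that is wrong on a kernel without SMACK, and vice versa; the commit message should at least document that the generated unit is only valid for SMACK-enabled kernels, or the approach should be reconsidered along the lines of what was done for /run.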
> @@ -891,7 +894,6 @@ AM_CONDITIONAL(ENABLE_MANPAGES, [test "x$have_manpages" = "xyes"])
> # Location of the init scripts as mandated by LSB
> SYSTEM_SYSVINIT_PATH=/etc/init.d
> SYSTEM_SYSVRCND_PATH=/etc/rc.d
> -M4_DEFINES=
>
> AC_ARG_WITH([sysvinit-path],
> [AS_HELP_STRING([--with-sysvinit-path=PATH],
> diff --git a/units/tmp.mount b/units/tmp.mount
> deleted file mode 100644
> index 99a3ba3..0000000
> --- a/units/tmp.mount
> +++ /dev/null
> @@ -1,20 +0,0 @@
> -# This file is part of systemd.
> -#
> -# systemd is free software; you can redistribute it and/or modify it
> -# under the terms of the GNU Lesser General Public License as published by
> -# the Free Software Foundation; either version 2.1 of the License, or
> -# (at your option) any later version.
> -
> -[Unit]
> -Description=Temporary Directory
> -Documentation=man:hier(7)
> -Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
> -DefaultDependencies=no
> -Conflicts=umount.target
> -Before=local-fs.target umount.target
> -
> -[Mount]
> -What=tmpfs
> -Where=/tmp
> -Type=tmpfs
> -Options=mode=1777,strictatime
> diff --git a/units/tmp.mount.m4 b/units/tmp.mount.m4
> new file mode 100644
> index 0000000..46c7fcd
> --- /dev/null
> +++ b/units/tmp.mount.m4
> @@ -0,0 +1,22 @@
> +# This file is part of systemd.
> +#
> +# systemd is free software; you can redistribute it and/or modify it
> +# under the terms of the GNU Lesser General Public License as published by
> +# the Free Software Foundation; either version 2.1 of the License, or
> +# (at your option) any later version.
> +
> +[Unit]
> +Description=Temporary Directory
> +Documentation=man:hier(7)
> +Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
> +DefaultDependencies=no
> +Conflicts=umount.target
> +Before=local-fs.target umount.target
> +
> +[Mount]
> +What=tmpfs
> +Where=/tmp
> +Type=tmpfs
> +m4_ifdef(`HAVE_SMACK',
> +`Options=mode=1777,strictatime,smackfsroot=*',
> +`Options=mode=1777,strictatime')
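Review bot: the two m4_ifdef branches duplicate the common options, which invites them drifting apart; only the SMACK-specific suffix needs to be conditional, e.g. `Options=mode=1777,strictatime`m4_ifdef(`HAVE_SMACK',`,smackfsroot=*')`. The new file also carries no comment explaining why the '*' label is needed on /tmp (the rationale lives only in the commit message); a one-line comment above the Options= line would help anyone reading the generated unit later.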
Lennart
--
Lennart Poettering, Red Hat
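The reply above points out that a compile-time `HAVE_SMACK` define cannot track whether the running kernel actually has SMACK enabled. The script below is an added example, not code from the patch or from systemd, of making that decision at boot instead: it probes the kernel and renders an `Options=` line for /tmp accordingly. It assumes that the presence of the smackfs directory under sysfs (`/sys/fs/smackfs` by default) indicates a kernel with SMACK active, and that the rendered snippet can be installed as a drop-in overriding `Options=` of `tmp.mount`; both the probe path and the drop-in mechanism are assumptions here, not something the thread establishes.

```shell
#!/bin/sh
# Added example (not part of the patch or of systemd): choose the tmpfs
# options for /tmp at runtime instead of at build time.
#
# Assumption: a kernel with SMACK enabled exposes the smackfs directory
# under sysfs; its absence means mount would have to cope without
# the smackfsroot= option, so we simply leave it out.

SMACKFS_DIR="${SMACKFS_DIR:-/sys/fs/smackfs}"
BASE_OPTS="mode=1777,strictatime"   # the options the static unit always used

# smack_active [DIR]: succeed if the SMACK sysfs directory exists.
# DIR is overridable so the logic can be exercised without a SMACK kernel.
smack_active() {
    [ -d "${1:-$SMACKFS_DIR}" ]
}

# tmp_mount_options [DIR]: print the Options= value for /tmp, adding
# smackfsroot=* only when SMACK is actually present on this kernel.
tmp_mount_options() {
    if smack_active "$1"; then
        printf '%s\n' "$BASE_OPTS,smackfsroot=*"
    else
        printf '%s\n' "$BASE_OPTS"
    fi
}

# render_dropin [DIR]: print a drop-in snippet overriding Options= of
# tmp.mount (assumed install path: /etc/systemd/system/tmp.mount.d/smack.conf).
render_dropin() {
    printf '[Mount]\nOptions=%s\n' "$(tmp_mount_options "$1")"
}

# When run directly, show what this host would get (read-only, no install).
tmp_mount_options
```

Running the script on a host prints the option string it would use; `render_dropin` produces the snippet an early-boot generator could write before `tmp.mount` is started, so the same installed unit works on kernels with and without SMACK.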