[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
Karel Zak
kzak at redhat.com
Thu Oct 31 10:40:08 CET 2013
On Tue, Oct 29, 2013 at 01:27:07PM +0100, Lennart Poettering wrote:
> On Tue, 29.10.13 16:02, WaLyong Cho (walyong.cho at samsung.com) wrote:
>
> > >> Hmm, here's an idea: there has been a long standing feature request to
> > >> add a configurable boolean to mount unit files that controls
> > >> /bin/mount's "-s" switch. Let's say we call it
> > >> "SloppyOptions=yes/no", or so. Then, we could set this for this unit
> > >> file and apply the rest of the patch and things should work, and where
> > >> they don't we can easily reassign to the kernel to respect the "-s" flag
> > >> properly.
> > >>
> > >> Doing a patch that allows "-s" to be controlled should be fairly easy,
> > >> would be happy to merge a patch for that!
> > > ahhh I hadn't even seen -s in /bin/mount yet, so I can see this
> > > helping out a lot.
> > >
> > > I'd be okay with a solution like that, it would certainly simplify
> > > things a lot, but we need to be careful not to overload mount options
> > > with all sorts of nonstandard options - it will make problems harder
> > > to debug and for some of these security enabled systems we will most
> > > likely want to actually _not_ use -s. After all, we want to make sure
> > > we're actually booting with properly set up Smack options e.g. a typo
> > > in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
> > >
> > > Auke
> > >
> > I am not sure we can use the -s option. First I tried that in my Fedora
> > machine.
> >
> > # mount -t tmpfs -s -o mode=1777,strictatime,smackfsroot=* tmpfs /test
> > mount: wrong fs type, bad option, bad superblock on tmpfs,
> > missing codepage or helper program, or other error
> >
> > In some cases useful info is found in syslog - try
> > dmesg | tail or so.
> >
> > # dmesg
> > [ 752.222803] tmpfs: Bad mount option smackfsroot
>
> Hmm, it appears that libmount/util-linux actually appears to ignore the
> sloppy mount option entirely. Adding kzak to CC. Karel, what's going on
> here? Does "-s" have any use at all?

The -s is supported by mount.nfs only. It has never been implemented
for anything else. There is no kernel mount flag for this option.

> Can we make it work for us?

Add MS_SLOPPY to kernel :-)

Karel

--
Karel Zak <kzak at redhat.com>
http://karelzak.blogspot.com
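
The concern quoted above, that a mistyped option such as `nexec` would be silently dropped if mount options were parsed sloppily, can be checked after the fact by comparing the hardening flags a mount point is meant to carry with what the kernel reports in `/proc/self/mounts`. This is an added example, not part of the thread or of systemd; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format. /tmp lacks noexec, which is
# the state a silently ignored "nexec" would leave behind.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0'

# effective_opts MOUNTPOINT [MOUNTS_TEXT]
# Prints the option field of the last entry for MOUNTPOINT (a later mount
# shadows an earlier one). Returns non-zero if MOUNTPOINT is not mounted.
# MOUNTPOINT must be spelled as the kernel prints it (spaces appear as \040).
effective_opts() {
    mp=$1
    if [ $# -ge 2 ]; then text=$2; else text=$(cat /proc/self/mounts); fi
    printf '%s\n' "$text" | MP=$mp awk '
        $2 == ENVIRON["MP"] { o = $4; found = 1 }
        END { if (found) print o; else exit 1 }'
}

# missing_flags MOUNTPOINT REQUIRED_CSV [MOUNTS_TEXT]
# Prints the required flags that are not in effect, comma-separated.
# Returns 0 if none are missing, 1 if some are, 2 if not mounted.
missing_flags() {
    opts=$(effective_opts "$1" ${3+"$3"}) || return 2
    missing=
    old_ifs=$IFS; IFS=,
    for flag in $2; do
        # Match whole options only, so "nodev" does not match "nodevX".
        case ",$opts," in
            *",$flag,"*) ;;
            *) missing="${missing:+$missing,}$flag" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Demonstration on the constructed table.
missing_flags /tmp nodev,nosuid,noexec "$SAMPLE_MOUNTS" || :
```

Only flags that the kernel echoes back verbatim (nodev, nosuid, noexec, ro) are suitable for this comparison; filesystem-specific options may be displayed differently or omitted when they equal the default.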