[systemd-devel] [RFC] Mounting $XGD_RUNTIME_DIR with units instead of logind code.
Maciej Wereski
m.wereski at partner.samsung.com
Wed Oct 8 05:44:18 PDT 2014
Hello,
Lately I've been working on updating systemd (currently 208) in Tizen. One
of problems we've stumbled upon was with user at .service failing. Problem
was on SMACK-enabled system, caused by 1c231f5 (logind: make
$XDG_RUNTIME_DIR a per-user tmpfs).
When $XDG_RUNTIME_DIR is mounted it inherits logind label, which in turn
forbid users to access theirs directories.
One solution would be to add "if (use_smack())
mount(..."smackfsroot=*"...)" in logind-user.c,
but it would also require to add CAP_MAC_ADMIN to systemd-logind.service.
Another solution would be to remove mounting logic from logind-user.c
completely and add run-user at .mount. user at .service would gain following
lines:
Requires=run-user@%I.mount
After=run-user@%I.mount
Unfortunately, currently it's not possible.
First problem is that unit isn't named after path, so that requirement
needs to be removed first.
Second - we don't have gid, but it doesn't seem to be an issue, as mode is
set to 0700.
Then, in Tizen we could just add "smackfsroot" to options. Alternatively
SmackLabel= option could be added for mount units, which would
automatically append "smackfsroot" to options, when SMACK is enabled.
How should we solve this issue?
regards,
--
Maciej Wereski
Samsung R&D Institute Poland
Samsung Electronics
m.wereski at partner.samsung.com
More information about the systemd-devel
mailing list