[systemd-devel] [RFC] Mounting $XGD_RUNTIME_DIR with units instead of logind code.

[Maciej Wereski]

Hello,

Lately I've been working on updating systemd (currently 208) in Tizen. One
of problems we've stumbled upon was with user at .service failing. Problem
was on SMACK-enabled system, caused by 1c231f5 (logind: make
$XDG_RUNTIME_DIR a per-user tmpfs).

When $XDG_RUNTIME_DIR is mounted it inherits logind label, which in turn
forbid users to access theirs directories.

One solution would be to add "if (use_smack())
mount(..."smackfsroot=*"...)" in logind-user.c,
but it would also require to add CAP_MAC_ADMIN to systemd-logind.service.

Another solution would be to remove mounting logic from logind-user.c
completely and add run-user at .mount. user at .service would gain following
lines:
Requires=run-user@%I.mount
After=run-user@%I.mount

Unfortunately, currently it's not possible.
First problem is that unit isn't named after path, so that requirement
needs to be removed first.
Second - we don't have gid, but it doesn't seem to be an issue, as mode is
set to 0700.

Then, in Tizen we could just add "smackfsroot" to options. Alternatively
SmackLabel= option could be added for mount units, which would
automatically append "smackfsroot" to options, when SMACK is enabled.

How should we solve this issue?

regards,
-- 
Maciej Wereski
Samsung R&D Institute Poland
Samsung Electronics
m.wereski at partner.samsung.com