[systemd-devel] [PATCH] journald: add CAP_MAC_OVERRIDE in journald for SMACK issue
Lennart Poettering
lennart at poettering.net
Wed Sep 3 09:58:51 PDT 2014
On Wed, 03.09.14 22:16, Juho Son (juho80.son at samsung.com) wrote:
> systemd-journald check the cgroup id to support rate limit option for
> every messages. so journald should be available to access cgroup node in
> each process send messages to journald.
> In system using SMACK, cgroup node in proc is assigned execute label
> as each process's execute label.
> so if journald don't want to denied for every process, journald
> should have all of access rule for all process's label.
> It's too heavy. so we could give special smack label for journald te get
> all accesses's permission.
> '^' label.
> When assign '^' execute smack label to systemd-journald,
> systemd-journald need to add CAP_MAC_OVERRIDE capability to get that smack privilege.
>
> so I want to notice this information and set default capability to
> journald whether system use SMACK or not.
I have no idea about SMACK, hence I cannot really review the
patch. But if I get this right, then only SMACK makes use of
CAP_MAC_OVERRIDE, hence by adding the bit to journald we don't affect
anything but smack behaviour, right?
If that's the case then I am happy to apply the patch...
>
> Change-Id: I52e47d6f9b631f365799bb51a66404cf3f1da12b
> Signed-off-by: Juho Son <juho80.son at samsung.com>
We don't use S-O-b on systemd...
> ---
> units/systemd-journald.service.in | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
> index 7013979..4de38fa 100644
> --- a/units/systemd-journald.service.in
> +++ b/units/systemd-journald.service.in
> @@ -20,7 +20,7 @@ Restart=always
> RestartSec=0
> NotifyAccess=all
> StandardOutput=null
> -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
> +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
> WatchdogSec=1min
>
> # Increase the default a bit in order to allow many simultaneous
> --
> 1.9.1
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list