[systemd-devel] [PATCH] journald: add CAP_MAC_OVERRIDE in journald for SMACK issue

Lennart Poettering lennart at poettering.net
Wed Sep 3 09:58:51 PDT 2014


On Wed, 03.09.14 22:16, Juho Son (juho80.son at samsung.com) wrote:

> systemd-journald checks the cgroup id to support the rate limit option for
> every message, so journald should be able to access the cgroup node of
> each process that sends messages to journald.
> In a system using SMACK, the cgroup node in proc is assigned an execute label
> the same as each process's execute label.
> So if journald doesn't want to be denied for every process, journald
> should have all of the access rules for all processes' labels.
> It's too heavy, so we could give a special smack label to journald to get
> all access permissions:
> the '^' label.
> When assigning the '^' execute smack label to systemd-journald,
> systemd-journald needs to add the CAP_MAC_OVERRIDE capability to get that smack privilege.
> 
> So I want to note this information and set the default capability for
> journald whether the system uses SMACK or not.

I have no idea about SMACK, hence I cannot really review the
patch. But if I get this right, then only SMACK makes use of
CAP_MAC_OVERRIDE, hence by adding the bit to journald we don't affect
anything but smack behaviour, right?

If that's the case then I am happy to apply the patch...

> 
> Change-Id: I52e47d6f9b631f365799bb51a66404cf3f1da12b
> Signed-off-by: Juho Son <juho80.son at samsung.com>

We don't use S-O-b on systemd...

> ---
>  units/systemd-journald.service.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
> index 7013979..4de38fa 100644
> --- a/units/systemd-journald.service.in
> +++ b/units/systemd-journald.service.in
> @@ -20,7 +20,7 @@ Restart=always
>  RestartSec=0
>  NotifyAccess=all
>  StandardOutput=null
> -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
> +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
>  WatchdogSec=1min
>  
>  # Increase the default a bit in order to allow many simultaneous
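
Review bot: The changed `CapabilityBoundingSet=` line adds CAP_MAC_OVERRIDE for every build of this unit, although the commit message says it is needed only when journald runs with the '^' SMACK label. Since this is a `.service.in` template, consider making the addition conditional on SMACK support, or at least add a comment above the line saying why journald keeps a MAC-override capability, because nothing in the unit itself explains it. The commit message also says journald must be assigned the '^' label, but the hunk contains no labelling step, so state where that assignment is expected to happen.
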
> -- 
> 1.9.1
> 


Lennart

-- 
Lennart Poettering, Red Hat
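
An added example, not part of this thread or of systemd: a small Python audit that compares the `CapabilityBoundingSet=` line from the patch with the `CapBnd` mask a running journald reports in `/proc/<pid>/status`, to confirm the process actually holds CAP_MAC_OVERRIDE and nothing beyond the unit's list. The function names and the sample status excerpt are constructed for illustration; the bit numbers are those of `<linux/capability.h>`, and the parser assumes a single, non-inverted bounding-set line.

```python
import re

# Bit numbers from <linux/capability.h> for the names on the patched line
# (CAP_MAC_ADMIN is included only so it can be named if it shows up as extra).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_SETGID": 6, "CAP_SETUID": 7,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21, "CAP_AUDIT_CONTROL": 30,
    "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33, "CAP_SYSLOG": 34,
}

# The "+" line from the patch.
UNIT_AFTER = ("CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE "
              "CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN "
              "CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID "
              "CAP_MAC_OVERRIDE\n")
# Constructed sample: status excerpt of a journald that is still running
# with the pre-patch bounding set (for example, not yet restarted).
STATUS_BEFORE = "Name:\tsystemd-journal\nCapBnd:\t00000004402800cf\n"

def unit_mask(unit_text):
    """Bitmask of the single, non-inverted CapabilityBoundingSet= line."""
    m = re.search(r"^CapabilityBoundingSet=(.*)$", unit_text, re.M)
    if m is None:
        raise ValueError("no CapabilityBoundingSet= line")
    mask = 0
    for name in m.group(1).split():
        mask |= 1 << CAP_BITS[name]  # KeyError for a name not in the table
    return mask

def running_mask(status_text):
    """Bounding-set mask from the CapBnd: field of /proc/<pid>/status."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if m is None:
        raise ValueError("no CapBnd: field")
    return int(m.group(1), 16)

def audit(unit_text, status_text):
    """Return (missing, extra): capabilities the unit lists but the process
    lacks, and capabilities the process holds beyond the unit's list."""
    want, have = unit_mask(unit_text), running_mask(status_text)
    names = {bit: name for name, bit in CAP_BITS.items()}
    missing = [names[b] for b in sorted(names)
               if want >> b & 1 and not have >> b & 1]
    extra = [names.get(b, f"bit {b}") for b in range(64)
             if have >> b & 1 and not want >> b & 1]
    return missing, extra

if __name__ == "__main__":
    print(audit(UNIT_AFTER, STATUS_BEFORE))
```
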

