[systemd-devel] [PATCH] journald: add CAP_MAC_OVERRIDE in journald for SMACK issue

juho son juho80.son at samsung.com
Wed Sep 10 23:54:50 PDT 2014


On 04/09/14 01:58, Lennart Poettering wrote:
> On Wed, 03.09.14 22:16, Juho Son (juho80.son at samsung.com) wrote:
>
>> systemd-journald checks the cgroup id to support the rate limit option for
>> every message, so journald should be able to access the cgroup node of
>> each process that sends messages to journald.
>> In a system using SMACK, the cgroup node in proc is assigned the same
>> label as each process's execute label.
>> So if journald does not want to be denied for every process, journald
>> should have access rules for all processes' labels.
>> That is too heavy, so we could give journald a special SMACK label to get
>> all access permissions:
>> the '^' label.
>> When assigning the '^' execute SMACK label to systemd-journald,
>> systemd-journald needs the CAP_MAC_OVERRIDE capability added to get that SMACK privilege.
>>
>> So I want to give notice of this information and set the default capability for
>> journald whether the system uses SMACK or not.
>
> I have no idea about SMACK, hence I cannot really review the
> patch. But if I get this right, then only SMACK makes use of
> CAP_MAC_OVERRIDE, hence by adding the bit to journald we don't affect
> anything but smack behaviour, right?
Yes, the CAP_MAC_OVERRIDE bit could have an effect only in a SMACK-enabled kernel.
When journald has that cap, journald could get the privilege of SMACK.
journald should get all of the logs in a system based on systemd.
>
> If that's the case then I am happy to apply the patch...
>
>>
>> Change-Id: I52e47d6f9b631f365799bb51a66404cf3f1da12b
>> Signed-off-by: Juho Son <juho80.son at samsung.com>
>
> We don't use S-O-b on systemd...
I will send again follow.
>
>> ---
>>   units/systemd-journald.service.in | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
>> index 7013979..4de38fa 100644
>> --- a/units/systemd-journald.service.in
>> +++ b/units/systemd-journald.service.in
>> @@ -20,7 +20,7 @@ Restart=always
>>   RestartSec=0
>>   NotifyAccess=all
>>   StandardOutput=null
>> -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
>> +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
>>   WatchdogSec=1min
>>
>>   # Increase the default a bit in order to allow many simultaneous
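Review bot: CAP_MAC_OVERRIDE is appended to CapabilityBoundingSet= unconditionally, so journald's bounding set widens on every system, although the commit message needs it only where journald runs with the '^' SMACK label. Since the unit is generated from a .in template, consider making the addition conditional on SMACK support being enabled at build time, or at least add a comment line above CapabilityBoundingSet= stating why the capability is there, so that a later tightening of the set does not drop it silently and non-SMACK users can see what it is for.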
>> --
>> 1.9.1
>>
>
>
> Lennart
>


