[systemd-devel] restart vs. stop/start

Mantas Mikulėnas grawity at gmail.com
Sun May 22 19:06:43 UTC 2016


On Sun, May 22, 2016 at 10:03 PM, Christian Boltz <systemd-devel at cboltz.de>
wrote:

> Hello,
>
> Am Sonntag, 22. Mai 2016, 20:24:53 CEST schrieb Martin Pitt:
> > Christian Boltz [2016-05-22 16:18 +0200]:
> > > "start" means loading the profiles and applying the confinement to
> > > _newly started_ profiles.
> > >
> > > This also means that _already running_ processes won't be
> > > (re)confined [1], which translates a small typo done by the admin
> > > ("systemctl restart apparmor" instead of "systemctl reload
> > > apparmor") to leaving lots of processes unconfined and turns that
> > > accidental use of "restart" into a security risk.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> > > This is why I need to override the "restart" behaviour so that it
> > > reloads the profiles while keeping running processes confined.
> > >
> > > The easiest solution would be an ExecRestart= directive in the
> > > service file, but unfortunately this isn't available.
> >
> > But ExecReload= is available, isn't that enough?
>
> Not really.
>
> I'm already using ExecReload= to reload the profiles (works fine), and
> hope all users actually read the documentation and use reload (and avoid
> restart).
>
> Please read the paragraph above the ^^^ marker again.
> The problem is what happens when someone accidentally uses restart.
>
> TL;DR: the stop/start restart behaviour removes confinement from running
> processes, thus making the system less secure/protected.
>
> So to make things secure and DAU-proof [1], I need one of
> - ExecRestart= (that would be the best option)
> - a way that prevents usage of restart (is there any?) or
> - ExecStop=echo "systemd broke this" (worst option)
>
>
> May I ask the other way round?
>
> systemd already has lots of directives to cover corner cases, so why do
> several people reject the idea that it should be possible to override
> the default restart behaviour?
>

RefuseManualStop=true

-- 
Mantas Mikulėnas <grawity at gmail.com>
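As an added illustration (not part of the original thread or of any project's shipped unit file), this is how the one-line suggestion above fits into a unit of the kind Christian describes. With RefuseManualStop=true, systemd rejects a manual `systemctl stop` and, because a restart job is a stop followed by a start, a manual `systemctl restart` as well, while `systemctl reload` still runs ExecReload= and keeps already-confined processes confined. The unit name, paths and the apparmor_parser command line are assumptions for the example.

```ini
# /etc/systemd/system/apparmor.service  (hypothetical unit for illustration)
[Unit]
Description=Load AppArmor profiles
# Ordering/dependency lines omitted; they do not affect the restart behaviour shown here.

[Service]
# A oneshot unit that stays "active" after the load finishes, so that
# "systemctl reload" and "systemctl status" behave sensibly.
Type=oneshot
RemainAfterExit=yes

# Assumed command: load (or replace, -r) every profile under /etc/apparmor.d.
ExecStart=/usr/sbin/apparmor_parser -r /etc/apparmor.d

# Reload replaces the loaded profiles in the kernel; running processes keep
# their confinement, which is the behaviour the admin actually wants.
ExecReload=/usr/sbin/apparmor_parser -r /etc/apparmor.d

# No ExecStop=: there is nothing to undo, and an unload would leave processes
# unconfined. RefuseManualStop= below makes that path unreachable by accident.

# Reject "systemctl stop apparmor" and "systemctl restart apparmor" from an
# operator. systemd answers "Operation refused, unit apparmor.service may be
# requested by dependency only"; the stop/start pair that would drop
# confinement is never queued. "systemctl reload apparmor" is unaffected.
RefuseManualStop=true

[Install]
WantedBy=multi-user.target
```

Two practical notes: the refusal applies only to manual requests over the bus, so the unit can still be stopped as part of a dependency transaction (for example at shutdown), which is the intended scope here; and because a typo'd `systemctl restart` now fails loudly instead of silently unconfining processes, it is worth watching for that refusal message in the journal as a signal that someone needs to be pointed at `reload`.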