[systemd-devel] Supervisory Watchdog notification not working when using SmackProcessLabel

Casey Schaufler casey at schaufler-ca.com
Wed Aug 1 16:32:27 UTC 2018


On 8/1/2018 3:18 AM, Martin Townsend wrote:
> Hi,
>
> I have a service running with a SmackProcessLabel that uses the
> supervisory watchdog feature, i.e. calls sd_notify().  The Watchdog
> keeps resetting the service and I get the following in the journal
>
> Jul 27 11:36:11 kernel: audit: type=1400 audit(1532691371.270:34):
> lsm=SMACK fn=smack_unix_may_send action=denied subject="apphealthd"
> object="_" requested=w pid=466 comm="apphealthd"
> path="/run/systemd/notify"
>
> /run/systemd/notify is a socket so I'm guessing sd_notify kicks the
> watchdog by writing to this socket.  The problem seems to be that the
> socket is labelled with the floor label.

What does "attr -S -g SMACK64 /run/systemd/notify" report?
It should say that the attribute value is "*". If it doesn't,
what kernel and systemd versions are you running? What is your
base system? (Tizen, Fedora, ...)

UDS socket access controls are done based on the processes
involved, not the file system object. Do you have any services
running with the floor ("_") label?


> After looking through the code that sets up the notify socket I
> quickly patched in some code to set SMACK64IPIN and IPOUT (not sure if
> this one is required).
>
> @@ -728,7 +729,12 @@ static int manager_setup_notify(Manager *m) {
>
>                  m->notify_fd = fd;
>                  fd = -1;
> -
> +                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPIN, "*");
> +                if (r < 0)
> +                        log_error_errno(r, "mac_smack_apply_ip_in_fd: %m");
> +                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPOUT, "@");
> +                if (r < 0)
> +                        log_error_errno(r, "mac_smack_apply_ip_out_fd: %m");
>                  log_debug("Using notification socket %s", m->notify_socket);
>          }
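Review bot: the two error messages name functions that are not the ones being called: `log_error_errno(r, "mac_smack_apply_ip_in_fd: %m")` follows a call to `mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPIN, "*")`, and the IPOUT branch has the same mismatch, so the journal entry would point at a non-existent function; log the attribute actually being set (e.g. "Failed to set SMACK64IPIN on notify socket: %m"). Both failures are also logged and then ignored, so the function falls through to "Using notification socket" with the socket still floor-labelled; either `return r` or add a comment stating that running with an unlabelled notify socket is the intended fallback. Finally, the hunk gives no reason for the asymmetric labels ("*" inbound, "@" outbound), and the cover text admits the IPOUT one may not be needed; a one-line comment explaining why each is set would spare the next reader the same question.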
>
> And the audit message has gone.

Your code above is the best way to ensure your service can
talk to everyone. You have to be sure talking to everyone is
really what you want to do.

> Is there a better way of ensuring /run/systemd/notify can be accessed
> by a service with a User defined SMACK label? or is this patch to
> manager_setup_notify sufficient?

You can always add access rules to allow communications.
In this case it would be

	apphealthd _ w
	_ apphealthd w

Generally you don't want to add rules for the floor ("_")
label, but that's where you're seeing an issue. If you compile
with SECURITY_SMACK_BRINGUP and use

	apphealthd _ wb
	_ apphealthd wb

accesses permitted by these rules will be logged so that you
can track down who you're talking to. 

>
> Many Thanks in Advance,
> Martin.
>
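As an added illustration, not code from the thread or from systemd: the access decision that produces the denial above, and that each of the two fixes discussed (adding explicit rules, or relabelling the socket's SMACK64IPIN/IPOUT) resolves, modelled in Python. The ordered checks follow the kernel's Smack documentation (star subject denied, web label permits everything, star object permits everything, same label permits, floor object and hat subject permit read/execute/lock, otherwise an explicit rule is required). The label names and rule lines are the ones from the thread; the helper names and the modelling of smack_unix_may_send as "sender's IPOUT label writes to receiver's IPIN label" are this example's own.

```python
"""Smack access-decision model, constructed for the notify-socket case above.

The sending socket's SMACK64IPOUT label (by default the creating task's
label, here "apphealthd") must have write access to the receiving socket's
SMACK64IPIN label (here "_", the floor, as the audit record shows).
"""


def parse_rules(text):
    """Parse 'subject object access' lines (the smackload format, as in the
    reply above) into {(subject, object): set-of-access-chars}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        subject, obj, access = line.split()
        rules.setdefault((subject, obj), set()).update(c for c in access if c != "-")
    return rules


def smack_access(subject, obj, mode, rules):
    """True if a subject labelled `subject` may perform `mode` (a single
    access char r/w/x/a/t/l) on an object labelled `obj`.
    Order of the hard-coded checks follows the kernel Smack documentation."""
    if subject == "*":                      # star subject: may access nothing
        return False
    if subject == "@" or obj == "@":        # web label: any access permitted
        return True
    if obj == "*":                          # star object: any access permitted
        return True
    if subject == obj:                      # same label: any access permitted
        return True
    if mode in ("r", "x", "l"):             # read/execute/lock only:
        if obj == "_" or subject == "^":    # floor object, hat subject
            return True
    return mode in rules.get((subject, obj), set())   # explicit rule needed


def decide(sender_label, socket_ipin_label, rules_text):
    """Model smack_unix_may_send(): write access from the sending socket's
    label to the receiving socket's IPIN label.  A rule carrying the
    bringup-only 'b' mode permits the access but flags it as logged."""
    rules = parse_rules(rules_text)
    if not smack_access(sender_label, socket_ipin_label, "w", rules):
        return "denied"
    if "b" in rules.get((sender_label, socket_ipin_label), set()):
        return "allowed (bringup rule, access logged)"
    return "allowed"


def thread_scenarios():
    """The situations discussed in the thread, evaluated by the model."""
    return {
        # original failure: apphealthd -> floor-labelled notify socket, no rules
        "no_rules": decide("apphealthd", "_", ""),
        # the explicit rules suggested in the reply
        "rules": decide("apphealthd", "_", "apphealthd _ w\n_ apphealthd w\n"),
        # the same rules with bringup mode, so permitted accesses are logged
        "bringup": decide("apphealthd", "_", "apphealthd _ wb\n_ apphealthd wb\n"),
        # the patch: notify socket IPIN relabelled to "*", anyone may write
        "patch_ipin_star": decide("apphealthd", "*", ""),
        # the patch's IPOUT "@": the manager's socket may send to any label
        "patch_ipout_web": decide("@", "apphealthd", ""),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:>16}: {result}")
```

The model makes the trade-off in the reply concrete: the two-line rule set opens write access only between "apphealthd" and "_", whereas relabelling the socket "*" (and the manager side "@") accepts every sender and reaches every receiver, which is the "talk to everyone" outcome to be sure you actually want.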