Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Tue, Nov 12, 2013 at 03:16:17PM +0100, Karel Zak wrote:
> On Fri, Nov 01, 2013 at 09:19:27AM -0700, Kok, Auke-jan H wrote:
> > On Fri, Nov 1, 2013 at 12:57 AM, Karel Zak k...@redhat.com wrote:
> > > On Thu, Oct 31, 2013 at 01:20:18PM -0700, Kok, Auke-jan H wrote:
> > > > > BTW, for SELinux we remove selinux specific mount options in userspace (in mount(8)) if the kernel does not support selinux. It helps us to make command line or fstab settings independent of the current kernel features. Maybe we can use the same for SMACK; is there any way to determine that the system uses SMACK? (/proc/something or so...). -- for selinux we check for /sys/fs/selinux or /selinux.
> > > >
> > > > Ohh yes that would be so nice. You've got your choice for detecting smack, but I like stat(/sys/fs/smackfs) == 0 the best so far. You can parse /proc/filesystems for smackfs too, but that's obviously more complex. This method works with 3.9 and above, as that's when we made sysfs hold the mount point for smackfs.
> > > >
> > > > I assume we're talking about this code here: https://github.com/karelzak/util-linux/blob/master/libmount/src/context_mount.c#L181
> > >
> > > Yes, the se_rem code (with SELinux it is tricky, because old kernels don't support selinux options remount, option duplication is a problem etc.). I guess that for SMACK it will be less complex :-). Do you have somewhere a list of the smack mount options? I'll prepare the patch.
> >
> > Yes, the authoritative documentation is the code: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smack.h#n143
>
> OK, implemented: https://github.com/karelzak/util-linux/commit/b8095d25bae0588dfce8a62169f6db5496cf45c5

Oh, there is a typo in the /sys/fs/smackfs path, fixed. Sorry.

    Karel

-- 
 Karel Zak  k...@redhat.com
 http://karelzak.blogspot.com

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Nov 12, 2013 6:16 AM, Karel Zak k...@redhat.com wrote:
> On Fri, Nov 01, 2013 at 09:19:27AM -0700, Kok, Auke-jan H wrote:
> > On Fri, Nov 1, 2013 at 12:57 AM, Karel Zak k...@redhat.com wrote:
> > > On Thu, Oct 31, 2013 at 01:20:18PM -0700, Kok, Auke-jan H wrote:
> > > > > BTW, for SELinux we remove selinux specific mount options in userspace (in mount(8)) if the kernel does not support selinux. It helps us to make command line or fstab settings independent of the current kernel features. Maybe we can use the same for SMACK; is there any way to determine that the system uses SMACK? (/proc/something or so...). -- for selinux we check for /sys/fs/selinux or /selinux.
> > > >
> > > > Ohh yes that would be so nice. You've got your choice for detecting smack, but I like stat(/sys/fs/smackfs) == 0 the best so far. You can parse /proc/filesystems for smackfs too, but that's obviously more complex. This method works with 3.9 and above, as that's when we made sysfs hold the mount point for smackfs.
> > > >
> > > > I assume we're talking about this code here: https://github.com/karelzak/util-linux/blob/master/libmount/src/context_mount.c#L181
> > >
> > > Yes, the se_rem code (with SELinux it is tricky, because old kernels don't support selinux options remount, option duplication is a problem etc.). I guess that for SMACK it will be less complex :-). Do you have somewhere a list of the smack mount options? I'll prepare the patch.
> >
> > Yes, the authoritative documentation is the code: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smack.h#n143
>
> OK, implemented: https://github.com/karelzak/util-linux/commit/b8095d25bae0588dfce8a62169f6db5496cf45c5
>
> You have to compile util-linux with --with-smack. It's a trivial change, so I can backport it to the next stable release v2.24.1 (at the end of this year). OK?

Awesome - looks good (with the typo fix) and we'll get this tested.

Thanks again!

Auke
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Thu, Oct 31, 2013 at 01:20:18PM -0700, Kok, Auke-jan H wrote:
> > BTW, for SELinux we remove selinux specific mount options in userspace (in mount(8)) if the kernel does not support selinux. It helps us to make command line or fstab settings independent of the current kernel features. Maybe we can use the same for SMACK; is there any way to determine that the system uses SMACK? (/proc/something or so...). -- for selinux we check for /sys/fs/selinux or /selinux.
>
> Ohh yes that would be so nice. You've got your choice for detecting smack, but I like stat(/sys/fs/smackfs) == 0 the best so far. You can parse /proc/filesystems for smackfs too, but that's obviously more complex. This method works with 3.9 and above, as that's when we made sysfs hold the mount point for smackfs.
>
> I assume we're talking about this code here: https://github.com/karelzak/util-linux/blob/master/libmount/src/context_mount.c#L181

Yes, the se_rem code (with SELinux it is tricky, because old kernels don't support selinux options remount, option duplication is a problem etc.). I guess that for SMACK it will be less complex :-). Do you have somewhere a list of the smack mount options? I'll prepare the patch.

BTW, the options should also be documented in the mount.8 man page :-)

    Karel

-- 
 Karel Zak  k...@redhat.com
 http://karelzak.blogspot.com
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Fri, Nov 1, 2013 at 12:57 AM, Karel Zak k...@redhat.com wrote:
> On Thu, Oct 31, 2013 at 01:20:18PM -0700, Kok, Auke-jan H wrote:
> > > BTW, for SELinux we remove selinux specific mount options in userspace (in mount(8)) if the kernel does not support selinux. It helps us to make command line or fstab settings independent of the current kernel features. Maybe we can use the same for SMACK; is there any way to determine that the system uses SMACK? (/proc/something or so...). -- for selinux we check for /sys/fs/selinux or /selinux.
> >
> > Ohh yes that would be so nice. You've got your choice for detecting smack, but I like stat(/sys/fs/smackfs) == 0 the best so far. You can parse /proc/filesystems for smackfs too, but that's obviously more complex. This method works with 3.9 and above, as that's when we made sysfs hold the mount point for smackfs.
> >
> > I assume we're talking about this code here: https://github.com/karelzak/util-linux/blob/master/libmount/src/context_mount.c#L181
>
> Yes, the se_rem code (with SELinux it is tricky, because old kernels don't support selinux options remount, option duplication is a problem etc.). I guess that for SMACK it will be less complex :-). Do you have somewhere a list of the smack mount options? I'll prepare the patch.

Yes, the authoritative documentation is the code:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smack.h#n143

        /*
         * Mount options
         */
        #define SMK_FSDEFAULT   "smackfsdef="
        #define SMK_FSFLOOR     "smackfsfloor="
        #define SMK_FSHAT       "smackfshat="
        #define SMK_FSROOT      "smackfsroot="
        #define SMK_FSTRANS     "smackfstransmute="

> BTW, the options should also be documented in the mount.8 man page :-)

nod

Thanks,

Auke
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Tue, Oct 29, 2013 at 01:27:07PM +0100, Lennart Poettering wrote:
> On Tue, 29.10.13 16:02, WaLyong Cho (walyong@samsung.com) wrote:
> > > > Hmm, here's an idea: there has been a long standing feature request to add a configurable boolean to mount unit files that controls /bin/mount's -s switch. Let's say we call it SloppyOptions=yes/no, or so. Then, we could set this for this unit file and apply the rest of the patch and things should work, and where they don't we can easily reassign to the kernel to respect the -s flag properly. Doing a patch that allows -s to be controlled should be fairly easy, would be happy to merge a patch for that!
> > >
> > > ahhh I hadn't even seen -s in /bin/mount yet, so I can see this helping out a lot.
> > >
> > > I'd be okay with a solution like that, it would certainly simplify things a lot, but we need to be careful not to overload mount options with all sorts of nonstandard options - it will make problems harder to debug and for some of these security enabled systems we will most likely want to actually _not_ use -s. After all, we want to make sure we're actually booting with properly setup Smack options e.g. a typo in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
> > >
> > > Auke
> >
> > I am not sure we can use the -s option. First I tried that on my fedora machine.
> >
> > # mount -t tmpfs -s -o mode=1777,strictatime,smackfsroot=* tmpfs /test
> > mount: wrong fs type, bad option, bad superblock on tmpfs,
> >        missing codepage or helper program, or other error
> >        In some cases useful info is found in syslog - try
> >        dmesg | tail or so.
> >
> > # dmesg
> > [  752.222803] tmpfs: Bad mount option smackfsroot
>
> Hmm, it appears that libmount/util-linux actually appears to ignore the sloppy mount option entirely. Adding kzak to CC. Karel, what's going on here? Does -s have any use at all?

The -s is supported by mount.nfs only. It has never been implemented for anything else. There is no kernel mount flag for this option.

> Can we make it work for us?

Add MS_SLOPPY to kernel :-)

    Karel

-- 
 Karel Zak  k...@redhat.com
 http://karelzak.blogspot.com
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Tue, Oct 29, 2013 at 01:27:07PM +0100, Lennart Poettering wrote:
> On Tue, 29.10.13 16:02, WaLyong Cho (walyong@samsung.com) wrote:
> > > > Hmm, here's an idea: there has been a long standing feature request to add a configurable boolean to mount unit files that controls /bin/mount's -s switch. Let's say we call it SloppyOptions=yes/no, or so. Then, we could set this for this unit file and apply the rest of the patch and things should work, and where they don't we can easily reassign to the kernel to respect the -s flag properly. Doing a patch that allows -s to be controlled should be fairly easy, would be happy to merge a patch for that!
> > >
> > > ahhh I hadn't even seen -s in /bin/mount yet, so I can see this helping out a lot.
> > >
> > > I'd be okay with a solution like that, it would certainly simplify things a lot, but we need to be careful not to overload mount options with all sorts of nonstandard options - it will make problems harder to debug and for some of these security enabled systems we will most likely want to actually _not_ use -s. After all, we want to make sure we're actually booting with properly setup Smack options e.g. a typo in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
> > >
> > > Auke
> >
> > I am not sure we can use the -s option. First I tried that on my fedora machine.
> >
> > # mount -t tmpfs -s -o mode=1777,strictatime,smackfsroot=* tmpfs /test

BTW, for SELinux we remove selinux specific mount options in userspace (in mount(8)) if the kernel does not support selinux. It helps us to make command line or fstab settings independent of the current kernel features. Maybe we can use the same for SMACK; is there any way to determine that the system uses SMACK? (/proc/something or so...). -- for selinux we check for /sys/fs/selinux or /selinux.

It would be easier than playing nasty games with -s.

    Karel

-- 
 Karel Zak  k...@redhat.com
 http://karelzak.blogspot.com
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Thu, Oct 31, 2013 at 12:00 PM, Karel Zak k...@redhat.com wrote:
> On Tue, Oct 29, 2013 at 01:27:07PM +0100, Lennart Poettering wrote:
> > On Tue, 29.10.13 16:02, WaLyong Cho (walyong@samsung.com) wrote:
> > > > > Hmm, here's an idea: there has been a long standing feature request to add a configurable boolean to mount unit files that controls /bin/mount's -s switch. Let's say we call it SloppyOptions=yes/no, or so. Then, we could set this for this unit file and apply the rest of the patch and things should work, and where they don't we can easily reassign to the kernel to respect the -s flag properly. Doing a patch that allows -s to be controlled should be fairly easy, would be happy to merge a patch for that!
> > > >
> > > > ahhh I hadn't even seen -s in /bin/mount yet, so I can see this helping out a lot.
> > > >
> > > > I'd be okay with a solution like that, it would certainly simplify things a lot, but we need to be careful not to overload mount options with all sorts of nonstandard options - it will make problems harder to debug and for some of these security enabled systems we will most likely want to actually _not_ use -s. After all, we want to make sure we're actually booting with properly setup Smack options e.g. a typo in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
> > > >
> > > > Auke
> > >
> > > I am not sure we can use the -s option. First I tried that on my fedora machine.
> > >
> > > # mount -t tmpfs -s -o mode=1777,strictatime,smackfsroot=* tmpfs /test
>
> BTW, for SELinux we remove selinux specific mount options in userspace (in mount(8)) if the kernel does not support selinux. It helps us to make command line or fstab settings independent of the current kernel features. Maybe we can use the same for SMACK; is there any way to determine that the system uses SMACK? (/proc/something or so...). -- for selinux we check for /sys/fs/selinux or /selinux.

Ohh yes that would be so nice. You've got your choice for detecting smack, but I like stat(/sys/fs/smackfs) == 0 the best so far.

You can parse /proc/filesystems for smackfs too, but that's obviously more complex. This method works with 3.9 and above, as that's when we made sysfs hold the mount point for smackfs.

I assume we're talking about this code here:

https://github.com/karelzak/util-linux/blob/master/libmount/src/context_mount.c#L181

?

Auke
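The detection and option-stripping that Karel and Auke discuss above (drop the Smack mount options in userspace when the running kernel has no Smack, the way mount(8) already does for SELinux options), written out as an added example in C. This is illustration code, not util-linux, libmount or systemd code. What it takes from the thread: the two detection methods Auke names (stat() on /sys/fs/smackfs on kernels 3.9 and later, or a "smackfs" entry in /proc/filesystems) and the option names from the SMK_FS* defines in security/smack/smack.h. Assumed, not from the thread: that /proc/filesystems lines have the form "[nodev]<TAB>name", the function names, and the tmp.mount option string used in main().

```c
/* Added example, not util-linux/libmount/systemd code: detect Smack at run
 * time and strip Smack-specific mount options when the kernel lacks Smack,
 * so a kernel without Smack never sees an option it would reject. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Option prefixes the Smack LSM recognises (SMK_FS* in security/smack/smack.h). */
static const char *const smack_option_prefixes[] = {
        "smackfsdef=", "smackfsfloor=", "smackfshat=",
        "smackfsroot=", "smackfstransmute=", NULL
};

/* True if the option token at tok is a Smack option. Only the prefix is
 * compared, so tok may end at a comma rather than at a NUL. */
int is_smack_option(const char *tok)
{
        for (int i = 0; smack_option_prefixes[i]; i++)
                if (strncmp(tok, smack_option_prefixes[i],
                            strlen(smack_option_prefixes[i])) == 0)
                        return 1;
        return 0;
}

/* Detection 1 (kernel >= 3.9): sysfs holds the smackfs mount point. */
int smack_sysfs_present(void)
{
        struct stat st;
        return stat("/sys/fs/smackfs", &st) == 0;
}

/* Detection 2: "smackfs" listed in /proc/filesystems. The caller passes the
 * file's text so this also runs on a host without Smack. Assumed layout:
 * one "[nodev]<TAB>name" entry per line, name being the last field. */
int smackfs_in_proc_filesystems(const char *text)
{
        const char *line = text;
        while (*line) {
                const char *eol = strchr(line, '\n');
                size_t len = eol ? (size_t)(eol - line) : strlen(line);
                const char *name = line + len;
                while (name > line && name[-1] != '\t' && name[-1] != ' ')
                        name--;
                if ((size_t)(line + len - name) == 7 &&
                    strncmp(name, "smackfs", 7) == 0)
                        return 1;
                if (!eol)
                        break;
                line = eol + 1;
        }
        return 0;
}

/* Copy the comma-separated opts into out (size outlen), omitting Smack options
 * when kernel_has_smack is 0. Empty tokens are dropped silently. Returns the
 * number of Smack options removed, or -1 if out is too small. */
int filter_smack_options(const char *opts, int kernel_has_smack,
                         char *out, size_t outlen)
{
        int dropped = 0;
        size_t used = 0;
        const char *p = opts;

        if (outlen == 0)
                return -1;
        out[0] = '\0';
        while (*p) {
                const char *end = strchr(p, ',');
                size_t len = end ? (size_t)(end - p) : strlen(p);

                if (len > 0 && !kernel_has_smack && is_smack_option(p)) {
                        dropped++;
                } else if (len > 0) {
                        if (used + len + (used ? 1 : 0) + 1 > outlen)
                                return -1;
                        if (used)
                                out[used++] = ',';
                        memcpy(out + used, p, len);
                        used += len;
                        out[used] = '\0';
                }
                if (!end)
                        break;
                p = end + 1;
        }
        return dropped;
}

/* Run the filter and compare the result with an expected string. */
int filter_gives(const char *opts, int kernel_has_smack, const char *expected)
{
        char buf[256];
        if (filter_smack_options(opts, kernel_has_smack, buf, sizeof buf) < 0)
                return 0;
        return strcmp(buf, expected) == 0;
}

/* Stand-alone run: what tmp.mount's option string becomes on this host. */
int main(void)
{
        char opts[256];
        int have_smack = smack_sysfs_present();
        int dropped = filter_smack_options("mode=1777,strictatime,smackfsroot=*",
                                           have_smack, opts, sizeof opts);
        printf("Smack in kernel: %s\nmount -t tmpfs -o %s tmpfs /tmp  (%d dropped)\n",
               have_smack ? "yes" : "no", opts, dropped);
        return 0;
}
```

The filter only ever removes options; when Smack is present the string passes through untouched, which is what Auke asks for when he warns against silently swallowing a misspelled security option with -s. Note that this protects against the wrong kernel, not against a typo: a token such as "smackfsrot=*" matches no prefix and would still reach, and be rejected by, the kernel.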
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On 10/29/2013 07:48 AM, Kok, Auke-jan H wrote:
> On Mon, Oct 28, 2013 at 1:09 PM, Lennart Poettering lenn...@poettering.net wrote:
> > On Mon, 28.10.13 12:59, Kok, Auke-jan H (auke-jan.h@intel.com) wrote:
> > > On Mon, Oct 28, 2013 at 8:58 AM, Lennart Poettering lenn...@poettering.net wrote:
> > > > On Mon, 28.10.13 19:44, WaLyong Cho (walyong@samsung.com) wrote:
> > > > > For the same reason as /run and /dev/shm, when systemd is running with SMACK, countless tasks fail because of missing privileges. To avoid this, /tmp is assigned the '*' label.
> > > >
> > > > Won't this break if people compile systemd with SMACK enabled but run a kernel that has it disabled? We had a similar problem for the other mounts like /run, where we found a somewhat nice solution, but I am not sure how we can make the same work here...
> > >
> > > Our posts intersected, badly. Yes, as I said in my mail, this sadly does a bad job for those folks running with smack enabled in systemd but with it disabled in the kernel. For Tizen, we're thinking of just keeping this patch out of tree (and it will just be a one-liner). We could do a ConditionSecurity=Smack, or something like that (ottomh) but we'd get duplicate tmp mounts, which is bad due to the way we name mount units. ick.
> >
> > Hmm, here's an idea: there has been a long standing feature request to add a configurable boolean to mount unit files that controls /bin/mount's -s switch. Let's say we call it SloppyOptions=yes/no, or so. Then, we could set this for this unit file and apply the rest of the patch and things should work, and where they don't we can easily reassign to the kernel to respect the -s flag properly. Doing a patch that allows -s to be controlled should be fairly easy, would be happy to merge a patch for that!
>
> ahhh I hadn't even seen -s in /bin/mount yet, so I can see this helping out a lot.
>
> I'd be okay with a solution like that, it would certainly simplify things a lot, but we need to be careful not to overload mount options with all sorts of nonstandard options - it will make problems harder to debug and for some of these security enabled systems we will most likely want to actually _not_ use -s. After all, we want to make sure we're actually booting with properly setup Smack options e.g. a typo in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
>
> Auke

I am not sure we can use the -s option. First I tried that on my fedora machine.

# mount -t tmpfs -s -o mode=1777,strictatime,smackfsroot=* tmpfs /test
mount: wrong fs type, bad option, bad superblock on tmpfs,
       missing codepage or helper program, or other error
       In some cases useful info is found in syslog - try
       dmesg | tail or so.

# dmesg
[  752.222803] tmpfs: Bad mount option smackfsroot

In spite of the -s option, we can still see "Bad mount option smackfsroot". Was I doing something wrong?

How about adding specific options for smack? According to http://schaufler-ca.com/description_from_the_linux_source_tree Smack supports some mount options:

  smackfsdef=label: specifies the label to give files that lack the Smack label extended attribute.
  smackfsroot=label: specifies the label to assign the root of the file system if it lacks the Smack extended attribute.
  smackfshat=label: specifies a label that must have read access to all labels set on the filesystem. Not yet enforced.
  smackfsfloor=label: specifies a label to which all labels set on the filesystem must have read access. Not yet enforced.

If we support a 'SmackFsRoot=label' option and append the 'smackfsroot' option after checking for smack with test_security(smack), then I think we can solve most problems (with Auke's worry).

WaLyong
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Tue, 29.10.13 16:02, WaLyong Cho (walyong@samsung.com) wrote:
> > > Hmm, here's an idea: there has been a long standing feature request to add a configurable boolean to mount unit files that controls /bin/mount's -s switch. Let's say we call it SloppyOptions=yes/no, or so. Then, we could set this for this unit file and apply the rest of the patch and things should work, and where they don't we can easily reassign to the kernel to respect the -s flag properly. Doing a patch that allows -s to be controlled should be fairly easy, would be happy to merge a patch for that!
> >
> > ahhh I hadn't even seen -s in /bin/mount yet, so I can see this helping out a lot.
> >
> > I'd be okay with a solution like that, it would certainly simplify things a lot, but we need to be careful not to overload mount options with all sorts of nonstandard options - it will make problems harder to debug and for some of these security enabled systems we will most likely want to actually _not_ use -s. After all, we want to make sure we're actually booting with properly setup Smack options e.g. a typo in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).
> >
> > Auke
>
> I am not sure we can use the -s option. First I tried that on my fedora machine.
>
> # mount -t tmpfs -s -o mode=1777,strictatime,smackfsroot=* tmpfs /test
> mount: wrong fs type, bad option, bad superblock on tmpfs,
>        missing codepage or helper program, or other error
>        In some cases useful info is found in syslog - try
>        dmesg | tail or so.
>
> # dmesg
> [  752.222803] tmpfs: Bad mount option smackfsroot

Hmm, it appears that libmount/util-linux actually appears to ignore the sloppy mount option entirely. Adding kzak to CC.

Karel, what's going on here? Does -s have any use at all? Can we make it work for us?

Lennart

-- 
Lennart Poettering, Red Hat
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Tue, Oct 29, 2013 at 12:02 AM, WaLyong Cho walyong@samsung.com wrote:
> How about adding specific options for smack? According to http://schaufler-ca.com/description_from_the_linux_source_tree Smack supports some mount options:
>
>   smackfsdef=label: specifies the label to give files that lack the Smack label extended attribute.
>   smackfsroot=label: specifies the label to assign the root of the file system if it lacks the Smack extended attribute.
>   smackfshat=label: specifies a label that must have read access to all labels set on the filesystem. Not yet enforced.
>   smackfsfloor=label: specifies a label to which all labels set on the filesystem must have read access. Not yet enforced.
>
> If we support a 'SmackFsRoot=label' option and append the 'smackfsroot' option after checking for smack with test_security(smack), then I think we can solve most problems (with Auke's worry).

Adding config options for optional mount options that aren't even standard... sorry, that just sounds like a terrible idea. Let's see why the -s option in mount isn't working.

For Tizen, I'd rather see a ConditionSecurity=!smack / ConditionSecurity=smack pair of complementary unit files since that is a method that should already work and even cover the case where you boot with security=none or even a kernel with smack disabled. Again a solution I would not recommend carrying upstream but it solves the problem for Tizen well and would be a 20-line patch or so.

Cheers,

Auke
[systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
At the same reason of /run and /dev/shm, when systemd is running with SMACK, countless tasks are failed by missed privilege. To avoid, /tmp is assigned '*' label. --- Makefile.am| 10 ++ configure.ac |4 +++- units/tmp.mount| 20 units/tmp.mount.m4 | 22 ++ 4 files changed, 31 insertions(+), 25 deletions(-) delete mode 100644 units/tmp.mount create mode 100644 units/tmp.mount.m4 diff --git a/Makefile.am b/Makefile.am index 4a96a50..6c977e8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -399,7 +399,6 @@ dist_systemunit_DATA = \ units/sys-kernel-config.mount \ units/sys-kernel-debug.mount \ units/sys-fs-fuse-connections.mount \ - units/tmp.mount \ units/printer.target \ units/sound.target \ units/bluetooth.target \ @@ -444,7 +443,8 @@ nodist_systemunit_DATA = \ units/initrd-cleanup.service \ units/initrd-udevadm-cleanup-db.service \ units/initrd-switch-root.service \ - units/systemd-nspawn@.service + units/systemd-nspawn@.service \ + units/tmp.mount dist_userunit_DATA = \ units/user/default.target \ @@ -488,12 +488,14 @@ EXTRA_DIST += \ units/initrd-cleanup.service.in \ units/initrd-udevadm-cleanup-db.service.in \ units/initrd-switch-root.service.in \ - units/systemd-nsp...@.service.in + units/systemd-nsp...@.service.in \ + units/tmp.mount.m4 CLEANFILES += \ units/console-shell.service.m4 \ units/console-getty.service.m4 \ - units/rescue.service.m4 + units/rescue.service.m4 \ + units/tmp.mount.m4 if HAVE_SYSV_COMPAT nodist_systemunit_DATA += \ diff --git a/configure.ac b/configure.ac index 7e41d57..65268e8 100644 --- a/configure.ac +++ b/configure.ac @@ -503,6 +503,8 @@ AC_SUBST(XATTR_LIBS) AM_CONDITIONAL([HAVE_XATTR], [test x$have_xattr != xno]) # -- +M4_DEFINES= + AC_ARG_ENABLE([smack], AS_HELP_STRING([--disable-smack],[Disable optional SMACK support]), [case ${enableval} in yes) have_smack=yes ;; 
@@ -531,6 +533,7 @@ AS_HELP_STRING([--with-smack-run-label=STRING], if test x${have_smack} = xyes ; then AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available]) +M4_DEFINES=$M4_DEFINES -DHAVE_SMACK fi # -- @@ -891,7 +894,6 @@ AM_CONDITIONAL(ENABLE_MANPAGES, [test x$have_manpages = xyes]) # Location of the init scripts as mandated by LSB SYSTEM_SYSVINIT_PATH=/etc/init.d SYSTEM_SYSVRCND_PATH=/etc/rc.d -M4_DEFINES= AC_ARG_WITH([sysvinit-path], [AS_HELP_STRING([--with-sysvinit-path=PATH], diff --git a/units/tmp.mount b/units/tmp.mount deleted file mode 100644 index 99a3ba3..000 --- a/units/tmp.mount +++ /dev/null @@ -1,20 +0,0 @@ -# This file is part of systemd. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation; either version 2.1 of the License, or -# (at your option) any later version. - -[Unit] -Description=Temporary Directory -Documentation=man:hier(7) -Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems -DefaultDependencies=no -Conflicts=umount.target -Before=local-fs.target umount.target - -[Mount] -What=tmpfs -Where=/tmp -Type=tmpfs -Options=mode=1777,strictatime diff --git a/units/tmp.mount.m4 b/units/tmp.mount.m4 new file mode 100644 index 000..46c7fcd --- /dev/null +++ b/units/tmp.mount.m4 
@@ -0,0 +1,22 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Temporary Directory +Documentation=man:hier(7) +Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems +DefaultDependencies=no +Conflicts=umount.target +Before=local-fs.target umount.target + +[Mount] +What=tmpfs +Where=/tmp +Type=tmpfs +m4_ifdef(`HAVE_SMACK', +`Options=mode=1777,strictatime,smackfsroot=*', +`Options=mode=1777,strictatime') -- 1.7.9.5 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
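Review bot: units/tmp.mount.m4 must not be in CLEANFILES (the @@ -488,12 +488,14 @@ hunk of Makefile.am): it is the hand-written source, new in this patch (new file mode 100644) and listed in EXTRA_DIST two lines earlier, so `make clean` would delete it from the checkout. The neighbouring CLEANFILES entries are there because they are build products; a file that is shipped in the tarball is not. Drop `units/tmp.mount.m4` from CLEANFILES and make sure the generated `units/tmp.mount` is cleaned wherever the other nodist_systemunit_DATA outputs are.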
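Review bot: no rule in the patch produces units/tmp.mount from units/tmp.mount.m4, yet the @@ -444,7 +443,8 @@ hunk now lists units/tmp.mount under nodist_systemunit_DATA (and the @@ -399,7 +399,6 @@ hunk removes it from the dist list). Confirm that an existing generic rule for units/*.m4 with $(M4_DEFINES) picks the new file up, or add one; otherwise make has no recipe for a file it is asked to install.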
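Review bot: the relocation of `M4_DEFINES=` in the @@ -503,6 +503,8 @@ hunk of configure.ac (with the old initialization removed in @@ -891,7 +894,6 @@) is required, because left where it was the empty assignment would reset the variable after `-DHAVE_SMACK` had been appended. A one-line comment at the new location, saying the initialization must stay above every `M4_DEFINES=$M4_DEFINES ...` append, would stop a later cleanup from moving it back down next to the sysvinit block where it originally lived.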
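Review bot: `-DHAVE_SMACK` in the @@ -531,6 +533,7 @@ hunk is appended whenever have_smack=yes, and as Auke notes in his reply that is what every build with xattr support ends up with even without --enable-smack, so the m4 conditional fixes the Smack option into tmp.mount at configure time although whether the booted kernel accepts it is only known at run time. Separately, the append is shown as `M4_DEFINES=$M4_DEFINES -DHAVE_SMACK` without quotes; if that is not an artifact of how the mail was rendered it has to be `M4_DEFINES="$M4_DEFINES -DHAVE_SMACK"`, since unquoted the shell would run -DHAVE_SMACK as a command with M4_DEFINES in its environment.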
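Review bot: with `smackfsroot=*` baked into `Options=` by m4_ifdef in units/tmp.mount.m4, a systemd built with HAVE_SMACK and booted on a kernel without Smack does not merely lose the label: tmpfs rejects the unknown option (the thread later shows `tmpfs: Bad mount option smackfsroot`) and /tmp is not mounted at all. A runtime gate is needed before this can go upstream, either a ConditionSecurity= check on the unit or mount(8) dropping the option when /sys/fs/smackfs is absent. Style: the m4_ifdef duplicates the whole Options= line; emitting only the `,smackfsroot=*` suffix conditionally keeps the two branches from drifting apart.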
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Mon, 28.10.13 19:44, WaLyong Cho (walyong@samsung.com) wrote: At the same reason of /run and /dev/shm, when systemd is running with SMACK, countless tasks are failed by missed privilege. To avoid, /tmp is assigned '*' label. Won't this break if people compile systemd with SMACK enabled but run a kernel that has it disabled? We had a similar problem for the other mounts like /run, where we found a somewhat nice solution, but I am not sure how we can make the same work here... Lennart --- Makefile.am| 10 ++ configure.ac |4 +++- units/tmp.mount| 20 units/tmp.mount.m4 | 22 ++ 4 files changed, 31 insertions(+), 25 deletions(-) delete mode 100644 units/tmp.mount create mode 100644 units/tmp.mount.m4 diff --git a/Makefile.am b/Makefile.am index 4a96a50..6c977e8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -399,7 +399,6 @@ dist_systemunit_DATA = \ units/sys-kernel-config.mount \ units/sys-kernel-debug.mount \ units/sys-fs-fuse-connections.mount \ - units/tmp.mount \ units/printer.target \ units/sound.target \ units/bluetooth.target \ @@ -444,7 +443,8 @@ nodist_systemunit_DATA = \ units/initrd-cleanup.service \ units/initrd-udevadm-cleanup-db.service \ units/initrd-switch-root.service \ - units/systemd-nspawn@.service + units/systemd-nspawn@.service \ + units/tmp.mount dist_userunit_DATA = \ units/user/default.target \ @@ -488,12 +488,14 @@ EXTRA_DIST += \ units/initrd-cleanup.service.in \ units/initrd-udevadm-cleanup-db.service.in \ units/initrd-switch-root.service.in \ - units/systemd-nsp...@.service.in + units/systemd-nsp...@.service.in \ + units/tmp.mount.m4 CLEANFILES += \ units/console-shell.service.m4 \ units/console-getty.service.m4 \ - units/rescue.service.m4 + units/rescue.service.m4 \ + units/tmp.mount.m4 if HAVE_SYSV_COMPAT nodist_systemunit_DATA += \ diff --git a/configure.ac b/configure.ac index 7e41d57..65268e8 100644 --- a/configure.ac +++ b/configure.ac 
@@ -503,6 +503,8 @@ AC_SUBST(XATTR_LIBS) AM_CONDITIONAL([HAVE_XATTR], [test x$have_xattr != xno]) # -- +M4_DEFINES= + AC_ARG_ENABLE([smack], AS_HELP_STRING([--disable-smack],[Disable optional SMACK support]), [case ${enableval} in yes) have_smack=yes ;; @@ -531,6 +533,7 @@ AS_HELP_STRING([--with-smack-run-label=STRING], if test x${have_smack} = xyes ; then AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available]) +M4_DEFINES=$M4_DEFINES -DHAVE_SMACK fi # -- @@ -891,7 +894,6 @@ AM_CONDITIONAL(ENABLE_MANPAGES, [test x$have_manpages = xyes]) # Location of the init scripts as mandated by LSB SYSTEM_SYSVINIT_PATH=/etc/init.d SYSTEM_SYSVRCND_PATH=/etc/rc.d -M4_DEFINES= AC_ARG_WITH([sysvinit-path], [AS_HELP_STRING([--with-sysvinit-path=PATH], diff --git a/units/tmp.mount b/units/tmp.mount deleted file mode 100644 index 99a3ba3..000 --- a/units/tmp.mount +++ /dev/null @@ -1,20 +0,0 @@ -# This file is part of systemd. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation; either version 2.1 of the License, or -# (at your option) any later version. - -[Unit] -Description=Temporary Directory -Documentation=man:hier(7) -Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems -DefaultDependencies=no -Conflicts=umount.target -Before=local-fs.target umount.target - -[Mount] -What=tmpfs -Where=/tmp -Type=tmpfs -Options=mode=1777,strictatime diff --git a/units/tmp.mount.m4 b/units/tmp.mount.m4 new file mode 100644 index 000..46c7fcd --- /dev/null +++ b/units/tmp.mount.m4 
@@ -0,0 +1,22 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Temporary Directory +Documentation=man:hier(7) +Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems +DefaultDependencies=no +Conflicts=umount.target +Before=local-fs.target umount.target + +[Mount] +What=tmpfs +Where=/tmp +Type=tmpfs +m4_ifdef(`HAVE_SMACK', +`Options=mode=1777,strictatime,smackfsroot=*', +`Options=mode=1777,strictatime') Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Mon, Oct 28, 2013 at 3:44 AM, WaLyong Cho walyong@samsung.com wrote:
> For the same reason as /run and /dev/shm, when systemd is running with SMACK, countless tasks fail because of missing privileges. To avoid this, /tmp is assigned the '*' label.

We discussed this problem earlier in our office last week as we're looking in to the same issues here, but the solution in this patch is very problematic:

+m4_ifdef(`HAVE_SMACK', +`Options=mode=1777,strictatime,smackfsroot=*', +`Options=mode=1777,strictatime')

The issue is here - the way you pass these options into tmp.mount makes it so that everyone who has compiled systemd with Smack enabled will attempt to mount tmpfs with these smack options. This is a problem since:

1) mount fails if the option smackfsroot=* is not known, and because
2) if the kernel was not booted with Smack, the option is not known/invalid
and most importantly:
3) everyone who compiles systemd with xattr support will have Smack enabled too, even if they did not pass --enable-smack to configure.

In short, you'd break everyone's tmp.mount with this patch.

Patches like this need to stay out of the upstream tree, until we figure out how to automatically retry without these Smack specific options, or some other more elegant solution that doesn't break everyone else.

Cheers,

Auke
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Mon, Oct 28, 2013 at 8:58 AM, Lennart Poettering lenn...@poettering.net wrote:
> On Mon, 28.10.13 19:44, WaLyong Cho (walyong@samsung.com) wrote:
> > For the same reason as /run and /dev/shm, when systemd is running with SMACK, countless tasks fail because of missing privileges. To avoid this, /tmp is assigned the '*' label.
>
> Won't this break if people compile systemd with SMACK enabled but run a kernel that has it disabled? We had a similar problem for the other mounts like /run, where we found a somewhat nice solution, but I am not sure how we can make the same work here...

Our posts intersected, badly. Yes, as I said in my mail, this sadly does a bad job for those folks running with smack enabled in systemd but with it disabled in the kernel.

For Tizen, we're thinking of just keeping this patch out of tree (and it will just be a one-liner).

We could do a ConditionSecurity=Smack, or something like that (ottomh) but we'd get duplicate tmp mounts, which is bad due to the way we name mount units. ick.

Auke
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Mon, 28.10.13 12:59, Kok, Auke-jan H (auke-jan.h@intel.com) wrote:

> On Mon, Oct 28, 2013 at 8:58 AM, Lennart Poettering lenn...@poettering.net wrote:
>
> > On Mon, 28.10.13 19:44, WaLyong Cho (walyong@samsung.com) wrote:
> >
> > > For the same reason as /run and /dev/shm, when systemd is running with SMACK, countless tasks fail due to a missing privilege. To avoid this, /tmp is assigned the '*' label.
> >
> > Won't this break if people compile systemd with SMACK enabled but run a kernel that has it disabled? We had a similar problem for the other mounts like /run, where we found a somewhat nice solution, but I am not sure how we can make the same work here...
>
> Our posts intersected, badly. Yes, as I said in my mail, this sadly does a bad job for those folks running with smack enabled in systemd but with it disabled in the kernel.
>
> For Tizen, we're thinking of just keeping this patch out of tree (and it will just be a one-liner).
>
> We could do a ConditionSecurity=Smack, or something like that (ottomh), but we'd get duplicate tmp mounts, which is bad due to the way we name mount units. ick.

Hmm, here's an idea: there has been a long standing feature request to add a configurable boolean to mount unit files that controls /bin/mount's -s switch. Let's say we call it SloppyOptions=yes/no, or so. Then, we could set this for this unit file and apply the rest of the patch and things should work, and where they don't we can easily reassign to the kernel to respect the -s flag properly.

Doing a patch that allows -s to be controlled should be fairly easy; I would be happy to merge a patch for that!

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.
On Mon, Oct 28, 2013 at 1:09 PM, Lennart Poettering lenn...@poettering.net wrote:

> On Mon, 28.10.13 12:59, Kok, Auke-jan H (auke-jan.h@intel.com) wrote:
>
> > On Mon, Oct 28, 2013 at 8:58 AM, Lennart Poettering lenn...@poettering.net wrote:
> >
> > > On Mon, 28.10.13 19:44, WaLyong Cho (walyong@samsung.com) wrote:
> > >
> > > > For the same reason as /run and /dev/shm, when systemd is running with SMACK, countless tasks fail due to a missing privilege. To avoid this, /tmp is assigned the '*' label.
> > >
> > > Won't this break if people compile systemd with SMACK enabled but run a kernel that has it disabled? We had a similar problem for the other mounts like /run, where we found a somewhat nice solution, but I am not sure how we can make the same work here...
> >
> > Our posts intersected, badly. Yes, as I said in my mail, this sadly does a bad job for those folks running with smack enabled in systemd but with it disabled in the kernel.
> >
> > For Tizen, we're thinking of just keeping this patch out of tree (and it will just be a one-liner).
> >
> > We could do a ConditionSecurity=Smack, or something like that (ottomh), but we'd get duplicate tmp mounts, which is bad due to the way we name mount units. ick.
>
> Hmm, here's an idea: there has been a long standing feature request to add a configurable boolean to mount unit files that controls /bin/mount's -s switch. Let's say we call it SloppyOptions=yes/no, or so. Then, we could set this for this unit file and apply the rest of the patch and things should work, and where they don't we can easily reassign to the kernel to respect the -s flag properly.
>
> Doing a patch that allows -s to be controlled should be fairly easy; I would be happy to merge a patch for that!

ahhh, I hadn't even seen -s in /bin/mount yet, so I can see this helping out a lot.

I'd be okay with a solution like that; it would certainly simplify things a lot, but we need to be careful not to overload mount options with all sorts of nonstandard options. It will make problems harder to debug, and for some of these security-enabled systems we will most likely want to actually _not_ use -s. After all, we want to make sure we're actually booting with properly set up Smack options, e.g. a typo in 'nodev,nosuid,nexec' could be disastrous. (typo deliberate).

Auke
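An added example, not code from systemd, util-linux or anyone in this thread: a small POSIX sh option filter for the tmp.mount case discussed above. It keeps the Smack-specific options only when the running kernel exposes smackfs, and checks every other option against an allowlist, so a typo such as 'nexec' fails loudly instead of being silently dropped the way mount -s would drop it. The allowlist, the /sys/fs/smackfs check and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not systemd, util-linux or any poster's code): a userspace
# filter for tmp.mount options. Smack options survive only when the kernel
# understands them; unknown options are rejected rather than ignored.

# Assumed allowlist of options tmp.mount may legitimately carry.
KNOWN_OPTS="mode strictatime nodev nosuid noexec size uid gid"
# Smack mount options as implemented in security/smack; 'smackfsroot'
# is the one the patch in this thread adds.
SMACK_OPTS="smackfsdef smackfsroot smackfshat smackfsfloor smackfstransmute"

# Assumed detection: Smack-enabled kernels expose smackfs at this path.
smack_enabled() {
    [ -d /sys/fs/smackfs ]
}

# filter_opts "a,b=c,..." yes|no
#   Prints the cleaned option list; exits 1 on an option on neither list.
#   Runs in a subshell so IFS and the -f flag stay local to the call.
filter_opts() (
    opts=$1 has_smack=$2 out=""
    set -f                      # 'smackfsroot=*' must not be glob-expanded
    IFS=','
    for o in $opts; do
        name=${o%%=*}           # option name without any =value part
        case " $SMACK_OPTS " in
        *" $name "*)
            # keep Smack options only when the kernel understands them
            if [ "$has_smack" = yes ]; then out="${out:+$out,}$o"; fi
            continue ;;
        esac
        case " $KNOWN_OPTS " in
        *" $name "*) out="${out:+$out,}$o" ;;
        *) printf 'tmp.mount: unknown mount option %s\n' "$o" >&2; exit 1 ;;
        esac
    done
    printf '%s\n' "$out"
)

# Stand-alone use: build the option string for the kernel we are running on.
if smack_enabled; then has=yes; else has=no; fi
filter_opts 'mode=1777,strictatime,smackfsroot=*' "$has"
```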