Re: [systemd-devel] [PATCH] condition, man: Add support for ConditionSecurity=smack
On Wed, May 8, 2013 at 8:20 PM, Zbigniew Jędrzejewski-Szmek zbys...@in.waw.pl wrote: On Wed, May 08, 2013 at 11:42:34AM -0700, Kok, Auke-jan H wrote: On Tue, May 7, 2013 at 5:29 AM, Karol Lewandowski k.lewando...@samsung.com wrote: On 05/07/2013 01:32 PM, Lennart Poettering wrote: On Tue, 07.05.13 13:21, Karol Lewandowski (k.lewando...@samsung.com) wrote: Heya, Hmm, does that directory always exist? Or only if AppArmor is actually runtime enabled? /sys/fs/smackfs is only registered when smack lsm is actually enabled: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smackfs.c?id=e93072374112db9dc86635934ee761249be28370#n2179 I.e. this check should ideally only return true if SMACK is not only built into the kernel, but actually really enabled during runtime. That's what the SELinux check does and what the most useful semantics are. Ok, I see that libselinux will consider selinux to be disabled also when policy is not loaded: http://userspace.selinuxproject.org/trac/browser/libselinux/src/enabled.c#L12 I guess we could do something similar (inspect /proc/self/attr/current) but honestly, I don't think it's really needed. Rafał, could you correct me if I'm wrong? smack is different as in that it can function without any loaded policies, so looking at policies isn't the right thing for smack. So likely looking at the presence of smackfs is exactly the same as looking at the preference of /proc/self/attr/current, except the latter is more complex, so less desirable imho. Applied, with a commit message based on this explanation. FYI, I just added similar code for IMA allowing ConditionSecurity=ima. I will take the AR to ask our Intel security folks if we don't need to do more - as in verify that IMA actually has a policy loaded, but the policy interface for IMA is write-only, so there is no way to find out if a policy was previously written. Cheers, Auke ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] condition, man: Add support for ConditionSecurity=smack
On Wed, May 08, 2013 at 11:42:34AM -0700, Kok, Auke-jan H wrote: On Tue, May 7, 2013 at 5:29 AM, Karol Lewandowski k.lewando...@samsung.com wrote: On 05/07/2013 01:32 PM, Lennart Poettering wrote: On Tue, 07.05.13 13:21, Karol Lewandowski (k.lewando...@samsung.com) wrote: Heya, Hmm, does that directory always exist? Or only if AppArmor is actually runtime enabled? /sys/fs/smackfs is only registered when smack lsm is actually enabled: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smackfs.c?id=e93072374112db9dc86635934ee761249be28370#n2179 I.e. this check should ideally only return true if SMACK is not only built into the kernel, but actually really enabled during runtime. That's what the SELinux check does and what the most useful semantics are. Ok, I see that libselinux will consider selinux to be disabled also when policy is not loaded: http://userspace.selinuxproject.org/trac/browser/libselinux/src/enabled.c#L12 I guess we could do something similar (inspect /proc/self/attr/current) but honestly, I don't think it's really needed. Rafał, could you correct me if I'm wrong? smack is different as in that it can function without any loaded policies, so looking at policies isn't the right thing for smack. So likely looking at the presence of smackfs is exactly the same as looking at the preference of /proc/self/attr/current, except the latter is more complex, so less desirable imho. Applied, with a commit message based on this explanation. Zbyszek ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH] condition, man: Add support for ConditionSecurity=smack
Signed-off-by: Karol Lewandowski k.lewando...@samsung.com diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 49103da..256c813 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -984,8 +984,9 @@ may be used to check whether the given security module is enabled on the system. Currently the only recognized -values are varnameselinux/varname -and varnameapparmor/varname. +values are varnameselinux/varname, +varnameapparmor/varname and +varnamesmack/varname. The test may be negated by prepending an exclamation mark./para diff --git a/src/core/condition.c b/src/core/condition.c index 4aa5530..16cae6d 100644 --- a/src/core/condition.c +++ b/src/core/condition.c @@ -164,6 +164,8 @@ static bool test_security(const char *parameter) { #endif if (streq(parameter, apparmor)) return access(/sys/kernel/security/apparmor/, F_OK) == 0; + if (streq(parameter, smack)) + return access(/sys/fs/smackfs, F_OK) == 0; return false; } -- 1.7.10.4 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] condition, man: Add support for ConditionSecurity=smack
On Tue, 07.05.13 13:21, Karol Lewandowski (k.lewando...@samsung.com) wrote: Heya, Hmm, does that directory always exist? Or only if AppArmor is actually runtime enabled? I.e. this check should ideally only return true if SMACK is not only built into the kernel, but actually really enabled during runtime. That's what the SELinux check does and what the most useful semantics are. Signed-off-by: Karol Lewandowski k.lewando...@samsung.com diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 49103da..256c813 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -984,8 +984,9 @@ may be used to check whether the given security module is enabled on the system. Currently the only recognized -values are varnameselinux/varname -and varnameapparmor/varname. +values are varnameselinux/varname, +varnameapparmor/varname and +varnamesmack/varname. The test may be negated by prepending an exclamation mark./para diff --git a/src/core/condition.c b/src/core/condition.c index 4aa5530..16cae6d 100644 --- a/src/core/condition.c +++ b/src/core/condition.c @@ -164,6 +164,8 @@ static bool test_security(const char *parameter) { #endif if (streq(parameter, apparmor)) return access(/sys/kernel/security/apparmor/, F_OK) == 0; + if (streq(parameter, smack)) + return access(/sys/fs/smackfs, F_OK) == 0; return false; } Lennart -- Lennart Poettering - Red Hat, Inc. ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] condition, man: Add support for ConditionSecurity=smack
On 05/07/2013 01:32 PM, Lennart Poettering wrote: On Tue, 07.05.13 13:21, Karol Lewandowski (k.lewando...@samsung.com) wrote: Heya, Hmm, does that directory always exist? Or only if AppArmor is actually runtime enabled? /sys/fs/smackfs is only registered when smack lsm is actually enabled: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smackfs.c?id=e93072374112db9dc86635934ee761249be28370#n2179 I.e. this check should ideally only return true if SMACK is not only built into the kernel, but actually really enabled during runtime. That's what the SELinux check does and what the most useful semantics are. Ok, I see that libselinux will consider selinux to be disabled also when policy is not loaded: http://userspace.selinuxproject.org/trac/browser/libselinux/src/enabled.c#L12 I guess we could do something similar (inspect /proc/self/attr/current) but honestly, I don't think it's really needed. Rafał, could you correct me if I'm wrong? Cheers Signed-off-by: Karol Lewandowski k.lewando...@samsung.com diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 49103da..256c813 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -984,8 +984,9 @@ may be used to check whether the given security module is enabled on the system. Currently the only recognized -values are varnameselinux/varname -and varnameapparmor/varname. +values are varnameselinux/varname, +varnameapparmor/varname and +varnamesmack/varname. The test may be negated by prepending an exclamation mark./para diff --git a/src/core/condition.c b/src/core/condition.c index 4aa5530..16cae6d 100644 --- a/src/core/condition.c +++ b/src/core/condition.c @@ -164,6 +164,8 @@ static bool test_security(const char *parameter) { #endif if (streq(parameter, apparmor)) return access(/sys/kernel/security/apparmor/, F_OK) == 0; +if (streq(parameter, smack)) +return access(/sys/fs/smackfs, F_OK) == 0; return false; } Lennart ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel