subject:"\[systemd\-devel\] \[PATCH\] tmpfiles\: only change device permissions if mknod succeeded"

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

2014-10-29 Thread Jan Synacek

Tom Gundersen t...@jklm.no writes:

 On Mon, Oct 27, 2014 at 4:53 PM, Tom Gundersen t...@jklm.no wrote:
 On Mon, Oct 27, 2014 at 4:48 PM, Lennart Poettering
 mzerq...@0pointer.de wrote:
 On Sat, 25.10.14 01:36, Tom Gundersen (t...@jklm.no) wrote:

 On Mon, Oct 20, 2014 at 9:32 PM, Lennart Poettering
 lenn...@poettering.net wrote:
  On Tue, 14.10.14 16:19, Jan Synacek (jsyna...@redhat.com) wrote:
 
  https://bugzilla.redhat.com/show_bug.cgi?id=1147248
 
  Hmm, so far tmpfiles always adjust access modes, for all types of
  lines, if that's possible. I think this makes sense. The bug
  referenced above seems to suggest though that the access mode of the
  /dev/fuse file node is specified differently in two places
  though. This sounds like something to fix first?

 Well, the /run/tmpfiles.d/kmod.conf one is what the kernel exposes,
 and then the udev rules overrides this. We could surely fix this case,
 but in general I think we should expect that these may differ.

 To me it seems that we should not create devices nodes at all, except
 in systemd-tmpfiles-setup-dev.service, the reason being that udev
 rules are only applied to static nodes at udev startup, so any device
 nodes created (or changed) after that may end up with the wrong
 permissions (as seen here).

 Hmm, so does this mean that the kmod tmpfiles converter really should
 suffixits lines with the exclamation mark? That way, only invocation
 of tmpfiles with --boot would honour those files, which are the ones
 we start at boot.

 Does that make sense?


 Yes, indeed, this is precisely what we want. I had missed that
 feature. I'll do a patch.


 And done: http://permalink.gmane.org/gmane.linux.kernel.modules/1402.

 Jan, does this look like it solves the original problem?

 Cheers,

 Tom

On my current rawhide (updated today, systemd-216-11.fc22.x86_64), with
kmod patched using the patch you've provided, /dev/fuse is not created,
not even on boot. However, invoking systemd-tmpfiles.d --create --boot
correctly creates the node.

# cat /run/tmpfiles.d/kmod.conf 
c! /dev/fuse 0600 - - - 10:229
c! /dev/btrfs-control 0600 - - - 10:234
c! /dev/loop-control 0600 - - - 10:237
d /dev/net 0755 - - -
c! /dev/net/tun 0600 - - - 10:200
c! /dev/ppp 0600 - - - 108:0
c! /dev/uinput 0600 - - - 10:223
c! /dev/uhid 0600 - - - 10:239
d /dev/vfio 0755 - - -
c! /dev/vfio/vfio 0600 - - - 10:196
c! /dev/vhci 0600 - - - 10:137
c! /dev/vhost-net 0600 - - - 10:238
d /dev/snd 0755 - - -
c! /dev/snd/timer 0600 - - - 116:33
d /dev/snd 0755 - - -
c! /dev/snd/seq 0600 - - - 116:1

Is that how it should work?

Cheers,
-- 
Jan Synacek
Software Engineer, Red Hat


signature.asc
Description: PGP signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

2014-10-29 Thread Tom Gundersen

On Wed, Oct 29, 2014 at 10:37 AM, Jan Synacek jsyna...@redhat.com wrote:
 Tom Gundersen t...@jklm.no writes:

 On Mon, Oct 27, 2014 at 4:53 PM, Tom Gundersen t...@jklm.no wrote:
 On Mon, Oct 27, 2014 at 4:48 PM, Lennart Poettering
 mzerq...@0pointer.de wrote:
 On Sat, 25.10.14 01:36, Tom Gundersen (t...@jklm.no) wrote:

 On Mon, Oct 20, 2014 at 9:32 PM, Lennart Poettering
 lenn...@poettering.net wrote:
  On Tue, 14.10.14 16:19, Jan Synacek (jsyna...@redhat.com) wrote:
 
  https://bugzilla.redhat.com/show_bug.cgi?id=1147248
 
  Hmm, so far tmpfiles always adjust access modes, for all types of
  lines, if that's possible. I think this makes sense. The bug
  referenced above seems to suggest though that the access mode of the
  /dev/fuse file node is specified differently in two places
  though. This sounds like something to fix first?

 Well, the /run/tmpfiles.d/kmod.conf one is what the kernel exposes,
 and then the udev rules overrides this. We could surely fix this case,
 but in general I think we should expect that these may differ.

 To me it seems that we should not create devices nodes at all, except
 in systemd-tmpfiles-setup-dev.service, the reason being that udev
 rules are only applied to static nodes at udev startup, so any device
 nodes created (or changed) after that may end up with the wrong
 permissions (as seen here).

 Hmm, so does this mean that the kmod tmpfiles converter really should
 suffixits lines with the exclamation mark? That way, only invocation
 of tmpfiles with --boot would honour those files, which are the ones
 we start at boot.

 Does that make sense?


 Yes, indeed, this is precisely what we want. I had missed that
 feature. I'll do a patch.


 And done: http://permalink.gmane.org/gmane.linux.kernel.modules/1402.

 Jan, does this look like it solves the original problem?

 Cheers,

 Tom

 On my current rawhide (updated today, systemd-216-11.fc22.x86_64), with
 kmod patched using the patch you've provided, /dev/fuse is not created,
 not even on boot. However, invoking systemd-tmpfiles.d --create --boot
 correctly creates the node.

 # cat /run/tmpfiles.d/kmod.conf
 c! /dev/fuse 0600 - - - 10:229
 c! /dev/btrfs-control 0600 - - - 10:234
 c! /dev/loop-control 0600 - - - 10:237
 d /dev/net 0755 - - -
 c! /dev/net/tun 0600 - - - 10:200
 c! /dev/ppp 0600 - - - 108:0
 c! /dev/uinput 0600 - - - 10:223
 c! /dev/uhid 0600 - - - 10:239
 d /dev/vfio 0755 - - -
 c! /dev/vfio/vfio 0600 - - - 10:196
 c! /dev/vhci 0600 - - - 10:137
 c! /dev/vhost-net 0600 - - - 10:238
 d /dev/snd 0755 - - -
 c! /dev/snd/timer 0600 - - - 116:33
 d /dev/snd 0755 - - -
 c! /dev/snd/seq 0600 - - - 116:1

 Is that how it should work?

Yes, you also need systemd v217, as that adds the --boot argument to
systemd-tmpfiles-setup-dev.service.

Cheers,

Tom
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

2014-10-27 Thread Lennart Poettering

On Sat, 25.10.14 01:36, Tom Gundersen (t...@jklm.no) wrote:

 On Mon, Oct 20, 2014 at 9:32 PM, Lennart Poettering
 lenn...@poettering.net wrote:
  On Tue, 14.10.14 16:19, Jan Synacek (jsyna...@redhat.com) wrote:
 
  https://bugzilla.redhat.com/show_bug.cgi?id=1147248
 
  Hmm, so far tmpfiles always adjust access modes, for all types of
  lines, if that's possible. I think this makes sense. The bug
  referenced above seems to suggest though that the access mode of the
  /dev/fuse file node is specified differently in two places
  though. This sounds like something to fix first?
 
 Well, the /run/tmpfiles.d/kmod.conf one is what the kernel exposes,
 and then the udev rules overrides this. We could surely fix this case,
 but in general I think we should expect that these may differ.
 
 To me it seems that we should not create devices nodes at all, except
 in systemd-tmpfiles-setup-dev.service, the reason being that udev
 rules are only applied to static nodes at udev startup, so any device
 nodes created (or changed) after that may end up with the wrong
 permissions (as seen here).

Hmm, so does this mean that the kmod tmpfiles converter really should
suffixits lines with the exclamation mark? That way, only invocation
of tmpfiles with --boot would honour those files, which are the ones
we start at boot.

Does that make sense?

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

2014-10-27 Thread Tom Gundersen

On Mon, Oct 27, 2014 at 4:48 PM, Lennart Poettering
mzerq...@0pointer.de wrote:
 On Sat, 25.10.14 01:36, Tom Gundersen (t...@jklm.no) wrote:

 On Mon, Oct 20, 2014 at 9:32 PM, Lennart Poettering
 lenn...@poettering.net wrote:
  On Tue, 14.10.14 16:19, Jan Synacek (jsyna...@redhat.com) wrote:
 
  https://bugzilla.redhat.com/show_bug.cgi?id=1147248
 
  Hmm, so far tmpfiles always adjust access modes, for all types of
  lines, if that's possible. I think this makes sense. The bug
  referenced above seems to suggest though that the access mode of the
  /dev/fuse file node is specified differently in two places
  though. This sounds like something to fix first?

 Well, the /run/tmpfiles.d/kmod.conf one is what the kernel exposes,
 and then the udev rules overrides this. We could surely fix this case,
 but in general I think we should expect that these may differ.

 To me it seems that we should not create devices nodes at all, except
 in systemd-tmpfiles-setup-dev.service, the reason being that udev
 rules are only applied to static nodes at udev startup, so any device
 nodes created (or changed) after that may end up with the wrong
 permissions (as seen here).

 Hmm, so does this mean that the kmod tmpfiles converter really should
 suffixits lines with the exclamation mark? That way, only invocation
 of tmpfiles with --boot would honour those files, which are the ones
 we start at boot.

 Does that make sense?


Yes, indeed, this is precisely what we want. I had missed that
feature. I'll do a patch.

Thanks!

Tom
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

2014-10-27 Thread Tom Gundersen

On Mon, Oct 27, 2014 at 4:53 PM, Tom Gundersen t...@jklm.no wrote:
 On Mon, Oct 27, 2014 at 4:48 PM, Lennart Poettering
 mzerq...@0pointer.de wrote:
 On Sat, 25.10.14 01:36, Tom Gundersen (t...@jklm.no) wrote:

 On Mon, Oct 20, 2014 at 9:32 PM, Lennart Poettering
 lenn...@poettering.net wrote:
  On Tue, 14.10.14 16:19, Jan Synacek (jsyna...@redhat.com) wrote:
 
  https://bugzilla.redhat.com/show_bug.cgi?id=1147248
 
  Hmm, so far tmpfiles always adjust access modes, for all types of
  lines, if that's possible. I think this makes sense. The bug
  referenced above seems to suggest though that the access mode of the
  /dev/fuse file node is specified differently in two places
  though. This sounds like something to fix first?

 Well, the /run/tmpfiles.d/kmod.conf one is what the kernel exposes,
 and then the udev rules overrides this. We could surely fix this case,
 but in general I think we should expect that these may differ.

 To me it seems that we should not create devices nodes at all, except
 in systemd-tmpfiles-setup-dev.service, the reason being that udev
 rules are only applied to static nodes at udev startup, so any device
 nodes created (or changed) after that may end up with the wrong
 permissions (as seen here).

 Hmm, so does this mean that the kmod tmpfiles converter really should
 suffixits lines with the exclamation mark? That way, only invocation
 of tmpfiles with --boot would honour those files, which are the ones
 we start at boot.

 Does that make sense?


 Yes, indeed, this is precisely what we want. I had missed that
 feature. I'll do a patch.


And done: http://permalink.gmane.org/gmane.linux.kernel.modules/1402.

Jan, does this look like it solves the original problem?

Cheers,

Tom
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

2014-10-24 Thread Tom Gundersen

On Mon, Oct 20, 2014 at 9:32 PM, Lennart Poettering
lenn...@poettering.net wrote:
 On Tue, 14.10.14 16:19, Jan Synacek (jsyna...@redhat.com) wrote:

 https://bugzilla.redhat.com/show_bug.cgi?id=1147248

 Hmm, so far tmpfiles always adjust access modes, for all types of
 lines, if that's possible. I think this makes sense. The bug
 referenced above seems to suggest though that the access mode of the
 /dev/fuse file node is specified differently in two places
 though. This sounds like something to fix first?

Well, the /run/tmpfiles.d/kmod.conf one is what the kernel exposes,
and then the udev rules overrides this. We could surely fix this case,
but in general I think we should expect that these may differ.

To me it seems that we should not create devices nodes at all, except
in systemd-tmpfiles-setup-dev.service, the reason being that udev
rules are only applied to static nodes at udev startup, so any device
nodes created (or changed) after that may end up with the wrong
permissions (as seen here).

 ---
  src/tmpfiles/tmpfiles.c | 11 +++
  1 file changed, 7 insertions(+), 4 deletions(-)

 diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
 index 8108b43..ae0289d 100644
 --- a/src/tmpfiles/tmpfiles.c
 +++ b/src/tmpfiles/tmpfiles.c
 @@ -824,6 +824,7 @@ static int create_item(Item *i) {
  case CREATE_BLOCK_DEVICE:
  case CREATE_CHAR_DEVICE: {
  mode_t file_type;
 +bool mknod_succeeded;

  if (have_effective_cap(CAP_MKNOD) == 0) {
  /* In a container we lack CAP_MKNOD. We
 @@ -842,6 +843,7 @@ static int create_item(Item *i) {
  r = mknod(i-path, i-mode | file_type, 
 i-major_minor);
  label_context_clear();
  }
 +mknod_succeeded = (r == 0);

  if (r  0) {
  if (errno == EPERM) {
 @@ -881,10 +883,11 @@ static int create_item(Item *i) {
  }
  }

 -r = item_set_perms(i, i-path);
 -if (r  0)
 -return r;
 -
 +if (mknod_succeeded) {
 +r = item_set_perms(i, i-path);
 +if (r  0)
 +return r;
 +}
  break;
  }

 --
 1.9.3

 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel



 Lennart

 --
 Lennart Poettering, Red Hat
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

2014-10-20 Thread Lennart Poettering

On Tue, 14.10.14 16:19, Jan Synacek (jsyna...@redhat.com) wrote:

 https://bugzilla.redhat.com/show_bug.cgi?id=1147248

Hmm, so far tmpfiles always adjust access modes, for all types of
lines, if that's possible. I think this makes sense. The bug
referenced above seems to suggest though that the access mode of the
/dev/fuse file node is specified differently in two places
though. This sounds like something to fix first?

 ---
  src/tmpfiles/tmpfiles.c | 11 +++
  1 file changed, 7 insertions(+), 4 deletions(-)
 
 diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
 index 8108b43..ae0289d 100644
 --- a/src/tmpfiles/tmpfiles.c
 +++ b/src/tmpfiles/tmpfiles.c
 @@ -824,6 +824,7 @@ static int create_item(Item *i) {
  case CREATE_BLOCK_DEVICE:
  case CREATE_CHAR_DEVICE: {
  mode_t file_type;
 +bool mknod_succeeded;
  
  if (have_effective_cap(CAP_MKNOD) == 0) {
  /* In a container we lack CAP_MKNOD. We
 @@ -842,6 +843,7 @@ static int create_item(Item *i) {
  r = mknod(i-path, i-mode | file_type, 
 i-major_minor);
  label_context_clear();
  }
 +mknod_succeeded = (r == 0);
  
  if (r  0) {
  if (errno == EPERM) {
 @@ -881,10 +883,11 @@ static int create_item(Item *i) {
  }
  }
  
 -r = item_set_perms(i, i-path);
 -if (r  0)
 -return r;
 -
 +if (mknod_succeeded) {
 +r = item_set_perms(i, i-path);
 +if (r  0)
 +return r;
 +}
  break;
  }
  
 -- 
 1.9.3
 
 ___
 systemd-devel mailing list
 systemd-devel@lists.freedesktop.org
 http://lists.freedesktop.org/mailman/listinfo/systemd-devel
 


Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

[systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

2014-10-14 Thread Jan Synacek

https://bugzilla.redhat.com/show_bug.cgi?id=1147248
---
 src/tmpfiles/tmpfiles.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 8108b43..ae0289d 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -824,6 +824,7 @@ static int create_item(Item *i) {
 case CREATE_BLOCK_DEVICE:
 case CREATE_CHAR_DEVICE: {
 mode_t file_type;
+bool mknod_succeeded;
 
 if (have_effective_cap(CAP_MKNOD) == 0) {
 /* In a container we lack CAP_MKNOD. We
@@ -842,6 +843,7 @@ static int create_item(Item *i) {
 r = mknod(i-path, i-mode | file_type, 
i-major_minor);
 label_context_clear();
 }
+mknod_succeeded = (r == 0);
 
 if (r  0) {
 if (errno == EPERM) {
@@ -881,10 +883,11 @@ static int create_item(Item *i) {
 }
 }
 
-r = item_set_perms(i, i-path);
-if (r  0)
-return r;
-
+if (mknod_succeeded) {
+r = item_set_perms(i, i-path);
+if (r  0)
+return r;
+}
 break;
 }
 
-- 
1.9.3

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

Re: [systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

[systemd-devel] [PATCH] tmpfiles: only change device permissions if mknod succeeded

8 matches

Site Navigation

Mail list logo

Footer information