On Tue, 30.10.12 15:44, Kok, Auke-jan H (auke-jan.h....@intel.com) wrote:

>
> On Tue, Oct 30, 2012 at 2:56 PM, Lennart Poettering
> <lenn...@poettering.net> wrote:
> > On Mon, 29.10.12 20:17, Kok, Auke-jan H (auke-jan.h....@intel.com) wrote:
> >> yes, you can detect it by reading /proc/filesystems and checking for
> >> "smackfs", and
> >> if mounted, that it's enabled.
> >
> > Hmm, I think it's a good idea to mount all API VFS that are around,
> > regardless whether the subsystem they are used for is actually really
> > enabled. Isn't there a nicer way how to detect whether a SMACK policy is
> > actually loaded?
>
> I started looking at it this morning during a meeting and this looks
> easy enough to enable early on, and well worth doing. It's taking the
> code from smackctl (which is LGPLv2... so, should be totally fine) and
> dropping it in just like setup-ima|selinux.
>
> There is no "master ON" switch in SMACK (it is always on if compiled
> enabled). But you can check if "/smack/load" contains data. If there
> are 0 bytes in it, no rules were loaded. fopen()+feof() should
> suffice, I think.

feof() is only set after you tried to read at least once. But
read(fd, &x, 1) > 0 should do the job.

SMACK uses a top-level dir as mount point for its fs? That should really
be fixed. We moved all the other file systems (selinux, cgroups, ...)
below /sys, and SMACK has no excuse to pollute the root fs for
this. Follow the SELinux scheme please and introduce /sys/fs/smack, and
use that as default mount point.

Lennart

--
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
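
The emptiness check discussed in this message, as an added example that is not part of the original email and is not systemd or smackctl code: a one-byte read() test next to the fopen()+feof() variant, which reports data even for an empty file. The function names, the stand-in file path and the sample rule line are assumptions constructed for the demo; on a real system the path would be the smackfs load file named in the thread.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper (name is an assumption): returns 1 if the file holds
 * at least one byte, 0 if it is empty, negative errno on failure. */
int file_has_data(const char *path) {
    char x;
    ssize_t n;
    int r, fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    do {
        n = read(fd, &x, 1);          /* the read(fd, &x, 1) > 0 test */
    } while (n < 0 && errno == EINTR);
    r = n < 0 ? -errno : (n > 0);
    close(fd);
    return r;
}

/* fopen()+feof() with no read: the EOF indicator is set only after a read
 * hits end-of-file, so this returns 1 even for an empty file (-1 on error). */
int feof_only_check(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int has_data = !feof(f);
    fclose(f);
    return has_data;
}

/* Writes a constructed sample file so the demo runs without smackfs. */
int make_sample(const char *path, const char *content) {
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(content, f);
    return fclose(f);
}

int main(void) {
    const char *p = "smack_load_sample.tmp";   /* constructed stand-in path */
    make_sample(p, "");
    printf("empty: read=%d feof-only=%d\n", file_has_data(p), feof_only_check(p));
    make_sample(p, "User System rwx\n");       /* constructed sample rule */
    printf("rules: read=%d feof-only=%d\n", file_has_data(p), feof_only_check(p));
    return remove(p);
}
```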