Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.

Lennart Poettering Mon, 28 Oct 2013 12:19:40 -0700

On Mon, 28.10.13 19:44, WaLyong Cho (walyong....@samsung.com) wrote:

> At the same reason of /run and /dev/shm, when systemd is running with
> SMACK, countless tasks are failed by missed privilege.
> To avoid, /tmp is assigned '*' label.


Won't this break if people compile systemd with SMACK enabled but
run a kernel that has it disabled?

We had a similar problem for the other mounts like /run, where we found
a somewhat nice solution, but I am not sure how we can make the same
work here...

Lennart

> ---
>  Makefile.am        |   10 ++++++----
>  configure.ac       |    4 +++-
>  units/tmp.mount    |   20 --------------------
>  units/tmp.mount.m4 |   22 ++++++++++++++++++++++
>  4 files changed, 31 insertions(+), 25 deletions(-)
>  delete mode 100644 units/tmp.mount
>  create mode 100644 units/tmp.mount.m4
> 
> diff --git a/Makefile.am b/Makefile.am
> index 4a96a50..6c977e8 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -399,7 +399,6 @@ dist_systemunit_DATA = \
>       units/sys-kernel-config.mount \
>       units/sys-kernel-debug.mount \
>       units/sys-fs-fuse-connections.mount \
> -     units/tmp.mount \
>       units/printer.target \
>       units/sound.target \
>       units/bluetooth.target \
> @@ -444,7 +443,8 @@ nodist_systemunit_DATA = \
>       units/initrd-cleanup.service \
>       units/initrd-udevadm-cleanup-db.service \
>       units/initrd-switch-root.service \
> -     units/systemd-nspawn@.service
> +     units/systemd-nspawn@.service \
> +     units/tmp.mount
>  
>  dist_userunit_DATA = \
>       units/user/default.target \
> @@ -488,12 +488,14 @@ EXTRA_DIST += \
>       units/initrd-cleanup.service.in \
>       units/initrd-udevadm-cleanup-db.service.in \
>       units/initrd-switch-root.service.in \
> -     units/systemd-nsp...@.service.in
> +     units/systemd-nsp...@.service.in \
> +     units/tmp.mount.m4
>  
>  CLEANFILES += \
>       units/console-shell.service.m4 \
>       units/console-getty.service.m4 \
> -     units/rescue.service.m4
> +     units/rescue.service.m4 \
> +     units/tmp.mount.m4
>  
>  if HAVE_SYSV_COMPAT
>  nodist_systemunit_DATA += \
> diff --git a/configure.ac b/configure.ac
> index 7e41d57..65268e8 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -503,6 +503,8 @@ AC_SUBST(XATTR_LIBS)
>  AM_CONDITIONAL([HAVE_XATTR], [test "x$have_xattr" != xno])
>  
>  # 
> ------------------------------------------------------------------------------
> +M4_DEFINES=
> +
>  AC_ARG_ENABLE([smack], AS_HELP_STRING([--disable-smack],[Disable optional 
> SMACK support]),
>                  [case "${enableval}" in
>                          yes) have_smack=yes ;;
> @@ -531,6 +533,7 @@ AS_HELP_STRING([--with-smack-run-label=STRING],
>  
>  if test "x${have_smack}" = xyes ; then
>          AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available])
> +        M4_DEFINES="$M4_DEFINES -DHAVE_SMACK"
>  fi
>  
>  # 
> ------------------------------------------------------------------------------
> @@ -891,7 +894,6 @@ AM_CONDITIONAL(ENABLE_MANPAGES, [test "x$have_manpages" = 
> "xyes"])
>  # Location of the init scripts as mandated by LSB
>  SYSTEM_SYSVINIT_PATH=/etc/init.d
>  SYSTEM_SYSVRCND_PATH=/etc/rc.d
> -M4_DEFINES=
>  
>  AC_ARG_WITH([sysvinit-path],
>          [AS_HELP_STRING([--with-sysvinit-path=PATH],
> diff --git a/units/tmp.mount b/units/tmp.mount
> deleted file mode 100644
> index 99a3ba3..0000000
> --- a/units/tmp.mount
> +++ /dev/null
> @@ -1,20 +0,0 @@
> -#  This file is part of systemd.
> -#
> -#  systemd is free software; you can redistribute it and/or modify it
> -#  under the terms of the GNU Lesser General Public License as published by
> -#  the Free Software Foundation; either version 2.1 of the License, or
> -#  (at your option) any later version.
> -
> -[Unit]
> -Description=Temporary Directory
> -Documentation=man:hier(7)
> -Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
> -DefaultDependencies=no
> -Conflicts=umount.target
> -Before=local-fs.target umount.target
> -
> -[Mount]
> -What=tmpfs
> -Where=/tmp
> -Type=tmpfs
> -Options=mode=1777,strictatime
> diff --git a/units/tmp.mount.m4 b/units/tmp.mount.m4
> new file mode 100644
> index 0000000..46c7fcd
> --- /dev/null
> +++ b/units/tmp.mount.m4
> @@ -0,0 +1,22 @@
> +#  This file is part of systemd.
> +#
> +#  systemd is free software; you can redistribute it and/or modify it
> +#  under the terms of the GNU Lesser General Public License as published by
> +#  the Free Software Foundation; either version 2.1 of the License, or
> +#  (at your option) any later version.
> +
> +[Unit]
> +Description=Temporary Directory
> +Documentation=man:hier(7)
> +Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
> +DefaultDependencies=no
> +Conflicts=umount.target
> +Before=local-fs.target umount.target
> +
> +[Mount]
> +What=tmpfs
> +Where=/tmp
> +Type=tmpfs
> +m4_ifdef(`HAVE_SMACK',
> +`Options=mode=1777,strictatime,smackfsroot=*',
> +`Options=mode=1777,strictatime')


Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] [PATCH] SMACK: assign * label to /tmp when using SMACK.

Reply via email to