On Fri, 14.02.14 14:05, Michael Scherer (m...@zarb.org) wrote:

> > > SD_BUS_PROPERTY("SELinuxContext", "s", NULL,
> > > offsetof(ExecContext, selinux_context), SD_BUS_VTABLE_PROPERTY_CONST),
> > > + SD_BUS_PROPERTY("AppArmorProfile", "s", NULL,
> > > offsetof(ExecContext, apparmor_profile),
> > > SD_BUS_VTABLE_PROPERTY_CONST),
> >
> > Hmm, so thinking about this, we should normalize both these options and
> > turn the "s" signature into "(bs)", i.e. a structure made of a bool and
> > the label, where the bool indicates whether a non-existing label shall
> > be ignored or not. We have the same split up when serializing exec
> > commands, and we should do that here too...
>
> So, you want a 2nd property SELinuxcontextIgnore/AppArmorProfileIgnore
> that would be True when SELinuxContext/AppArmorProfile is prefixed by
> '-', or also when SELinux/AppArmor is disabled?

Nope. Just one property as struct.

> Also, SELinuxContext would be the context without the leading '-',
> correct?

Correct. The "-" would basically just be a way to denote this in the
unit file, but never stored like that internally nor exported over the
bus.

> > > @@ -140,6 +140,8 @@ struct ExecContext {
> > >
> > > char *selinux_context;
> > >
> > > + char *apparmor_profile;
> > > +
> >
> > Similar as above, I'd like this to be stored normalized, i.e.:
> >
> > bool selinux_context_ignore;
> > char *selinux_context;
> >
> > bool apparmor_profile_ignore;
> > char *apparmor_profile;
> >
> > Or similar...
>
> So that would require a custom change to load-fragment.c, so I guess
> that's a separate task as we need to apply that to selinuxcontext.

Yupp, there would be two parse functions that can handle this.
(internally, they can probably just invoke a single function that takes
pointers to both the char* and the bool variable)

> So I will provide the change for SELinuxContext, then once accepted,
> send a v3 of the apparmor patch with the code following the "style" of
> SELinuxContext, is this ok?

Feel free to just send them in a series.

Lennart

-- 
Lennart Poettering, Red Hat
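
Review bot: on the added `SD_BUS_PROPERTY("AppArmorProfile", "s", ...)` line, the "s" signature becomes part of the bus interface as soon as the property ships, so switching it to "(bs)" in a later patch would change the type that clients read. Settle the normalized form in the same series that first exports `AppArmorProfile`, so the property is never released with the plain string signature.

Review bot: in the `struct ExecContext` hunk, the new `char *apparmor_profile` member sits next to `selinux_context` as another string pointer, but the quoted lines show only the declaration. Wherever `selinux_context` is released when the context is cleaned up, `apparmor_profile` needs the same treatment, and with the normalization requested in this review the `apparmor_profile_ignore` bool belongs directly beside it in the struct.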
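
A sketch of the shared parse helper described in the reply above, added here as an illustration and not taken from the patch or from systemd. The names `exec_labels` and `parse_label`, the choice that an empty value resets the setting, and the rejection of a bare "-" are assumptions; the field names follow the ones proposed in the review.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Normalized storage, using the field names proposed in the review. */
struct exec_labels {
    bool selinux_context_ignore;
    char *selinux_context;
    bool apparmor_profile_ignore;
    char *apparmor_profile;
};

/* Hypothetical shared helper (name and signature are assumptions, not
 * systemd code): split a unit-file value into the label and the flag. */
int parse_label(const char *rvalue, char **label, bool *ignore) {
    bool ign = false;
    char *copy = NULL;

    if (!rvalue || !label || !ignore)
        return -EINVAL;
    if (*rvalue == '-') {           /* the prefix is unit-file syntax only */
        ign = true;
        rvalue++;
    }
    if (*rvalue) {
        size_t n = strlen(rvalue) + 1;
        copy = malloc(n);
        if (!copy)
            return -ENOMEM;         /* previous value stays intact */
        memcpy(copy, rvalue, n);
    } else if (ign) {
        return -EINVAL;             /* a bare "-" names no label */
    }
    free(*label);                   /* empty value resets (assumption) */
    *label = copy;
    *ignore = copy ? ign : false;
    return 0;
}

/* The two per-option parse functions only select which fields to fill. */
int parse_selinux_context(struct exec_labels *c, const char *rvalue) {
    return parse_label(rvalue, &c->selinux_context, &c->selinux_context_ignore);
}

int parse_apparmor_profile(struct exec_labels *c, const char *rvalue) {
    return parse_label(rvalue, &c->apparmor_profile, &c->apparmor_profile_ignore);
}
```

Because the stored string never carries the "-", a "(bs)" property can be built directly from the two fields, and the code that applies the label can decide between failing the unit and continuing by looking at the bool alone.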