Bug 77646

Summary: use_smack have corrupt cached result if no /sys/fs/smackfs systemd statup
Product: systemd Reporter: Ronan22 <ronan>
Component: generalAssignee: systemd-bugs
Status: RESOLVED FIXED QA Contact: systemd-bugs
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
i915 platform: i915 features:
Attachments: patch fix
new patch submit

Description Ronan22 2014-04-18 13:44:51 UTC
Created attachment 97559 [details]
patch fix

You can not put the cached result of use_smack fct,
as you are not sure the "/sys" is mounted.
So for the two first mount from mount_table,
"/proc" and "/sys" result from use_smack should not be cached.
Comment 1 Zbigniew Jedrzejewski-Szmek 2014-04-21 02:46:41 UTC
If I understand the patch description correctly, we are checking for smack before /sys is mounted, i.e. before our test for smack actually works. This is not good, because it means that something depends on smack being enabled, and we'd be taking the wrong branch even with your patch, and only afterwards taking the proper branch. Is this patch trying to fix some concrete problem? Can you describe the behaviour you're seeing more closely?
Comment 2 Lennart Poettering 2014-04-22 04:55:07 UTC
I'd prefer if we added a retest_smack() call akin to the existing retest_selinux() we already have, that simply resets the cached bool after enabling smack.
Comment 3 Ronan22 2014-04-22 08:32:58 UTC
When systemd do is first "use_smack" ?

-At the begining of systemd (main at src/core/main.c), mount_setup_early is execute.

-mount_setup_early mount each entry of the "mount_table" thow function mount_one.

-mount_one use mkdir_p_label.

-mkdir_p_label use label_mkdir.

-label_mkdir use use_smack.

So At the first mount of the first entry of "mount_table" ("/proc"), the return value of use_smack is cached.

Add a funct "retest_smack()" seems to be heavy to me.

For me, a cleaner way is to mount "/sys" first (before "/proc").

static const MountPoint mount_table[] = {
        { "sysfs",      "/sys",                      "sysfs",      NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
        { "proc",       "/proc",                     "proc",       NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
Comment 4 Ronan22 2014-04-22 08:38:58 UTC
Created attachment 97732 [details]
new patch submit

mount /sys before /proc to avoid cache corrupt.
Comment 5 Ronan22 2014-04-22 08:41:33 UTC
Currently, I'm porting Tizen to yocto, and one of the first steep is to activate smack security.

 Currently, I'm test the first image with qemu.
Comment 6 Lennart Poettering 2014-06-23 17:05:12 UTC
OK, looks OK. Let's hope that this won't turn into a game of whack-a-mole where some things need /proc first, and others /sys...

Applied. Thanks.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.