Created attachment 97559 (patch fix)

You cannot cache the result of the use_smack function, as you are not sure "/sys" is mounted. So for the first two mounts from mount_table, "/proc" and "/sys", the result from use_smack should not be cached.
If I understand the patch description correctly, we are checking for smack before /sys is mounted, i.e. before our test for smack actually works. This is not good, because it means that something depends on smack being enabled, and we'd be taking the wrong branch even with your patch, and only afterwards taking the proper branch. Is this patch trying to fix some concrete problem? Can you describe the behaviour you're seeing more closely?
I'd prefer if we added a retest_smack() call akin to the existing retest_selinux() we already have, that simply resets the cached bool after enabling smack.
When does systemd first call "use_smack"?

- At the beginning of systemd (main in src/core/main.c), mount_setup_early is executed.
- mount_setup_early mounts each entry of the "mount_table" through the function mount_one.
- mount_one uses mkdir_p_label.
- mkdir_p_label uses label_mkdir.
- label_mkdir uses use_smack.

So at the first mount of the first entry of "mount_table" ("/proc"), the return value of use_smack is cached.

Adding a function "retest_smack()" seems heavy to me.

-------------------------------------------------------------------

For me, a cleaner way is to mount "/sys" first (before "/proc").

    static const MountPoint mount_table[] = {
            { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL,
              MNT_FATAL|MNT_IN_CONTAINER },
            { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL,
              MNT_FATAL|MNT_IN_CONTAINER },
            ...
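The failure mode discussed in the comments above, reproduced as an added example (this is not code from the bug report or from systemd): a cached probe in the shape of use_smack() is asked once while the sysfs stand-in is still absent, the "no Smack" answer sticks, and every later label_mkdir() would silently skip labelling. The retest_smack() reset proposed in comment 3 is shown beside it. Assumptions made only for the demonstration: the probed path is kept in a variable instead of the fixed /sys/fs/smackfs/, a scratch directory under /tmp stands in for sysfs, and retest_smack() is a hypothetical name.

```c
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* systemd probes /sys/fs/smackfs/; here the location is a variable so the
 * scenario below can point it at a scratch directory (demonstration only). */
static const char *smackfs_path = "/sys/fs/smackfs/";
static int cached_use = -1;        /* -1: not probed yet, 0/1: cached answer */

/* Cached probe, same shape as the use_smack() under discussion: whatever the
 * first call observes is returned by every later call. */
bool use_smack(void) {
        if (cached_use < 0)
                cached_use = access(smackfs_path, F_OK) >= 0;
        return cached_use;
}

/* The reset suggested in comment 3 (hypothetical name): forget the cached
 * answer so the next use_smack() probes the filesystem again. */
void retest_smack(void) {
        cached_use = -1;
}

/* Replay the early-boot ordering: /proc is labelled (calling use_smack())
 * while /sys is still unmounted, then /sys appears. Returns 1 if use_smack()
 * reports Smack once smackfs is visible, 0 if the stale answer survives,
 * and a negative value if the scratch setup failed. */
int early_boot_scenario(bool call_retest) {
        char tmpl[] = "/tmp/smack-demo.XXXXXX";
        char path[sizeof(tmpl) + sizeof("/smackfs/")];

        char *dir = mkdtemp(tmpl);        /* stand-in for an unmounted /sys */
        if (!dir)
                return -1;
        snprintf(path, sizeof(path), "%s/smackfs/", dir);

        /* fresh "boot": nothing cached, probe aimed at the scratch directory */
        smackfs_path = path;
        cached_use = -1;

        /* 1. mount_one("/proc") -> mkdir_p_label -> label_mkdir -> use_smack():
         *    smackfs does not exist yet, so "no Smack" gets cached. */
        bool before = use_smack();

        /* 2. "mount" /sys: smackfs becomes visible */
        if (mkdir(path, 0755) < 0) {
                rmdir(dir);
                smackfs_path = "/sys/fs/smackfs/";
                return -2;
        }

        /* 3. with the comment-3 fix the cache is invalidated here */
        if (call_retest)
                retest_smack();

        /* 4. what every later label_mkdir() would now be told */
        bool after = use_smack();

        rmdir(path);
        rmdir(dir);
        smackfs_path = "/sys/fs/smackfs/";   /* do not leave a dangling pointer */

        if (before)
                return -3;                  /* scratch dir unexpectedly present */
        return after ? 1 : 0;
}

int main(void) {
        printf("without retest_smack(): use_smack() after /sys mount = %d\n",
               early_boot_scenario(false));
        printf("with    retest_smack(): use_smack() after /sys mount = %d\n",
               early_boot_scenario(true));
        return 0;
}
```

Reordering mount_table so that /sys is mounted before /proc, as the thread ends up doing, avoids the stale answer by making sure the very first probe already sees smackfs; the reset shown here is the alternative that keeps the cache correct whatever the mount order.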
Created attachment 97732 (new patch)

Submit: mount /sys before /proc to avoid cache corruption.
Currently, I'm porting Tizen to yocto, and one of the first steps is to activate smack security. Currently, I'm testing the first image with qemu.
OK, looks OK. Let's hope that this won't turn into a game of whack-a-mole where some things need /proc first, and others /sys... Applied. Thanks.