On Tue, 13.03.12 19:38, Roberto Sassu (roberto.sassu@xxxxxxxxx) wrote:

> >> static const MountPoint mount_table[] = {
> >> { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
> >> { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
> >> { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
> >>+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
> >
> > Failure to mount securityfs might be fatal for _your_ purposes, but I'd
> > wager that not only are some people not interested in this, but some
> > people (myself included) might not even have securityfs in their kernel.
> >
>
> Hi Dave,
>
> I think I can change this to false without breaking
> the other code, because at the beginning of the new
> file 'src/ima-setup.c' I check for IMA support in
> the kernel by checking for the existence of the
> '/sys/kernel/security/ima' directory. If the mount
> fails, this will be handled the same as when
> IMA support is disabled in the kernel.
> This should be acceptable because IMA requires the
> security filesystem as a dependency.
>
> I'll wait for other comments before reposting the patches.

Yes, please change this. It is important to us that systemd works well on kernels without any special security features enabled.

Also, may I ask you to turn this feature on in configure, by default? I presume that machines with this feature built into systemd but with no policy file around will boot just fine, right? Hence enabling this by default shouldn't hurt.

(The reason I want this enabled by default is that I -- or other devs -- build the code locally as comprehensively as possible, so that things don't start to bitrot that easily.)

Lennart

--
Lennart Poettering - Red Hat, Inc.
--
To unsubscribe from this list: send the line "unsubscribe initramfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
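Review bot: the added securityfs entry in the quoted hunk sets the trailing fatal flag to `true`, which makes a kernel built without securityfs fail early boot even though the thread agrees the feature should be optional. Since 'src/ima-setup.c' already treats a missing '/sys/kernel/security/ima' directory as IMA being disabled, a failed mount can be tolerated the same way; change the entry to `{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false },` so the mount is attempted but its failure is non-fatal, and mention in the commit message that securityfs is optional.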