Re: [systemd-devel] [PATCH-v3 1/2] systemd: mount the securityfs filesystem at early stage

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 03/14/2012 05:54 PM, Lennart Poettering wrote:

On Tue, 13.03.12 19:38, Roberto Sassu (roberto.sassu@xxxxxxxxx) wrote:


  static const MountPoint mount_table[] = {
          { "proc",     "/proc",                  "proc",     NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
          { "sysfs",    "/sys",                   "sysfs",    NULL,                MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
          { "devtmpfs", "/dev",                   "devtmpfs", "mode=755",          MS_NOSUID,                    true },
+        { "securityfs", "/sys/kernel/security", "securityfs", NULL,              MS_NOSUID|MS_NOEXEC|MS_NODEV, true },


Failure to mount securtiyfs might be fatal for _your_ purposes, but I'd
wager that not only are some people not interested in this, but some
people (myself included) might not even have securityfs in their kernel.



Hi Dave

i think i can change this to false without breaking
the other code, because at the beginning of the new
file 'src/ima-setup.c' i check for the IMA support in
the kernel by checking the existence of the
'/sys/kernel/security/ima' directory. If the mount
fails, this will be handled as the same as when the
IMA support is disabled in the kernel.
This could be acceptable because IMA requires the
security filesystem as dependency.

I'll wait for other comments before reposting the patches.


Yes, please change this. It is important to us that systemd works well
on kernels without any special security features enabled.



Hi Lennart

ok, will do.



Also, may I ask you to turn this feature on in configure, by default? I
presume that machines with this feature built into systemd but with no
policy file around will boot just fine, right? Hence enabling this by
default shouldn't hurt.



Sure. Yes, the code returns immediately if the policy file is missing.



(The reason that I want this enabled by default is that I -- or other
devs -- build this locally the code as comprehensively as possible so
that things don't start to bitrot that easily)



This is good, as users will not need to rebuild the RPM with the IMA
feature enabled but they can try this functionality if they want.

Regards

Roberto Sassu



Lennart



--
To unsubscribe from this list: send the line "unsubscribe initramfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux