bacm address config file no longer generated by service

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I see that the ibacm address configuration file,
/etc/rdma/ibacm_addr.cfg, is no longer generated by the ibacm service.
This change in behavior occurred as a result of service hardening
implemented by patch https://github.com/linux-rdma/rdma-core/commit/c719619aaa0ec2651edc4e5dee9f5ff81208b185.

The patch hardened the ibacm service by adding the following options to
ibacm.service:

> ProtectSystem=full
> ProtectHome=true
> ProtectHostname=true
> ProtectKernelLogs=true

ProtectSystem=full setting makes /etc read-only for processes invoked by
the ibacm service.

As a result, the code that generates the address configuration file (if
it does not exist) fails:

static FILE *acm_open_addr_file(void)
{
        FILE *f;

        if ((f = fopen(addr_file, "r")))
                 return f;

        acm_log(0, "notice - generating %s file\n", addr_file);
        if (!(f = popen(acme, "r"))) {
                acm_log(0, "ERROR - cannot generate %s\n", addr_file);
                return NULL;
        }

        pclose(f);
        return fopen(addr_file, "r");
}

The popen() code above is supposed to generate the file if it does not
exist (i.e., fails the first fopen()). The popen() now fails as a result
of the ProtectSystem option setting.

ibacm(8) does say "If the address file cannot be found, the ibacm
service will attempt to create one using default values."

I guess my question is simply was this change in behavior expected? Are
admins expected to run ib_acme to generate the address configuration
file prior to starting the ibacm service?

Is the popen() code in acm_open_addr_file() being left in place in case
an admin decides to remove the ProtectSystem option from the
ibacm.service file?

Sorry if there was discussion around this previously that I missed.

Thanks.
Mark




[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Photo]     [Yosemite News]     [Yosemite Photos]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux