Supervisory Watchdog notification not working when using SmackProcessLabel

On Mi, 01.08.18 11:18, Martin Townsend (mtownsend1973 at gmail.com) wrote:

> @@ -728,7 +729,12 @@ static int manager_setup_notify(Manager *m) {
> 
>                  m->notify_fd = fd;
>                  fd = -1;
> -
> +                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPIN, "*");
> +                if (r < 0)
> +                        log_error_errno(r, "mac_smack_apply_ip_in_fd: %m");
> +                r = mac_smack_apply_fd(m->notify_fd, SMACK_ATTR_IPOUT, "@");
> +                if (r < 0)
> +                        log_error_errno(r, "mac_smack_apply_ip_out_fd: %m");
>                  log_debug("Using notification socket %s", m->notify_socket);
>          }
> 
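Review bot: Both new "if (r < 0)" branches log at error level and then fall through to the log_debug() call, and the second assignment to r overwrites the first result, so a failed label leaves no trace beyond the log line. Decide whether a labelling failure is fatal here (return the value of log_error_errno()) or tolerable (log it as a warning and say so in a comment). The messages name mac_smack_apply_ip_in_fd and mac_smack_apply_ip_out_fd, which are not the function being called (mac_smack_apply_fd); describe the operation instead, for example "Failed to apply SMACK_ATTR_IPIN label to notification socket: %m". The literal labels "*" and "@" deserve a short comment explaining why those two were chosen, and the hunk also drops the blank line that separated the fd handover from the log_debug() call.
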
> Is there a better way of ensuring /run/systemd/notify can be accessed
> by a service with a user-defined SMACK label? Or is this patch to
> manager_setup_notify sufficient?

Generally, we upstream rely on submitted patches for everything MAC
related. We do not know the various MACs well enough to be able to
maintain this part of our codebase on our own.

Hence, if a patch like the one above is something we are supposed to
merge upstream, then please post this as a PR on our systemd GitHub, and
make sure that someone from SMACK upstream (for example Casey) likes
it and says so on the PR.

Thank you,

Lennart

-- 
Lennart Poettering, Red Hat

