I am working with systemd and SMACK on Yocto 2.5.1 (Sumo).
Systemd version: 237
As far as I've seen, there were no changes with SMACK in recent versions that would affect this.
Similar to Tizen, systemd runs with the "System" SMACK label.
-Dsmack-run-label=System
mount:
/dev/mmcblk1p2 on / type ext4 (rw,relatime,data=ordered)
devtmpfs on /dev type devtmpfs (rw,relatime,size=74556k,nr_inodes=18639,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
smackfs on /sys/fs/smackfs type smackfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
configfs on /sys/kernel/config type configfs (rw,relatime)
# ls -lZ /sys/fs/cgroup/ -a
total 0
drwxr-xr-x. 4 root root * 80 Oct 23 09:30 .
drwxr-xr-x 5 root root _ 0 Jan 1 2000 ..
dr-xr-xr-x. 4 root root * 0 Oct 23 09:30 systemd
dr-xr-xr-x 4 root root _ 0 Oct 23 09:30 unified
Everything in /sys/fs/cgroup/systemd has '*' and everything in /sys/fs/cgroup/unified has '_'.
In order to use '' in /sys/fs/smackfs/onlycap (which drops the CAP_SMACK_ADMIN and OVERWRITE capabilities for root itself) I need to give root and the System label access to /sys/fs/cgroup/unified.
So I need this to be mounted with '' similar to how it's already done in /sys/fs/cgroup/systemd.
I see there is some code to relabel the mountpoint at boot in #2205
I assume that this does not affect /sys/fs/cgroup/unified ?!
Is there any way to change the mount options or extend the relabeling?
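An audit helper for the situation described in the issue above, added here as an example; it is not part of the original thread or of systemd. It lists the cgroup mounts from `mount`-style output and reports those whose SMACK label differs from the expected one. It assumes `getfattr` (from the attr package) is installed on the target, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or from systemd): find cgroup mounts
# whose SMACK label is not the one the policy expects.

# Sample input: three lines taken from the mount output quoted in the issue.
# Offline trial: printf '%s\n' "$SAMPLE_MOUNTS" | cgroup_mountpoints
SAMPLE_MOUNTS='tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)'

# Read `mount`-style text on stdin and print the mount point of every
# cgroup (v1) or cgroup2 filesystem, one per line.
cgroup_mountpoints() {
    awk '$2 == "on" && $4 == "type" && ($5 == "cgroup" || $5 == "cgroup2") { print $3 }'
}

# Print the SMACK access label of a path (the security.SMACK64 xattr).
# Assumption: getfattr is available; prints nothing if the label is unreadable.
smack_label() {
    getfattr --only-values -n security.SMACK64 "$1" 2>/dev/null
}

# audit_cgroup_labels WANTED_LABEL
# Reads `mount`-style text on stdin. Prints "<mountpoint> <label>" for each
# cgroup mount whose label differs from WANTED_LABEL and returns 1 if any
# were found, 0 otherwise.
audit_cgroup_labels() {
    want=$1
    report=$(cgroup_mountpoints | while IFS= read -r mp; do
        label=$(smack_label "$mp")
        [ "$label" = "$want" ] || printf '%s %s\n' "$mp" "${label:-unreadable}"
    done)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Live check on the target: sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    mount | audit_cgroup_labels '*'
fi
```

With the labels shown in the `ls -lZ` listing above, the check reports only `/sys/fs/cgroup/unified`, which carries `_`.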
We rely on contributor patches when it comes to SMACK, as none of us upstream folks run SMACK. Hence, please find somebody from the SMACK camp to help you with this and provide us with a patch that fixes this.
My educated guess is that there's some relabel command missing somewhere in our code when the hybrid cgroup logic is used. But I can't provide you with a bugfix patch, as I can't test this. Sorry.
Thanks for the reply.
I checked the Tizen source and they are running systemd 231, which shows nothing about hybrid in mount-setup.c.
For now I am using -Ddefault-hierarchy=legacy with the mount options from Tizen's systemd.
Seems to work for now.
I'll forward to the SMACK team.
Let's hope there will be a patch upstream once Tizen updates its systemd.
Hmm, let's close this here, this is not actionable for us, as we don't use SMACK. Happy to review/merge a patch for this if this is still an issue, but otherwise there's no point in keeping this open, since we can't fix it really.