New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove capabilities after setting SmackLabel of executed processes. #7108
Comments
The version of systemd you use is old. Please read CONTRIBUTING.md
Anyway, the change is done by 5cd9cd3. And it seems that the logic in the current code is almost same as that time. I am not sure that your approach is right or not. But if the patch works fine for you, I recommend you to create a PR by rebasing it on top of the current master. |
@walyong any chance you can comment here? you appears to be the best SMACK guru to comment on this? @jobol note that the maintainers of systemd do not use or run SMACK, we rely on contributors such as @walyong to submit and review relevant patches. Anyway, if you have a proposed fix, please file it as PR for us to consider it. |
Thank you @yuwata and @poettering for your clear advises. I now understand that you have no specific already forged thoughts about what it has to be for smack related things. We are agreeing together that the exec must be done with the label set by SmackExecLabel except if prefixed with +. That matters. I'll wait a little for the advises of @walyong. I guess that the next step will be to go deeper in the understanding of the code (that I only reviewed fast) to propose some really appropriate code. |
I'm also using very old version of systemd now. (Because of kernel dependency.) But I'd looked into recent systemd code. And I found below comments:
@poettering I think there is some of similar issue in exec restriction. #3993. |
yeah, i cleaned up the execute.c order a bit, so that all MAC transitions are done at the same location. If SMACK transitions require more privileges than SELinux transitions, then I figure we need to move that back. Sorry for breaking that. I cannot test that unfortunately. Any chance you can look into this, and provide a patch that makes this work again for SMACK? |
Smack needs CAP_MAC_ADMIN. All explained. |
Yeah. Why not? :) Agree. |
I think the way to end this would be to implement a new way in kernel to set SMACK label that is delayed to |
With privilege: write the label you want to change to into /sys/fs/smackfs/relabel-self. |
Smack issues of all sorts should be sent to smack-discuss@lists.01.org and casey@schaufler-ca.com. |
see #7378 |
Closing, since #7378 has been merged. |
Submission type
systemd version the issue has been seen with
Used distribution
In case of bug report: Expected behaviour you didn't see
In case of bug report: Unexpected behaviour you saw
In case of bug report: Steps to reproduce the problem
Put in the unit file:
Then any process to start raise an error.
Appendice
I would really like to get your opinion on the topic because I can not believe that there is a mistake here on your side. So there is perhaps an other way to solve that issue. Some time ago (and some version ago) I had a look at how capabilities were handled when setting security context. IIRC it was well done so I'm surprized to raise that issue.
I use a patch to avoid the issue, it set smack label before dropping capabilities: https://gerrit.automotivelinux.org/gerrit/gitweb?p=AGL/meta-agl.git;a=blob_plain;f=meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch;h=a0e7456f82a5cfa3c391ce4d23260fdca8dec476;hb=e46ae4ae39e8b8924c86f213c14791573a10c9b0
The text was updated successfully, but these errors were encountered: