> -----Original Message-----
> From: Lennart Poettering [mailto:[email protected]]
> Sent: Tuesday, October 30, 2012 3:50 PM
> To: Kok, Auke-jan H
> Cc: Schaufler, Casey; [email protected]
> Subject: Re: [PATCH] SMACK: Add configuration options. (v3)
>
> On Tue, 30.10.12 15:44, Kok, Auke-jan H ([email protected]) wrote:
>
> >
> > On Tue, Oct 30, 2012 at 2:56 PM, Lennart Poettering
> > <[email protected]> wrote:
> > > On Mon, 29.10.12 20:17, Kok, Auke-jan H ([email protected]) wrote:
> > >> yes, you can detect it by reading /proc/filesystems and checking
> > >> for "smackfs", and if mounted, that it's enabled.
> > >
> > > Hmm, I think it's a good idea to mount all API VFS that are around,
> > > regardless whether the subsystem they are used for is actually
> > > really enabled. Isn't there a nicer way how to detect whether a
> > > SMACK policy is actually loaded?
> >
> > I started looking at it this morning during a meeting and this looks
> > easy enough to enable early on, and well worth doing. It's taking the
> > code from smackctl (which is LGPLv2... so, should be totally fine) and
> > dropping it in just like setup-ima|selinux.
> >
> > There is no "master ON" switch in SMACK (it is always on if compiled
> > enabled). But you can check if "/smack/load" contains data. If there
> > are 0 bytes in it, no rules were loaded. fopen()+feof() should
> > suffice, I think.
>
> feof() is only set after you tried to read at least once. But read(fd,
> &x, 1) > 0 should do the job.
>
> SMACK uses a top-level dir as mount point for its fs?

Yup. That was the convention at the time Smack was introduced.

> That should
> really be fixed. We moved all the other file systems (selinux, cgroups,
> ...) below /sys,

No one said boo about Smack at the time.

> and SMACK has no excuse to pollute the root fs for
> this.

Sure Smack does. But that's neither here nor there.

> Follow the SELinux scheme please and introduce /sys/fs/smack, and use
> that as default mount point.

I have been advocating standardization of LSM interfaces for some time.
The apparmor folks put theirs at /sys/kernel/security/apparmor. I would
hardly say that /sys/fs/smack would be better than /sys/kernel/security/smack.
I plan to move it when there's a consensus of where LSM filesystems should
go, or when there's a compelling reason to go someplace in particular.
I'm afraid that "SELinux does in this way" is not an argument *by itself*
that goes very far with the Smack project.

>
> Lennart
>
> --
> Lennart Poettering - Red Hat, Inc.
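
The two checks discussed in the quoted thread (smackfs listed in /proc/filesystems, and at least one byte readable from the load file), written out as an added example that is not part of the original message or of the systemd or Smack code. The function names `fs_listed` and `rules_loaded` are hypothetical, and both take the path as a parameter because the mount point is exactly what the thread is debating.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1 if fs_name appears in a /proc/filesystems-style file, 0 if not, -1 on error. */
int fs_listed(const char *filesystems_path, const char *fs_name)
{
    char line[256];
    int found = 0;
    FILE *f = fopen(filesystems_path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        /* Lines look like "nodev\tsmackfs\n" or "\text4\n": name follows the last tab. */
        char *name = strrchr(line, '\t');
        name = name ? name + 1 : line;
        name[strcspn(name, "\n")] = '\0';
        if (strcmp(name, fs_name) == 0) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* 1 if the rule file yields at least one byte, 0 if it is empty, -1 on error.
 * Assumes, as stated in the thread, that an empty load file means no rules. */
int rules_loaded(const char *load_path)
{
    char x;
    ssize_t n;
    int fd = open(load_path, O_RDONLY);
    if (fd < 0)
        return -1;
    n = read(fd, &x, 1);   /* an actual read; feof() alone would not have tried one */
    close(fd);
    return n < 0 ? -1 : n > 0;
}

int main(void)
{
    printf("smackfs known to kernel: %d\n", fs_listed("/proc/filesystems", "smackfs"));
    printf("rules loaded: %d\n", rules_loaded("/smack/load"));
    return 0;
}
```

A return of -1 from `rules_loaded` (file absent or unreadable) is kept distinct from 0 so a caller can tell "not mounted here" apart from "mounted, no rules".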
