On Wed, May 8, 2013 at 8:20 PM, Zbigniew Jędrzejewski-Szmek <[email protected]> wrote:
> On Wed, May 08, 2013 at 11:42:34AM -0700, Kok, Auke-jan H wrote:
>> On Tue, May 7, 2013 at 5:29 AM, Karol Lewandowski
>> <[email protected]> wrote:
>> > On 05/07/2013 01:32 PM, Lennart Poettering wrote:
>> >> On Tue, 07.05.13 13:21, Karol Lewandowski ([email protected])
>> >> wrote:
>> >>
>> >> Heya,
>> >>
>> >> Hmm, does that directory always exist? Or only if AppArmor is actually
>> >> runtime enabled?
>> >
>> > /sys/fs/smackfs is only registered when smack lsm is actually enabled:
>> >
>> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smackfs.c?id=e93072374112db9dc86635934ee761249be28370#n2179
>> >
>> >> I.e. this check should ideally only return true if SMACK is not only
>> >> built into the kernel, but actually really enabled during
>> >> runtime. That's what the SELinux check does and what the most useful
>> >> semantics are.
>> >
>> > Ok, I see that libselinux will consider selinux to be disabled also when
>> > policy is not loaded:
>> >
>> > http://userspace.selinuxproject.org/trac/browser/libselinux/src/enabled.c#L12
>> >
>> > I guess we could do something similar (inspect /proc/self/attr/current)
>> > but honestly, I don't think it's really needed. Rafał, could you correct
>> > me if I'm wrong?
>>
>> smack is different as in that it can function without any loaded
>> policies, so looking at policies isn't the right thing for smack. So
>> likely looking at the presence of smackfs is exactly the same as
>> looking at the preference of /proc/self/attr/current, except the
>> latter is more complex, so less desirable imho.
>
> Applied, with a commit message based on this explanation.
FYI, I just added similar code for IMA allowing ConditionSecurity=ima.

I will take the AR to ask our Intel security folks if we don't need to do more - as in verify that IMA actually has a policy loaded, but the policy interface for IMA is write-only, so there is no way to find out if a policy was previously written.

Cheers,

Auke
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
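The runtime probes the thread settles on (smackfs presence for SMACK, selinuxfs plus a loaded policy for SELinux, and only the securityfs directory for IMA because its policy interface is write-only), written out as an added C example that is not systemd's own code. The `root` prefix, `make_fake_root()` and the label values it writes are assumptions of this example so it can be run against a constructed directory tree instead of the live /sys and /proc.

```c
/* Added example, not systemd's own code: runtime "is this LSM on?" probes as
 * the thread describes; 'root' is an assumed prefix so they can be aimed at a
 * constructed tree instead of the live /sys and /proc. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
static int is_dir(const char *root, const char *p) {
    char buf[512]; struct stat st;
    snprintf(buf, sizeof buf, "%s%s", root, p);
    return stat(buf, &st) == 0 && S_ISDIR(st.st_mode);
}

/* SELinux needs selinuxfs AND a loaded policy: libselinux reads
 * /proc/self/attr/current and treats the boot label "kernel" as "no policy". */
static int selinux_enabled(const char *root) {
    char buf[512], label[64] = ""; FILE *f;
    if (!is_dir(root, "/sys/fs/selinux")) return 0;
    snprintf(buf, sizeof buf, "%s/proc/self/attr/current", root);
    if ((f = fopen(buf, "r")) == NULL) return 0;
    if (fgets(label, sizeof label, f)) label[strcspn(label, "\n")] = 0;
    fclose(f);
    return label[0] != 0 && strcmp(label, "kernel") != 0;
}

/* ConditionSecurity= style check: 1 enabled, 0 disabled, -1 unknown name. */
int condition_security(const char *root, const char *lsm) {
    if (strcmp(lsm, "selinux") == 0) return selinux_enabled(root);
    /* SMACK enforces with zero rules loaded, so a registered smackfs is the
     * whole test (the thread's conclusion); IMA's policy file is write-only,
     * so its securityfs directory is likewise all userspace can see. */
    if (strcmp(lsm, "smack") == 0) return is_dir(root, "/sys/fs/smackfs");
    if (strcmp(lsm, "ima") == 0) return is_dir(root, "/sys/kernel/security/ima");
    return -1;
}

/* Constructed fake tree for offline runs; 'label' fills the fake attr/current, NULL omits selinuxfs. */
int make_fake_root(const char *root, int smack, int ima, const char *label) {
    const char *dirs[] = { "", "/sys", "/sys/fs", "/sys/kernel", "/sys/kernel/security",
        "/proc", "/proc/self", "/proc/self/attr", smack ? "/sys/fs/smackfs" : "",
        ima ? "/sys/kernel/security/ima" : "", label ? "/sys/fs/selinux" : "" };
    char buf[512]; FILE *f;
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        snprintf(buf, sizeof buf, "%s%s", root, dirs[i]);
        mkdir(buf, 0700);                        /* EEXIST on repeats is fine */
    }
    if (label == NULL) return 0;
    snprintf(buf, sizeof buf, "%s/proc/self/attr/current", root);
    if ((f = fopen(buf, "w")) == NULL) return -1;
    fprintf(f, "%s\n", label);
    return fclose(f);
}
```

Calling `condition_security("", "smack")` probes the live machine; the fake-root path exists only so the three policy states can be exercised without booting a kernel with each LSM.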
