Smack: Test if smack is enabled before mounting

Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 10:52:15 -07:00 · 2013-10-09 10:52:15 -07:00 · 8552b17660
parent 463b5dbb0d
commit 8552b17660
4 changed files with 72 additions and 5 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -723,7 +723,9 @@ libsystemd_shared_la_SOURCES = \
 	src/shared/boot-timestamps.c \
 	src/shared/refcnt.h \
 	src/shared/mkdir.c \
-	src/shared/mkdir.h
+	src/shared/mkdir.h \
+	src/shared/smack-util.c \
+	src/shared/smack-util.h

 #-------------------------------------------------------------------------------
 noinst_LTLIBRARIES += \
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@ -42,6 +42,7 @@
 #include "missing.h"
 #include "virt.h"
 #include "efivars.h"
+#include "smack-util.h"

 #ifndef TTY_GID
 #define TTY_GID 5
@ -77,11 +78,11 @@ static const MountPoint mount_table[] = {
          NULL,       MNT_FATAL|MNT_IN_CONTAINER },
        { "securityfs", "/sys/kernel/security",      "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
          NULL,       MNT_NONE },
-        { "smackfs",    "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
-          NULL,       MNT_NONE },
 #ifdef HAVE_SMACK
+        { "smackfs",    "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
+          use_smack,  MNT_FATAL },
        { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-          NULL,       MNT_IN_CONTAINER },
+          use_smack,  MNT_FATAL },
 #endif
        { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL,       MNT_FATAL|MNT_IN_CONTAINER },
@ -89,7 +90,7 @@ static const MountPoint mount_table[] = {
          NULL,       MNT_IN_CONTAINER },
 #ifdef HAVE_SMACK
        { "tmpfs",      "/run",                      "tmpfs",      "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-          NULL,       MNT_IN_CONTAINER },
+          use_smack,  MNT_FATAL },
 #endif
        { "tmpfs",      "/run",                      "tmpfs",      "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
          NULL,       MNT_FATAL|MNT_IN_CONTAINER },
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@ -0,0 +1,36 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+  This file is part of systemd.
+
+  Copyright 2013 Intel Corporation
+
+  Author: Auke Kok <auke-jan.h.kok@intel.com>
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "smack-util.h"
+
+#include <unistd.h>
+
+static int use_smack_cached = -1;
+
+bool use_smack(void) {
+
+        if (use_smack_cached < 0)
+                use_smack_cached = (access("/sys/fs/smackfs", F_OK) >= 0);
+
+        return use_smack_cached;
+}
--- a/src/shared/smack-util.h
+++ b/src/shared/smack-util.h
@ -0,0 +1,28 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+  This file is part of systemd.
+
+  Copyright 2013 Intel Corporation
+
+  Author: Auke Kok <auke-jan.h.kok@intel.com>
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdbool.h>
+
+bool use_smack(void);