init: optionally load the system SELinux policy #400
Conversation
WavyEbuilder
force-pushed
the
master
branch
2 times, most recently
from
5952f94 to
35df218
Compare
|
Current TODO (just to note I am aware of it) is to link against libselinux in the Makefile. |
|
I've added an --enable--selinux option to the configure script, however I am not really sure how best to go about linking against libselinux as it is an optional dependency. Any advice in this regard? |
|
Think I've got that sorted by passing a linker flag. |
|
I will review properly when I get a chance. I don't know a heap about SELinux so bare with me. A couple of things I will point out now though:
|
|
Hey! Appreciate the fast response.
A lot of the other init systems mentioned /dev/console not being available at that point in time (which is a reasonable assumption as if the policy fails to load there is a good chance SELinux would block access to /dev/console). I had a quite glance through dinit-log.cc and it appears like it just uses stdout - would this be correct?
I'll make sure to change that to use
Generally the command-line option is provided to the kernel cmdline (which the
I'll make sure to do that |
|
Also, would you like me to commit any changes as separate commits until you are happy with it so you can see the diffs between changes a bit easier, or would rebasing be preferred? |
|
Alright took a look at this a bit more thoroughly and I have a few design questions to raise quickly, notably regarding
static int initialize_security(
bool *loaded_policy,
dual_timestamp *security_start_timestamp,
dual_timestamp *security_finish_timestamp,
const char **ret_error_message);Then we could just call our implementation of a similar function once in dinit_main (ideally as early as possible, being security frameworks it makes sense to attempt to load them as early as possible). Now given that we have C++ to hand here, I was wondering how to go about propagating errors back. Being C++11, we don't have anything like
I think that'd be a reasonable way of structuring things, but being my first PR to dinit and my first real work on a C++ project below 14, your input would be greatly appreciated. Thanks! |
Log any relevant message (via
If we're just talking about adding a single method, I don't see any advantage in doing that now, as it can easily be done if and when support for other security frameworks are added. Let's just keep it simple.
Ok, that sounds fine. |
Actually, thinking about this more, there may still be cases where SELinux is enabled but the loading of the policy should not be performed. One example is given by the Systemd code here. Also, can you clarify what this might mean? I want to know what file descriptors SELinux would keep open and in what circumstances. Are you doing this work for a distribution or is it a more personal endeavour? |
|
(Finally: make sure you have read CONTRIBUTING and CODE-STYLE documents, if you haven't already. Thanks!). |
Got it, thanks :)
Yup, makes sense, should be fairly easy with to deal in the future. Will do!
That's a good example. For that specific initrd case, I had a look at systemd's /* If /etc/initrd-release exists, we're in an initrd.
* This can be overridden by setting SYSTEMD_IN_INITRD=0|1.
*/ Would you like to do the same with an override here? (maybe something more like DINIT_IN_INITRD) If you'd still like to add a flag override of some sorts to tell dinit to not load the selinux policy, I feel like that should be an opt in sort of thing, because while not loading the selinux policy won't load any of the user's policy, it doesn't mean selinux won't be loaded. In that case, everything runs in the
Afaik this is generally in the case of when it needs to audit something related to that fd so it keeps it open for a bit? I remember seeing something similar in the past, but I'm not exactly too happy with that answer as I can't answer it with 100% confidence, so if that's okay I'll do a bit of digging in the libselinux docs and get back to you on that.
I'm currently using Gentoo and dinit on basically all of my systems (which doesn't have upstream Gentoo support currently), however I am hoping to try improving the support (and maybe possibly getting official support) for dinit for both Adelie and Gentoo (nothing offical, just me on my own there, though I have spoken to some developers of the respective distros about that, but absoloutly nothing really offical yet). This specific piece of work was started when I hit a few weird bugs with my SELinux policy while dealing with a few ebuilds for dinit related to SELinux (policy for it), so in the future as Gentoo has offical SELinux support it might be useful, but for now really just take it as a personal endeavour, I'm not affiliated with any distro officially :)
Had a read over them already, but I'll make sure to reread CODE-STYLE |
|
Did a bit of digging and found this commit systemd/systemd@a3dff21 which seems to explain it quite nicely. |
|
Hmm reading the Still seems fine to transition with |
|
I think it'll be best to consider how SELinux aware we want dinit to be at this stage. After reading some more man pages and systemd code, it seems like systemd transitioning itself to the new context is an okay option as they already make heavy use of selinux throughout (i.e. in transient units which have an SELinuxContext= option). However, if our only goal (at least in the short-term) is to load the policy, then I think it makes sense to stick with the If we want to be a little bit more SELinux aware, (i.e. if it is not unforeseeable to make use of libselinux more throughout dinit), then I would probably start off by creating an selinux utils header of some point as there is quite a bit of setup, etc that'll need to be done. My personal opinion would be (for the sake of simplicity) to stick with the However, if you'd still like to continue with setting our own context, I can go down that route. It'd require a bit more design though, so it might be worth working on getting some helper functions stubbed out firstly. |
That's fine but it will need a commitment from you that you will support it going forward, or otherwise make it clear that it's experimental/unsupported in relevant documentation. (Incidentally I think you missed updating the build instructions - that's something that would need to be added). To be honest I'm not sure I'm following your reasoning in a few ways:
I don't really understand why that makes a difference. What is the reason why this would not be a good option for dinit as well? (I get that Dinit doesn't provide specific support for SELinux features when executing service processes, but why does that make a difference as to the mechanics of how the policy is loaded?) I'm fine with the policy loading happening very early in dinit's execution. But:
If we are going to call I know you had a few other questions for me and I can go back to those, but I really need some clarification on these points. I don't want to be discouraging but it seems like there are a few details you're not really sure of yourself, and that gives me some pause. I'm hesitant to incorporate something where I really don't understand why things have been done the way they have. If there's open questions that you need to sort out, please feel free to take whatever time you need to do that, but let's get them sorted first and talk details of the code then. |
|
Hey,
I can commit to that, but would also be happy mentioning it is experimental.
I think I phrased that badly earlier, I'll rephrase it a little here now. Systemd makes use of SELinux a lot inside it being quite SELinux aware so it already has a lot of boilerplate that will be used elsewhere. The reason why transitioning to the new context is a little more complex is because it requires a bit more setup, we are in a privileged domain at that point and we are sort of entrusting ourselves to do it right, so it'd require a fair amount more code I would think.
An initramfs can work fine for this (and often is!) or some simpler pid 1 that's only job is to launch dinit properly with the right context, but (at least to me) that feels a little unnecessary.
That's fair, I did phrase it quite badly above. My main reasoning was based off the
That makes sense. For now I'll just presume we're going down the route of transitioning ourselves to a new context and I'll push in a bit with an example of that and let you compare.
|
This, I guess, is what I don't understand. I can see that opening file descriptors before loading the policy might give access to things that the policy will then disallow but, if we are loading the policy quite early and we have opened file descriptors then in fact we do need those file descriptors. If the policy disallowed that access then that would be a broken policy anyway. Dinit doesn't go around just casually opening files. Likewise any other resource it has accessed, it probably needs. And anyway, as far as I can tell, applying the security label will enforce access against file descriptors that were opened previously anyway. Eg from https://www.systutorials.com/docs/linux/man/3-setcon_raw/ -
Given those are taken care of (and ptrace shouldn't be an issue anyway), and given that we'd be loading the policy early (before doing just about anything anyway), what would be the concerns in regards to "entrusting ourselves to do it right?" I'm after concrete examples.
To me it feels unnecessary to me add specific support (including a library dependency) for something in Dinit which can be handled just as well from outside, and re-executing our own process right after we start honestly just feels like a hack. At the moment my position on that is a "no", I would need to be given a good, concrete reason for why that should change. Applying the security context within the already-running process without re-
A little bit more code isn't an issue, if we have already gone as far as adding a dependency and providing support for SELinux then we may as well do it properly. My bad for the "keep it simple" comment which caused confusion - I meant, keep it restricted to the specific functionality that you are wanting to implement; we don't need abstraction layers for handling other security frameworks, etc. But before you said:
Is it a bit, or is it a fair amount? (or am I conflating two different things?) |
|
As for A good example is this. Imagine we start out with kernel context (what dinit starts out with on my system before the policy is loaded). We have some fd's opened, and the kernel context has permission to use them. Now we load the policy, transition ourselves, and the loaded policy executes us as init_t. In the Gentoo refpolicy, then that kernel context becomes kernel_t. Now SELinux will prevent us from using those open file descriptors.
Oh I see what you meant by keeping it simple now :) I was a bit confused with what you were after, but it shouldn't really require any sweeping changes for the codebase, it should all be confined to that function we'll make to load the policy, which will be the thing that's a bit longer. That's all good then, I can make the transition work. I'll get to work on that, and if there are any concerns please let me know. Thanks for all the time you've given this so far, appreciated a lot. |
WavyEbuilder
force-pushed
the
master
branch
2 times, most recently
from
5ddfc4d to
d5295d9
Compare
|
Alright I think I've got this working as desired now. I've just made a function If anything is unclear/you feel any comments are needed, please let me know, and I'll make sure to add them. |
|
(just updated an error message as i'm not longer using |
|
Just fixed another silly mistake, forgot to chance |
|
Could you remove the "Draft:" status if it's ready? I'll get to it when I can. A couple of things I noticed when looking quickly now:
Can I ask you to please go through our discussion and double-check you've addressed the things we did discuss. One other thing I noticed now:
Answers to some of your earlier questions:
You can squash commits but don't rebase onto any changes in master (if there are any), thanks.
No, just a command line option. |
|
Hi Davin, This message isn't a ping (intentionally) as I still am yet to write a bit more documentation, but a small status update. Just made a few commits. I've added a comment above the check for I've clarified a little more about the kernel context to be more accurate in the selinux_transition comment. I haven't updated that comment regarding the early return if For early returning true (and continuing the boot if
For early returning false (and halting the boot if
As for what systemd does, it continues the boot in permissive mode and logs a warning. The code for that can be seen here https://github.com/systemd/systemd/blob/main/src/core/selinux-setup.c#L90-L102. |
This doesn't seem like a decision that has any sort of major impact on the PR so: make a decision yourself, and justify it. From my point of view I want as little work to do, until the PR is ready, as possible. Thanks. (No need to give status updates either. Just take whatever time you need, finish the work, do it right, do it well). |
|
Hi Davin, Just thought I'd give a small update as it's been quite a while now. The current mechanism so far seems robust, however:
I'll be less active over Christmas so it'll be a few weeks before I push anything more, but I'll clean up the merge conflicts as well next. Just wanted to note that I haven't abandoned the PR. Thanks |
|
Hi, that's fine, but I have one major concern after just having looked over the current changes. There is some code that is currently part of the PR: Compared to some code that you pasted earlier, which turns out to be from Systemd: Obviously they are not completely identical, but just as obviously, at least the comment was taken from Systemd and then modified slightly for this PR. You cannot do that. All code and comments in the PR should be your own work (and if any isn't, this absolutely needs to be flagged when you raise the PR). This is true not just for Dinit but any project where you open a PR. The Systemd license is not compatible with the Dinit license, and we do not have the right to relicense code that is derived from Systemd code. I know this is only a small piece of code (assuming there is not more that is copied) but this is a major issue. This could cause massive headaches down the line if a Systemd developer discovered that code, and realised where it originated from. They might insist that the code be removed, or in the worst case I could end up in some legal entanglement. You will need to re-do any code that you copied from Systemd or anywhere else. I'm afraid you will need to find your own wording for the comments. It is honestly better to not even look at the Systemd code. And since this has come up, I'm going to have to get you to confirm again once this is ready whether the PR is your own work. |
|
Thanks for the heads up - I didn't think that'd be copyrightable/was fairly trivial, got it now and noted for the future. I gave a cursory glance over at the changes so far, everything outside of https://github.com/davmac314/dinit/pull/400/files#diff-478d55d4071495e39c6c94175bef40d012ddcbcd6c35fb57766263e2cf690bfdR493-R495 https://github.com/davmac314/dinit/pull/400/files#diff-478d55d4071495e39c6c94175bef40d012ddcbcd6c35fb57766263e2cf690bfdR514-R518 https://github.com/davmac314/dinit/pull/400/files#diff-478d55d4071495e39c6c94175bef40d012ddcbcd6c35fb57766263e2cf690bfdR594-R601 Everything else there should be good as far as I can tell, I'll make sure to give it a look through again later.
I understand, all good.
I'll make sure to do that. Appears to just be that snippet
Noted for anything else I write.
All good. So far I think everything else looks fine, I'll recheck again later as well. |
|
Ok, thanks, I appreciate you taking this seriously.
While it is only a small piece of code, that doesn't mean it's not copyrightable. I'm not a lawyer so I don't claim to know for sure whether copyright would apply to the comment but I suspect it would (and I don't want to take the risk anyway). But also, if any code is based off someone else's work even in a small way, that should always be acknowledged (eg in a comment) - regardless of copyright, it's the right thing to do. In this case I'd rather simply not have either issue, i.e. have the code written from scratch. |
|
Hi Davin, Could I ask you to review the latest commit? I'm not really familiar with the ins and outs of copyright, and I'm unsure as to whether or not that commit addresses the issue. From your previous comment:
I have reworded the comment (let me know if that isn't reworded suitably), but I don't think the actual check made in this commit e06e054#diff-478d55d4071495e39c6c94175bef40d012ddcbcd6c35fb57766263e2cf690bfdR519 (the code, not the comment) is copyrightable as it is simply logic and not really related to systemd code at all. For clarity, I'm referring to Thanks |
|
I've decided it might just be best to do a cleanroom rewrite of that comment instead, so I did so in a blank text editor. For full transparency, it's based off the wording of the This is located in the source of libselinux here: https://github.com/SELinuxProject/selinux/blob/main/libselinux/man/man3/getcon.3#L147-L150 Looking at the license of libselinux: https://github.com/SELinuxProject/selinux/blob/main/libselinux/LICENSE It appears to be public domain software, which as far as I can tell means it should be okay to quote. I deemed that a comment giving acknowledgement to the NSA or the SELinux Project was unnecessary for this, as it is the manpage of the function I'm calling. However, let me know if you'd like me to add one, I'd be more than happy to do so |
|
I think you need to use your judgement (taking in to account what I've already said). These things aren't always black and white and I don't really want to be pulled in to make a judgement on every thing that comes up. Please get the PR to the state where you are satisfied with it and ask for review only at that stage (remember to self-review first). Quick couple of points now since I have been drawn in to look at it:
Once again, please complete the PR before asking for review. |
|
Btw:
Quoting would certainly be fine (even verbatim) and in that case then it is absolutely a good idea to say where the quote comes from. What I said before was:
That does not say that necessarily "you must acknowledge the specific authors of the work", but rather "you must acknowledge that the code is based off someone else's work". Something like "as stated in the man page for ..." would do that. I think if you are quoting info from a man page then acknowledging that is not only a good thing to do, it is genuinely useful. |
|
Thanks for all your clarifications, I appreciate it. Just wanted to err on the side of caution as (understandably) copyright is a sensitive topic. Think I've got it now. I'll continue on with the PR with self-review until it is ready for review (i.e. mergeable should no other issues come up). |
|
Hi Davin, I'm ready for review again. I've gone over CODE-STYLE and CONTRIBUTION again and everything should be sorted. I've also created a One potential gripe off the bat may be with the manpages - I read the Thanks |
|
I will try to get to this soon.
Just try to keep to approximately the same length as surrounding lines and I would be happy. I think most are wrapped at around 100 from memory and that's probably the right thing to aim for (i.e. same rules as source code - wrap at 100, extend up to 110 if wrapping at 100 is awkward for some reason). I did have a very quick look and you're not following the guide in the README, example: Specifically:
The example I quoted above has one complete sentence on one line and continues another on the same line, so the first sentence doesn't end at the end of a line. |
There was a problem hiding this comment.
I have made a lot of comments but most are minor.
There are two issues which really stand out:
- error messages aren't always appropriate logged via the logging subsystem (that might need a little work to handle - I think it will be fine to log messages before the logging is initialised and that it will just cause the message to be buffered, but possibly log iniitalisation then needs to check whether buffered content exists and attempt to output it).
- the "/proc" directory is created, this is a big No.
doc/linux/SELINUX.md
Outdated
|
|
||
| Dinit has support for basic SELinux awareness. This document is intended to | ||
| outline the extent and inner workings of dinit's SELinux awareness. The reader | ||
| is assumed to be knowledgeable about the basics of SELinux and dinit. |
There was a problem hiding this comment.
Where is suitable information/documentation about SELinux available?
There was a problem hiding this comment.
I have linked to it in 0f114a6, and I haven't wrapped the raw line at 100 characters as to me that seems unnatural for rendered markdown (which still wraps at 100 here), however I'm happy to change that if you wish
|
Thanks! I'll work on this today and tomorrow. |
|
Just a heads up: I've found an annoying bug while testing for some of the I have deleted the policy file from This machine with that policy file will boot and transition correctly to the correct context, which indicates Because of https://github.com/SELinuxProject/selinux/blob/main/libselinux/src/load_policy.c#L243-L262 and https://github.com/SELinuxProject/selinux/blob/main/libselinux/src/load_policy.c#L299-L310, it shouldn't result in So something is evidently wrong. I've addressed the majority of the small nits above for now and I'll work on this before doing anything else further Update:After applying this patch: diff --git a/src/dinit.cc b/src/dinit.cc
index a1afbfa..937cb75 100644
--- a/src/dinit.cc
+++ b/src/dinit.cc
@@ -522,6 +522,17 @@ static bool selinux_transition(const char *exe)
// /etc/selinux/config, selinux_init_load_policy(3) will handle all cases for us.
if (selinux_init_load_policy(&enforce) != 0) {
cerr << "Failed to load SELinux policy." << endl;
+ cerr << "[DEBUG] " << strerror(errno) << endl;
+
+ std::ifstream cmdline("/proc/cmdline");
+ if (!cmdline) {
+ cerr << "[DEBUG] can't open /proc/cmdline for reading" << endl;
+ return false;
+ }
+ std::string buf;
+ std::getline(cmdline, buf);
+ cerr << "[DEBUG] /proc/cmdline: " << buf << endl;
+
return false;
}I have come across something quite interesting: So I am confident that at that point int enforce = 0;
// We don't need to worry about the enforcing=0 kernel cmdline option or parsing
// /etc/selinux/config, selinux_init_load_policy(3) will handle all cases for us.
if (selinux_init_load_policy(&enforce) != 0) {
// more stuff here
}This makes this not a bug, however it makes my previous decision to continue to fail if we can't launch in permissive mode make less sense - I would argue that from a usability perspective while I'm not a fan of the system being in an invalid state if we can't load the policy, we should respect this, as seen in this situation without a policy file itself as this is a valid path where disabling SELinux itself is desirable via the cmdline arg. Previously you left this tradeoff to my discretion, and in light of this I've updated the code to not fail if not requested to launch in enforcing mode. I hope the logic above for making this change makes sense (a more detailed explanation is given in the commit message), I'm happy to provide further explanation if anything seems unclear or off. |
|
Hi Davin, I'd like to request a review again. I think I've basically done everything needed to get the logging system working as intended. I've been testing with qemu and serial console to check the output of the log for booting, as well as using and testing the log_file option. From the dinit log file (via the log file option): So as far as I can tell both logically and with practical tests things should all be working :) Thanks again! |
There was a problem hiding this comment.
This has made progress but for documentation the focus should be on being clear and helpful to the user. I have pointed out some things that I think should be changed.
There are a couple of other comments to address also.
Finally, can you please squash the commits into one or two (or a few more if that really makes sense), with appropriate commit messages.
src/dinit.cc
Outdated
|
|
||
| int enforce = 0; | ||
| // We don't need to worry about the enforcing=0 kernel cmdline option or parsing | ||
| // /etc/selinux/config, selinux_init_load_policy(3) will handle all cases for us. |
There was a problem hiding this comment.
Can you elaborate, i.e. how will selinux_init_load_policy handle enforcing=0.
Comments should answer questions not raise them :)
doc/linux/SELINUX.md
Outdated
| be PID1 in this senario, this can be done by appending the flag to the kernel cmdline. | ||
|
|
||
| If not already mounted in earlier boot (e.g. by an initramfs), dinit will mount `/sys`, | ||
| and selinuxfs (typically `/sys/fs/selinux`) during the call to `selinux_init_load_policy(3)`. |
There was a problem hiding this comment.
This is too specific to implementation details. How should the user know when/if selinux_init_load_policy is called? What is this telling them? What do they need to know instead? (eg. that it happens before any services are started).
There was a problem hiding this comment.
Should be sorted, let me know if the updated documentation is okay
This commit adds support for loading the system SELinux policy when dinit is running as the system manager. A new option has been added to not load the SELinux policy, --disable-selinux-policy. SELinux support is only available on Linux platforms, and is gatekept behind an SELinux enabled build configuration. Signed-off-by: Rahul Sandhu <[email protected]>
|
Hmm, I see you've re-based onto current master. Please don't do that until ready for final merge (i.e. once the PR has basically been approved). Now I can't compare the changes between the previous incarnation of the PR and the current incarnation. |
There was a problem hiding this comment.
Some more comments.
Please take care to address the specific comments, but also re-review your own PR to make sure there aren't other changes that should apply in more than one place. Also check correctness of documentation and check terminology used in new documentation for consistency with existing documentation.
| @@ -298,6 +302,16 @@ There are several ways to work around this. | |||
| Service names following the \fB\-\-container\fR (\fB\-o\fR) or \fB\-\-system\-mgr\fR (\fB\-m\fR) options are not ignored. | |||
| Also, the \fB\-\-service\fR (\fB\-t\fR) option can be used to force a service name to be recognised regardless of operating mode. | |||
| .\" | |||
| .SH SELINUX SUPPORT | |||
| .LP | |||
| When running as PID 1 on a SELinux enabled machine, \fBdinit\fR will by default load the system's SELinux policy. | |||
There was a problem hiding this comment.
When I look at the code, it looks to me like the SELinux policy will be loaded if dinit is running as system manager and system init, but this says "when running as PID 1"? (I already pointed out a similar issue in the previous review; you should address all cases).
Isn't it the case that this happens only if Dinit has been built with SELinux support enabled?
What happens in case of various failures? Eg failure to load the policy.
| .SH SELINUX SUPPORT | ||
| .LP | ||
| When running as PID 1 on a SELinux enabled machine, \fBdinit\fR will by default load the system's SELinux policy. | ||
| This behaviour can be disabled by passing the \fB\-\-disable\-selinux\-policy\fR option to dinit. |
There was a problem hiding this comment.
You don't really need to mention this, that option is already documented (also "dinit" lacks formatting).
| When loading the SELinux policy, dinit will automatically mount a few special filesystems needed to successfully load the policy. | ||
| \fBsysfs\fR will be mounted at \fB/sys\fR, and \fBselinuxfs\fR will be mounted at \fB/sys/fs/selinux\fR. | ||
| \fBdinit\fR will not unmount either. | ||
| \fBprocfs\fR will also be mounted at \fB/proc\fR, but \fBdinit\fR will unmount it after loading the SELinux policy. |
There was a problem hiding this comment.
I find this whole section problematic. First, other than /proc, it's not really dinit that mounts the filesystems; that happens inside the SELinux library and is prone to change if the library does, so I would prefer that the documentation doesn't claim that dinit does this itself but instead makes it clear that the SELinux framework may mount filesystems (and specify /sys/ etc as examples).
If you're going to mention /proc being temporarily mounted (and I guess that it's probably a good idea to mention it) then at least be clear on the significance of this. Rather than talk about when it's mounted and unmounted just say that it is temporarily mounted in order to load the policy, that's much more concise and less confusing. But also, point out that the /proc directory must exist for this to be successful, and that the temporary mount will overmount any previously-mounted /proc until the temporary mount is removed (I guess you perhaps didn't realise this), and what the likely outcome of being unable to mount /proc will be.
| @@ -6,6 +6,7 @@ | |||
| #include <cstddef> | |||
| #include <cstdlib> | |||
|
|
|||
| #include <sys/mount.h> | |||
There was a problem hiding this comment.
This isn't a header specified by POSIX, we cannot rely on it being unconditionally available.
| mentioned in this document. | ||
|
|
||
| ## Loading the system SELinux policy | ||
| When booted as the system init system, dinit by default will attempt to load the |
There was a problem hiding this comment.
"system init system" sounds weird. Say "system init" just as we do elsewhere.
| When booted as the system init system, dinit by default will attempt to load the | ||
| system's SELinux policy and transition itself to a context specified by that policy | ||
| if not already done so in earlier boot (e.g. by an initramfs). This behaviour may be | ||
| disabled by passing dinit the `--disable-selinux-policy` flag. |
There was a problem hiding this comment.
"flag" -> command-line argument.
| If not already mounted in earlier boot (e.g. by an initramfs), dinit will mount `/sys`, | ||
| and selinuxfs (typically `/sys/fs/selinux`). This occurs before any services are started, | ||
| as loading the SELinux policy is the first thing dinit does. |
There was a problem hiding this comment.
See comments elsewhere about assigning responsibility for these actions.
It seems odd to mention this here but not also mention the temporary mounting of /proc, especially as it appears in the chart below.
| // This function will attempt to mount /sys and /proc unconditionally, but will not bail if it | ||
| // fail to do so. /sys will remain mounted after returning, and it is possible for /sys to still | ||
| // remain mounted despite returning false. This function will attempt to unmount /proc if it was | ||
| // responsible for mounting it, but lazily unmounts it using MNT_DETACH so while /proc will be | ||
| // unavailable for new accesses, it is not guarenteed to be unmounted. |
There was a problem hiding this comment.
Make clear where the responsibility for mounting /sys lies (and why does this mention only /sys and not /sys/fs/selinux?)
What is the point of the lazy unmount using MNT_DETACH? (either explain why it's necessary to do it that way, or don't do it that way).
My apologies - would you like me to keep making commits like before and then to squash them? |
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Signed-off-by: Rahul Sandhu <[email protected]>
Yes, just as I said earlier:
Note that I requested even then that you don't rebase onto master. It is trivial to see diffs between successive versions of the PR changes even if you squash the commits. It becomes difficult when you also rebase onto master. |
Implements #399 . Currently a draft PR for some of the reasons noted in that issue. Another thing to add:
fprintfif the SELinux policy fails to load (as/dev/consoleis likely unable to be accessed at that point). Would you preferstd::coutto be used for now in this case?