From shawn at churchofgit.com Wed Nov 20 05:41:11 2013 From: shawn at churchofgit.com (Shawn Landden) Date: Tue, 19 Nov 2013 12:41:11 -0800 Subject: [tomoyo-dev-en 365] [PATCH 2/2] init_policy: add Debian multi-arch lib directories to make_ldconfig_readable_files() In-Reply-To: <1384893671-8168-1-git-send-email-shawn@churchofgit.com> References: <1384893671-8168-1-git-send-email-shawn@churchofgit.com> Message-ID: <1384893671-8168-2-git-send-email-shawn@churchofgit.com> List of multi-arch tuples here: https://wiki.debian.org/Multiarch/Tuples --- usr_lib_tomoyo/init_policy.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/usr_lib_tomoyo/init_policy.c b/usr_lib_tomoyo/init_policy.c index e2fd29a..c0ec4b0 100644 --- a/usr_lib_tomoyo/init_policy.c +++ b/usr_lib_tomoyo/init_policy.c 
@@ -460,6 +460,22 @@ static void make_ldconfig_readable_files(void) "/usr/lib/tls/i686/", "/usr/lib/tls/i686/cmov/", "/usr/lib/sse2/", "/usr/X11R6/lib/", "/usr/lib32/", "/usr/lib64/", "/lib64/", "/lib64/tls/", + "/usr/lib/x86_64-linux-gnu/", "/lib/x86_64-linux-gnu/", + "/usr/lib/i386-linux-gnu/", "/lib/i386-linux-gnu/", + "/usr/lib/arm-linux-gnueabihf/", "/lib/arm-linux-gnueabihf/", + "/usr/lib/arm-linux-gnueabi/", "/lib/arm-linux-gnueabi/", + "/usr/lib/aarch64-linux-gnu/", "/lib/aarch64-linux-gnu/", + "/usr/lib/ia64-linux-gnu/", "/lib/ia64-linux-gnu/", + "/usr/lib/mips-linux-gnu/", "/lib/mips-linux-gnu/", + "/usr/lib/mipsel-linux-gnu/", "/lib/mipsel-linux-gnu/", + "/usr/lib/powerpc-linux-gnu/", "/lib/powerpc-linux-gnu/", + "/usr/lib/ppc64-linux-gnu/", "/lib/ppc64-linux-gnu/", + "/usr/lib/s390-linux-gnu/", "/lib/s390-linux-gnu/", + "/usr/lib/s390x-linux-gnu/", "/lib/s390x-linux-gnu/", + "/usr/lib/sh4-linux-gnu/", "/lib/sh4-linux-gnu/", + "/usr/lib/sparc-linux-gnu/", "/lib/sparc-linux-gnu/", + "/usr/lib/sparc64-linux-gnu/", "/lib/sparc64-linux-gnu/", + "/usr/lib/x86_64-linux-gnux32/", "/lib/x86_64-linux-gnux32/", }; int i; FILE *fp = !access("/sbin/ldconfig", X_OK) || -- 1.8.4.3 From shawn at churchofgit.com Wed Nov 20 05:41:10 2013 From: shawn at churchofgit.com (Shawn Landden) Date: Tue, 19 Nov 2013 12:41:10 -0800 Subject: [tomoyo-dev-en 366] [PATCH 1/2] init_policy: drop unneeded exceptions when systemd installed Message-ID: <1384893671-8168-1-git-send-email-shawn@churchofgit.com> Systemd makes execution much more orderly. It directly executes all services, making all the initilize_domain directives, except the other kernel entry points of modprobe and hotplug, here unneeded. Systemd's sysvinit compat also renders the sysvinit aggregators unneeded, as it always executes the /etc/init.d/* version. --- usr_lib_tomoyo/init_policy.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
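Review bot: The pair `"/usr/lib/ppc64-linux-gnu/", "/lib/ppc64-linux-gnu/"` does not look like a Debian multiarch tuple; as far as I recall the ppc64 port's triplet is `powerpc64-linux-gnu`, so these two strings should be checked against the wiki page cited in the description before they land. The other tuples follow the naming scheme, but since the table presumably feeds read rules for ldconfig, if the loop that follows (outside the hunk) does not stat each entry first, every host will carry rules for a dozen architecture directories that do not exist on it — harmless for enforcement, but noise in the generated policy that makes review harder. make_ldconfig_readable_files begins and ends outside the hunk.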
diff --git a/usr_lib_tomoyo/init_policy.c b/usr_lib_tomoyo/init_policy.c index 5830613..e2fd29a 100644 --- a/usr_lib_tomoyo/init_policy.c +++ b/usr_lib_tomoyo/init_policy.c @@ -811,9 +811,11 @@ static void make_exception_policy(void) make_readdir(); make_getattr(); scan_modprobe_and_hotplug(); - make_init_dir_as_initializers(); - make_initializers(); - make_init_scripts_as_aggregators(); + if (access("/lib/systemd/systemd", X_OK) != 0) { + make_init_dir_as_initializers(); + make_initializers(); + make_init_scripts_as_aggregators(); + } /* Some applications do execve("/proc/self/exe"). */ fprintf(filp, "aggregator proc:/self/exe /proc/self/exe\n"); close_file(filp, chdir_policy(), "exception_policy.tmp", -- 1.8.4.3 From shawn at churchofgit.com Wed Nov 20 06:14:07 2013 From: shawn at churchofgit.com (Shawn Landden) Date: Tue, 19 Nov 2013 13:14:07 -0800 Subject: [tomoyo-dev-en 366] [PATCH] init_policy: do not let 'systemctl daemon-reexec' confuse tomoyo Message-ID: <1384895647-9716-1-git-send-email-shawn@churchofgit.com> --- usr_lib_tomoyo/init_policy.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/usr_lib_tomoyo/init_policy.c b/usr_lib_tomoyo/init_policy.c index c0ec4b0..92fd921 100644 --- a/usr_lib_tomoyo/init_policy.c +++ b/usr_lib_tomoyo/init_policy.c @@ -306,6 +306,18 @@ static void scan_init_scripts(void) } /** + * make_systemd_exceptions - Exceptions specific to systemd + * + * Returns nothing. + */ +static void make_systemd_exceptions(void) +{ + /* when systemd restarts with a new version, it bypasses the symlink */ + fprintf(filp, "aggregator /lib/systemd/systemd /sbin/init\n" + "aggregator /usr/lib/systemd/systemd /sbin/init\n"); +} + +/** * make_init_scripts_as_aggregators - Use realpath for startup/shutdown scripts in /etc/ directory. * * Returns nothing. 
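Review bot: The new guard `if (access("/lib/systemd/systemd", X_OK) != 0)` probes only one of the two locations systemd ships in; the follow-up patch in this same thread lists `/usr/lib/systemd/systemd` as the other, so on such a host the sysvinit initializers are still emitted and the systemd branch is never taken. The check also only proves the binary is installed, not that it is the running init, so a machine that has systemd installed but boots sysvinit would silently lose the `initialize_domain` entries for its init scripts and end up with a different domain layout than the tool produces on a sysvinit-only host. Consider testing both paths, e.g. `if (access("/lib/systemd/systemd", X_OK) != 0 && access("/usr/lib/systemd/systemd", X_OK) != 0) {`, and, if the tool is expected to run on a booted system, checking for `/run/systemd/system`, which systemd creates only when it is PID 1. make_exception_policy begins and ends outside the hunk.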
@@ -831,7 +843,8 @@ static void make_exception_policy(void) make_init_dir_as_initializers(); make_initializers(); make_init_scripts_as_aggregators(); - } + } else + make_systemd_exceptions(); /* Some applications do execve("/proc/self/exe"). */ fprintf(filp, "aggregator proc:/self/exe /proc/self/exe\n"); close_file(filp, chdir_policy(), "exception_policy.tmp", -- 1.8.4.3 From shawn at churchofgit.com Wed Nov 20 06:21:35 2013 From: shawn at churchofgit.com (Shawn Landden) Date: Tue, 19 Nov 2013 13:21:35 -0800 Subject: [tomoyo-dev-en 367] [PATCH] init_policy: do not let 'systemctl daemon-reexec' confuse tomoyo Message-ID: <1384896095-9854-1-git-send-email-shawn@churchofgit.com> v2: correct exception --- usr_lib_tomoyo/init_policy.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/usr_lib_tomoyo/init_policy.c b/usr_lib_tomoyo/init_policy.c index c0ec4b0..ef61a20 100644 --- a/usr_lib_tomoyo/init_policy.c +++ b/usr_lib_tomoyo/init_policy.c @@ -306,6 +306,18 @@ static void scan_init_scripts(void) } /** + * make_systemd_exceptions - Exceptions specific to systemd + * + * Returns nothing. + */ +static void make_systemd_exceptions(void) +{ + /* allow systemd to re-execute itsself */ + fprintf(filp, "keep_domain /lib/systemd/systemd from /sbin/init\n" + "keep_domain /usr/lib/systemd/systemd from /sbin/init\n"); +} + +/** * make_init_scripts_as_aggregators - Use realpath for startup/shutdown scripts in /etc/ directory. * * Returns nothing. @@ -831,7 +843,8 @@ static void make_exception_policy(void) make_init_dir_as_initializers(); make_initializers(); make_init_scripts_as_aggregators(); - } + } else + make_systemd_exceptions(); /* Some applications do execve("/proc/self/exe"). */ fprintf(filp, "aggregator proc:/self/exe /proc/self/exe\n"); close_file(filp, chdir_policy(), "exception_policy.tmp", -- 1.8.4.3
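Review bot: The comment `/* allow systemd to re-execute itsself */` misdescribes the rule and has a typo: a `keep_domain` entry grants no permission, it only stops the re-executed binary from starting a new domain, so something like `/* 'systemctl daemon-reexec' execs the real binary directly; keep it in the <kernel> /sbin/init domain instead of spawning a child domain */` would say what the two fprintf lines actually do. Note also that this pair of rules covers both `/lib/systemd/systemd` and `/usr/lib/systemd/systemd`, whereas the `access()` test in make_exception_policy that decides whether to call this function only probes the first path, so on a system with systemd under `/usr/lib` neither rule is emitted. The `from /sbin/init` form presumably relies on `/sbin/init` being the last component of PID 1's domain name; if a distribution resolves that link differently the rule will not match, which is worth confirming before relying on it.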
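Review bot: The `} else` followed by an unbraced `make_systemd_exceptions();` is inconsistent with the braced `if` arm directly above it; kernel style, which the kernel-doc `/** ... */` headers suggest this file follows, braces both arms when either needs braces, so this should be `} else {`, `make_systemd_exceptions();`, `}`. The same shape appears in the earlier v1 hunk at `@@ -831,7 +843,8 @@` in this thread. make_exception_policy begins and ends outside the hunk.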