systemd/0003-journald-add-CAP_MAC_OVERRIDE-in-journald-for-SMACK-.patch

42 lines
1.8 KiB
Diff
Raw Normal View History

From f2a474aea8f82fa9b695515d4590f4f3398358a7 Mon Sep 17 00:00:00 2001
From: Juho Son <juho80.son@samsung.com>
Date: Thu, 11 Sep 2014 16:06:38 +0900
Subject: [PATCH] journald: add CAP_MAC_OVERRIDE in journald for SMACK issue
systemd-journald check the cgroup id to support rate limit option for
every messages. so journald should be available to access cgroup node in
each process send messages to journald.
In system using SMACK, cgroup node in proc is assigned execute label
as each process's execute label.
so if journald don't want to denied for every process, journald
should have all of access rule for all process's label.
It's too heavy. so we could give special smack label for journald te get
all accesses's permission.
'^' label.
When assign '^' execute smack label to systemd-journald,
systemd-journald need to add CAP_MAC_OVERRIDE capability to get that smack privilege.
so I want to notice this information and set default capability to
journald whether system use SMACK or not.
because that capability affect to only smack enabled kernel
---
units/systemd-journald.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git units/systemd-journald.service.in units/systemd-journald.service.in
index 7013979..4de38fa 100644
--- units/systemd-journald.service.in
+++ units/systemd-journald.service.in
@@ -20,7 +20,7 @@ Restart=always
RestartSec=0
NotifyAccess=all
StandardOutput=null
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
WatchdogSec=1min
# Increase the default a bit in order to allow many simultaneous
--
1.7.9.2