| Message ID | 20241205133233.1738092-1-fiona.klute@gmx.de (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [BlueZ] Leave config files writable for owner | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | success | Success |
| tedd_an/BuildEll | success | Build ELL PASS |
| tedd_an/BluezMake | success | Bluez Make PASS |
| tedd_an/MakeCheck | success | Bluez Make Check PASS |
| tedd_an/MakeDistcheck | success | Make Distcheck PASS |
| tedd_an/CheckValgrind | success | Check Valgrind PASS |
| tedd_an/CheckSmatch | success | CheckSparse PASS |
| tedd_an/bluezmakeextell | success | Make External ELL PASS |
| tedd_an/ScanBuild | success | Scan Build PASS |
This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=914938 ---Test result--- Test Summary: CheckPatch PENDING 0.21 seconds GitLint PENDING 0.37 seconds BuildEll PASS 20.36 seconds BluezMake PASS 1575.41 seconds MakeCheck PASS 13.16 seconds MakeDistcheck PASS 157.64 seconds CheckValgrind PASS 212.99 seconds CheckSmatch PASS 270.97 seconds bluezmakeextell PASS 98.39 seconds IncrementalBuild PENDING 0.30 seconds ScanBuild PASS 835.62 seconds Details ############################## Test: CheckPatch - PENDING Desc: Run checkpatch.pl script Output: ############################## Test: GitLint - PENDING Desc: Run gitlint Output: ############################## Test: IncrementalBuild - PENDING Desc: Incremental build with the patches in the series Output: --- Regards, Linux Bluetooth
Hi Bastian, Emil, On Thu, Dec 5, 2024 at 8:35 AM Fiona Klute <fiona.klute@gmx.de> wrote: > > This is needed both so the owner can adjust config as needed, and for > distribution builds to be able to move/delete files as part of the > build without adjusting permissions themselves. Limiting writes from > the running service needs to be done in the systemd unit (already the > case) or init script. > > See also: https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/ > --- > Makefile.am | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/Makefile.am b/Makefile.am > index 297d0774c..29018a91c 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth > statedir = $(localstatedir)/lib/bluetooth > > bluetoothd-fix-permissions: > - install -dm555 $(DESTDIR)$(confdir) > + install -dm755 $(DESTDIR)$(confdir) > install -dm700 $(DESTDIR)$(statedir) > > if DATAFILES > -- > 2.45.2 Any comments regarding these changes, shall we also use 0755 in the systemd service?
On Thu, 2024-12-05 at 10:00 -0500, Luiz Augusto von Dentz wrote: > Hi Bastian, Emil, > > On Thu, Dec 5, 2024 at 8:35 AM Fiona Klute <fiona.klute@gmx.de> > wrote: > > > > This is needed both so the owner can adjust config as needed, and > > for > > distribution builds to be able to move/delete files as part of the > > build without adjusting permissions themselves. Limiting writes > > from > > the running service needs to be done in the systemd unit (already > > the > > case) or init script. > > > > See also: > > https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/ > > --- > > Makefile.am | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/Makefile.am b/Makefile.am > > index 297d0774c..29018a91c 100644 > > --- a/Makefile.am > > +++ b/Makefile.am > > @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth > > statedir = $(localstatedir)/lib/bluetooth > > > > bluetoothd-fix-permissions: > > - install -dm555 $(DESTDIR)$(confdir) > > + install -dm755 $(DESTDIR)$(confdir) > > install -dm700 $(DESTDIR)$(statedir) > > > > if DATAFILES > > -- > > 2.45.2 > > Any comments regarding these changes, shall we also use 0755 in the > systemd service? That's fine, although the changes are really academic, as root/the owner can write and move those files just fine, even without explicit write permissions. The point made about the stopping the running daemon from writing to /etc is on point though, which could be fixed by something like: diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in index 8ebe89bec682..ddaa9d444eed 100644 --- a/src/bluetooth.service.in +++ b/src/bluetooth.service.in @@ -15,7 +15,7 @@ LimitNPROC=1 # Filesystem lockdown ProtectHome=true -ProtectSystem=strict +ProtectSystem=full PrivateTmp=true ProtectKernelTunables=true ProtectControlGroups=true See https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem= Cheers
Am 06.12.24 um 10:46 schrieb Bastien Nocera: > On Thu, 2024-12-05 at 10:00 -0500, Luiz Augusto von Dentz wrote: >> Hi Bastian, Emil, >> >> On Thu, Dec 5, 2024 at 8:35 AM Fiona Klute <fiona.klute@gmx.de> >> wrote: >>> >>> This is needed both so the owner can adjust config as needed, and >>> for >>> distribution builds to be able to move/delete files as part of the >>> build without adjusting permissions themselves. Limiting writes >>> from >>> the running service needs to be done in the systemd unit (already >>> the >>> case) or init script. >>> >>> See also: >>> https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/ >>> --- >>> Makefile.am | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/Makefile.am b/Makefile.am >>> index 297d0774c..29018a91c 100644 >>> --- a/Makefile.am >>> +++ b/Makefile.am >>> @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth >>> statedir = $(localstatedir)/lib/bluetooth >>> >>> bluetoothd-fix-permissions: >>> - install -dm555 $(DESTDIR)$(confdir) >>> + install -dm755 $(DESTDIR)$(confdir) >>> install -dm700 $(DESTDIR)$(statedir) >>> >>> if DATAFILES >>> -- >>> 2.45.2 >> >> Any comments regarding these changes, shall we also use 0755 in the >> systemd service? > > That's fine, although the changes are really academic, as root/the > owner can write and move those files just fine, even without explicit > write permissions. With chmod, yes. A build process that expects created directories to be writable for the user running the build fails. Sure, it'd be possible to add a workaround, but it's better to fix the issue at the source. > The point made about the stopping the running daemon from writing to > /etc is on point though, which could be fixed by something like: > diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in > index 8ebe89bec682..ddaa9d444eed 100644 > --- a/src/bluetooth.service.in > +++ b/src/bluetooth.service.in > @@ -15,7 +15,7 @@ LimitNPROC=1 > > # Filesystem lockdown > ProtectHome=true > -ProtectSystem=strict > +ProtectSystem=full > PrivateTmp=true > ProtectKernelTunables=true > ProtectControlGroups=true > > See > https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem= As I understand the documentation there "strict" implies "full": > If true, mounts the /usr/ and the boot loader directories (/boot > and /efi) read-only for processes invoked by this unit. If set to > "full", the /etc/ directory is mounted read-only, too. If set to > "strict" the entire file system hierarchy is mounted read-only, > except for the API file system subtrees /dev/, /proc/ and /sys/ > (protect these directories using PrivateDevices=, > ProtectKernelTunables=, ProtectControlGroups=). So switching from strict to full would actually weaken protection, though /etc should be read-only either way. Best regard, Fiona
On Fri, 2024-12-06 at 12:53 +0100, Fiona Klute wrote: > Am 06.12.24 um 10:46 schrieb Bastien Nocera: > > On Thu, 2024-12-05 at 10:00 -0500, Luiz Augusto von Dentz wrote: > > > Hi Bastian, Emil, > > > > > > On Thu, Dec 5, 2024 at 8:35 AM Fiona Klute <fiona.klute@gmx.de> > > > wrote: > > > > > > > > This is needed both so the owner can adjust config as needed, > > > > and > > > > for > > > > distribution builds to be able to move/delete files as part of > > > > the > > > > build without adjusting permissions themselves. Limiting writes > > > > from > > > > the running service needs to be done in the systemd unit > > > > (already > > > > the > > > > case) or init script. > > > > > > > > See also: > > > > https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/ > > > > --- > > > > Makefile.am | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/Makefile.am b/Makefile.am > > > > index 297d0774c..29018a91c 100644 > > > > --- a/Makefile.am > > > > +++ b/Makefile.am > > > > @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth > > > > statedir = $(localstatedir)/lib/bluetooth > > > > > > > > bluetoothd-fix-permissions: > > > > - install -dm555 $(DESTDIR)$(confdir) > > > > + install -dm755 $(DESTDIR)$(confdir) > > > > install -dm700 $(DESTDIR)$(statedir) > > > > > > > > if DATAFILES > > > > -- > > > > 2.45.2 > > > > > > Any comments regarding these changes, shall we also use 0755 in > > > the > > > systemd service? > > > > That's fine, although the changes are really academic, as root/the > > owner can write and move those files just fine, even without > > explicit > > write permissions. > > With chmod, yes. A build process that expects created directories to > be > writable for the user running the build fails. Sure, it'd be possible > to > add a workaround, but it's better to fix the issue at the source. Please mention in the commit message that this is to fix problems with build systems that run as non-root. > > The point made about the stopping the running daemon from writing > > to > > /etc is on point though, which could be fixed by something like: > > diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in > > index 8ebe89bec682..ddaa9d444eed 100644 > > --- a/src/bluetooth.service.in > > +++ b/src/bluetooth.service.in > > @@ -15,7 +15,7 @@ LimitNPROC=1 > > > > # Filesystem lockdown > > ProtectHome=true > > -ProtectSystem=strict > > +ProtectSystem=full > > PrivateTmp=true > > ProtectKernelTunables=true > > ProtectControlGroups=true > > > > See > > https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem= > As I understand the documentation there "strict" implies "full": > > > If true, mounts the /usr/ and the boot loader directories (/boot > > and /efi) read-only for processes invoked by this unit. If set to > > "full", the /etc/ directory is mounted read-only, too. If set to > > "strict" the entire file system hierarchy is mounted read-only, > > except for the API file system subtrees /dev/, /proc/ and /sys/ > > (protect these directories using PrivateDevices=, > > ProtectKernelTunables=, ProtectControlGroups=). > > So switching from strict to full would actually weaken protection, > though /etc should be read-only either way. Right, I had that backwards.
diff --git a/Makefile.am b/Makefile.am index 297d0774c..29018a91c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth statedir = $(localstatedir)/lib/bluetooth bluetoothd-fix-permissions: - install -dm555 $(DESTDIR)$(confdir) + install -dm755 $(DESTDIR)$(confdir) install -dm700 $(DESTDIR)$(statedir) if DATAFILES