tech-kern archive


Re: /sbin/reboot and secmodel



Emmanuel Vadot wrote:
> Hello all,
>
> After playing a little bit with secmodel, I've tried to authorize a user with a specific uid to reboot the system.
> It didn't work as I expected and the secmodel callback isn't called at all.
> After looking at the code of reboot and talking about this with elad@, I see that two things just allow the root user to call /sbin/reboot:
>
>         if (geteuid())
>                 errx(1, "%s", strerror(EPERM));
>
> and
>
>         if (kill(1, SIGTSTP) == -1)
>                 err(1, "SIGTSTP init");
>
> I think that the check of the uid can be removed since we trust the secmodel.

Right.

> But for the signal SIGTSTP sent to init, I don't know, and honestly I don't know what init does when catching this signal :)

That one's a bit tricky. The reboot program tries to "gracefully" reboot
the system by doing some things it believes it's doing as root. Since at
the moment the KAUTH_SYSTEM_REBOOT action applies only to the very
reboot(2) syscall, it "breaks" somewhere in the middle when trying to
stop init (and later on signal all other processes).

While it may be possible to solve it with a lot of special casing, I
wonder if we shouldn't just move a lot of that logic to the kernel, and
add a RB_GRACEFUL to reboot(2), telling it "do all the things you used
to do in userland".

Is anyone seeing possible problems taking this route? Any other ideas on
how to address this?

Thanks,

-e.

