Emmanuel Vadot wrote:
Hello all,

After playing a little bit with secmodel, I've tried to authorize a user with a specific uid to reboot the system. It didn't work as I expected and the secmodel callback isn't called at all.

After looking at the code of reboot and talking about this with elad@, I see that two things just allow the root user to call /sbin/reboot:

    if (geteuid())
        errx(1, "%s", strerror(EPERM));

and

    if (kill(1, SIGTSTP) == -1)
        err(1, "SIGTSTP init");

I think that the check of the uid can be removed since we trust the secmodel.
Right.
But for the signal SIGTSTP sent to init, I don't know, and honestly I don't know what init does catching this signal :)
That one's a bit tricky. The reboot program tries to "gracefully" reboot the system by doing some things it believes it's doing as root. Since at the moment the KAUTH_SYSTEM_REBOOT action applies only to the very reboot(2) syscall, it "breaks" somewhere in the middle when trying to stop init (and later on signal all other processes).

While it may be possible to solve it with a lot of special casing, I wonder if we shouldn't just move a lot of that logic to the kernel, and add a RB_GRACEFUL to reboot(2), telling it "do all the things you used to do in userland".

Is anyone seeing possible problems taking this route? Any other ideas on how to address this?

Thanks,

-e.
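The privilege chain discussed in this thread, as an added model (not code from the thread, from reboot(8) or from the NetBSD tree): a hypothetical secmodel that grants KAUTH_SYSTEM_REBOOT to one uid, a reboot(8)-style sequence that hits the euid check and the kill(1, SIGTSTP) step before ever reaching reboot(2), and the proposed RB_GRACEFUL variant where a single kauth decision covers the whole shutdown. The action name KAUTH_PROCESS_SIGNAL is used for the kill step, and RB_GRACEFUL semantics are assumed as the thread sketches them.

```python
import errno

INIT_PID = 1
RB_GRACEFUL = 0x10000  # hypothetical flag value, not a real NetBSD constant


class Secmodel:
    """Hypothetical secmodel: root may do anything; one extra uid may reboot."""

    def __init__(self, reboot_uid):
        self.reboot_uid = reboot_uid
        self.calls = []  # every action the callback was asked about

    def authorize(self, cred_uid, action):
        self.calls.append(action)
        if cred_uid == 0:
            return True
        if action == "KAUTH_SYSTEM_REBOOT":
            return cred_uid == self.reboot_uid
        return False  # signalling init, etc. stays root-only


def kill_init(cred_uid, model):
    """kill(1, SIGTSTP): gated by the process-signal action, not by reboot."""
    return 0 if model.authorize(cred_uid, "KAUTH_PROCESS_SIGNAL") else errno.EPERM


def sys_reboot(cred_uid, howto, model):
    """reboot(2): the only step the thread says KAUTH_SYSTEM_REBOOT covers."""
    return 0 if model.authorize(cred_uid, "KAUTH_SYSTEM_REBOOT") else errno.EPERM


def reboot_userland(cred_uid, model, euid_check=True):
    """reboot(8) as quoted above; returns the step that failed, or 'rebooted'."""
    if euid_check and cred_uid != 0:
        return "geteuid"              # secmodel never consulted at all
    if kill_init(cred_uid, model) != 0:
        return "kill(1, SIGTSTP)"     # breaks in the middle, before reboot(2)
    # ... signalling all other processes would fail the same way ...
    if sys_reboot(cred_uid, 0, model) != 0:
        return "reboot(2)"
    return "rebooted"


def reboot_graceful_in_kernel(cred_uid, model):
    """Proposed RB_GRACEFUL: one kauth check, kernel stops init and signals the rest."""
    if sys_reboot(cred_uid, RB_GRACEFUL, model) != 0:
        return "reboot(2)"
    return "rebooted"
```

With the euid check in place the secmodel callback is never reached (`model.calls` stays empty), which matches the symptom reported at the top of the thread; removing only that check moves the failure to the kill step.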