642432 – sys-auth/elogind unnecessarily (or wrongly) checks for CONFIG_SECURITY_SMACK.

Bug 642432 - sys-auth/elogind unnecessarily (or wrongly) checks for CONFIG_SECURITY_SMACK.

Summary: sys-auth/elogind unnecessarily (or wrongly) checks for CONFIG_SECURITY_SMACK.

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Andreas Sturmlechner

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-12-27 19:57 UTC by Oleh
Modified:	2018-01-15 08:47 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Oleh 2017-12-27 19:57:20 UTC

As in summary. Origin of this kernel configuration check is unknown and ebuild added into tree with this check set.
Neither upstream kernel recommends it enabled,nor Debian or Fedora has this kernel option enabled in their official kernel packages, yet logind in those distribution does not seem  relying on it (otherwise it had to  be enabled in their kernels). Proposal to drop this check.

Reproducible: Always

Comment 1 Oleh 2018-01-04 10:19:55 UTC

Also, --enable-smack configure option forced in ebuild and tied with kernel option check.

Comment 2 Michael Palimaka (kensington) gentoo-dev

2018-01-04 12:29:25 UTC

CCing upstream in hopes of insight

Comment 3 Sven Eden 2018-01-10 09:18:31 UTC

(In reply to Oleg from comment #1)
> Also, --enable-smack configure option forced in ebuild and tied with kernel
> option check.

This is a left-over from the first elogind ebuilds. We simply mirrored what the systemd README recommended, and enforcing SMACK was, in hindsight, a misunderstanding of what I found in the README and configure.ac (where SMACK support was the default)

elogind should work just fine with SMACK being disabled in the kernel.

Maybe the result of kernel option check can be used for the configuration? --enable-smack does not harm if SMACK is not enabled in the kernel, but those runtime checks could be avoided.

I am currently on the last step (make cgroups2 and cgroups1/2 hybrid support available in elogind, since openrc now supports both) before I'll release version 235.

The ebuilds need some reworking anyway, so I'll update the ebuilds once the release is out, and will take the SMACK enforcement out.

Comment 4 Sven Eden 2018-01-10 09:20:34 UTC

Sorry, hit the wrong status item.

@Andreas : Is it okay for you if I take this bug?

Comment 5 Larry the Git Cow gentoo-dev

2018-01-10 10:00:39 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4821b9f6890467eb02a6e28c5619279b8f026e4f

commit 4821b9f6890467eb02a6e28c5619279b8f026e4f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-01-10 09:57:48 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-01-10 10:00:18 +0000

    sys-auth/elogind: Drop bogus SECURITY_SMACK check
    
    Closes: https://bugs.gentoo.org/642432
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 sys-auth/elogind/elogind-234.4-r1.ebuild | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Comment 6 Oleh 2018-01-14 16:27:28 UTC

ebuild still has --enable-smack configure option enabled unconditionally.

Comment 7 Sven Eden 2018-01-15 08:47:24 UTC

(In reply to Oleg from comment #6)
> ebuild still has --enable-smack configure option enabled unconditionally.

Yes, I noticed. But it is no problem.

If SMACK operations are not supported, the result would be EOPNOTSUPP, which is ignored at the relevant places.

However, an activation of this option only when it supported, *would* strip off a tiny bit of overhead.
I definitely have it on my todo list for the next version.