From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <vt@altlinux.org>
Date: Wed, 6 Aug 2025 17:06:06 +0300
From: Vitaly Chikunov <vt@altlinux.org>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Message-ID: <7w3xdokeyyfvo3pa5ohukt3hch@altlinux.org>
References: <cover.1754485062.git.mcpain@altlinux.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <cover.1754485062.git.mcpain@altlinux.org>
Subject: Re: [d-kernel] [PATCH 0/2] Kiosk: turn off secureexec for allowed
 executables
X-BeenThere: devel-kernel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux kernel packages development
 <devel-kernel@lists.altlinux.org>
List-Id: ALT Linux kernel packages development
 <devel-kernel.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/devel-kernel>
List-Post: <mailto:devel-kernel@lists.altlinux.org>
List-Help: <mailto:devel-kernel-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/devel-kernel>,
 <mailto:devel-kernel-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2025 14:06:06 -0000
Archived-At: <http://lore.altlinux.org/devel-kernel/7w3xdokeyyfvo3pa5ohukt3hch@altlinux.org/>
List-Archive: <http://lore.altlinux.org/devel-kernel/>
List-Post: <mailto:devel-kernel@altlinux.org>

Oleg,

On Wed, Aug 06, 2025 at 04:18:21PM +0300, mcpain@altlinux.org wrote:
> From: Oleg Solovyov <mcpain@altlinux.org>
> 
> Modern desktop environments tends to become incompatible with kiosk.
> KDE works so far but systemd unit fails to launch [1]
> GNOME breaks fatally [2]
> 
> This happens because /lib/systemd/systemd uses secure_getenv() to get
> environment variables and receives NULL since secureexec is enforced by
> Kiosk LSM.
> 
> Since I am uncertain what else is to be replaced with getenv() in
> systemd and how much things it will break in future I chose to allow
> running those executables without setting up secureexec.

Не написано кто, планируется, что уберет secureexec флаг, это было бы
полезно знать для понимания замысла/контекста.

Thanks,


> 
> By default, secureexec is set unless explicitly told not to do so.
> 
> [1] https://bugzilla.altlinux.org/55130
> [2] https://bugzilla.altlinux.org/55518
> 
> Oleg Solovyov (2):
>   kiosk: split kiosk_nl_send_*
>   kiosk: add secureexec parameter
> 
>  security/kiosk/kiosk_lsm.c | 59 ++++++++++++++++++++++++++++++++++----
>  1 file changed, 54 insertions(+), 5 deletions(-)
> 
> -- 
> 2.50.1
> 
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel