From: mcpain@altlinux.org
To: devel-kernel@lists.altlinux.org
Date: Wed, 6 Aug 2025 16:18:21 +0300
Subject: [d-kernel] [PATCH 0/2] Kiosk: turn off secureexec for allowed executables

From: Oleg Solovyov

Modern desktop environments tend to become incompatible with kiosk.
KDE works so far but systemd unit fails to launch [1]
GNOME breaks fatally [2]

This happens because /lib/systemd/systemd uses secure_getenv() to get
environment variables and receives NULL since secureexec is enforced by
Kiosk LSM.

Since I am uncertain what else is to be replaced with getenv() in systemd
and how many things it will break in the future I chose to allow running
those executables without setting up secureexec.

By default, secureexec is set unless explicitly told not to do so.

[1] https://bugzilla.altlinux.org/55130
[2] https://bugzilla.altlinux.org/55518

Oleg Solovyov (2):
  kiosk: split kiosk_nl_send_*
  kiosk: add secureexec parameter

 security/kiosk/kiosk_lsm.c | 59 ++++++++++++++++++++++++++++++++++----
 1 file changed, 54 insertions(+), 5 deletions(-)

-- 
2.50.1
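
The failure mode described in the cover letter can be confirmed from user space with a small probe. This is an added example, not code from the patch series or from systemd; the helper names (env_probe, probe_env, hidden_by_secureexec) and the list of variables checked are assumptions chosen for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* secure_getenv() is a GNU extension */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>

/* Repeated so the block builds even if _GNU_SOURCE took effect too late. */
extern char *secure_getenv(const char *name);

struct env_probe {
    unsigned long at_secure;   /* AT_SECURE entry of the auxiliary vector */
    const char *plain;         /* what getenv() returns */
    const char *secure;        /* what secure_getenv() returns */
};

/* Look one variable up both ways and record the exec-time secure flag. */
static struct env_probe probe_env(const char *name)
{
    struct env_probe p;

    p.at_secure = getauxval(AT_SECURE);
    p.plain = getenv(name);
    p.secure = secure_getenv(name);
    return p;
}

/* 1 when the variable is set but invisible to secure_getenv() callers. */
static int hidden_by_secureexec(const struct env_probe *p)
{
    return p->plain != NULL && p->secure == NULL;
}

int main(void)
{
    /* Sample variable names (assumption), not taken from the bug reports. */
    static const char *names[] = { "XDG_RUNTIME_DIR", "DBUS_SESSION_BUS_ADDRESS", "HOME" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        struct env_probe p = probe_env(names[i]);
        printf("AT_SECURE=%lu %-26s getenv=%s secure_getenv=%s%s\n",
               p.at_secure, names[i], p.plain ? "set" : "unset",
               p.secure ? "set" : "NULL",
               hidden_by_secureexec(&p) ? "  <-- hidden" : "");
    }
    return 0;
}
```

The result is only meaningful when the binary is started the same way as the failing program: a non-zero AT_SECURE together with "hidden" variables matches the behaviour the cover letter attributes to enforced secureexec.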