'Re: [smf-discuss] smf manifest questions for a new daemon'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       opensolaris-smf-discuss
Subject:    Re: [smf-discuss] smf manifest questions for a new daemon
From:       Michael Corcoran <Michael.Corcoran () Sun ! COM>
Date:       2009-11-24 20:25:27
Message-ID: E0E67711-5CB7-4C0E-A50E-185673BD5AEF () Sun ! COM
[Download RAW message or body]

Hi Tony and others,

I've attached the latest versions with the auths and method context.   
One question I do have is about updating prof_attr.  Are there any  
rules surrounding how to update this file?  Currently I've added  
solaris.sfm.manage.acpihpd to the "Maintenance and Repair" profile  
since it makes sense there but I could also create a separate profile  
just for this daemon and then also include it in "Maintenance and  
Repair".  It seems odd to make a profile just for this one daemon.

I'd appreciate it if you could take a look.


["acpihpd.xml;" (application/xml)]

Thanks,

Mike

On Nov 22, 2009, at 10:21 PM, Tony Nguyen wrote:

> Mike,
> 
> I had a look but the manifest contains neither the recommended  
> authorization properties nor method context. I'd be happy to review  
> once the team figure out the security model and implement the  
> authorization properties and method context.
> 
> -tony
> 
> Michael Corcoran wrote:
> > Tony,
> > 
> > I did include the manifest in my last email :)  \
> > http://opensolaris.org/jive/thread.jspa?threadID=118317&tstart=0  is the thread \
> > on opensolaris.org. 
> > --Mike
> > 
> > On Nov 20, 2009, at 5:07 PM, Tony Nguyen wrote:
> > 
> > > Michael Corcoran wrote:
> > > > Thanks for the help Alan, comments inline below.
> > > > --Mike
> > > > On Nov 20, 2009, at 1:52 AM, Alan Maguire wrote:
> > > > > hi Mike
> > > > > 
> > > > > Michael E. Corcoran wrote:
> > > > > > Hi All,
> > > > > > 
> > > > > > I'm working on a project where we have a new daemon that we  
> > > > > > want controlled by smf to support a specific hardware feature  
> > > > > > for a given platform.  What we'd like would be to have this  
> > > > > > daemon start automatically and thus have it enabled by default,  
> > > > > > but this goes against the info at \
> > > > > > http://hub.opensolaris.org/bin/view/Community+Group+arc/SMF-policy 
> > > > > > "Services must be delivered (by manifest or programatically)  
> > > > > > disabled by default to align with Sun's security goals.  
> > > > > > Projects impacted by Appendix C, must consult with the ARC to  
> > > > > > determine if this aspect of the policy is applicable."
> > > > > > 
> > > > > > 
> > > > > The usual approach here is to have the service disabled by  
> > > > > default in
> > > > > the manifest but to specify that it is to be enabled in one of  
> > > > > the profiles
> > > > > specified in /var/svc/profile.
> > > > Great.  this makes sense.
> > > > > These consist of customizations that are
> > > > > activated in particular scenarios. You'd want to add
> > > > > 
> > > > > <service name='mysvc' version='1' type='service'>
> > > > > <instance name='default' enabled='true'/>
> > > > > </service>
> > > > > 
> > > > > The question is which profile to add this to - there are  
> > > > > platform-specific
> > > > > profiles already, see usr/src/cmd/svc/profile in the ON gate for
> > > > > examples. You probably want to add it to one of these.
> > > > So how do these profiles get activated on a specific machine?  It  
> > > > looks like we'll have to make a platform_i86pc.xml since none  
> > > > currently exists.
> > > 
> > > On every boot, system/manifest-import applies a couple of system  
> > > profiles, platform is one of these profiles. For specifics, see  
> > > section 3 of /lib/svc/method/manifest-import. For x86 machines,  
> > > the current platform profile is a symlink to platform_none.xml  
> > > thus a new platform_i86pc.xml for x86 machine is reasonable.
> > > 
> > > > > 
> > > > > > Our plan was to have it enabled by default on all x86 platforms  
> > > > > > and then have it exit and disable itself if it determines that  
> > > > > > hardware does not support this specific feature.  So I'm  
> > > > > > assuming we need to go to PSARC to figure out if this approach  
> > > > > > is acceptable or is there a different ARC we'd be going to?
> > > > > > 
> > > > > > 
> > > > > > I'm also unclear about
> > > > > > "Services must include an appropriate RBAC profile and set of  
> > > > > > authorizations for manipulating the service and its specific  
> > > > > > configuration."
> > > > > > 
> > > > > > If our service has no configuration, then I think we don't need  
> > > > > > the above.  Is that correct?
> > > > > > 
> > > > > > 
> > > > > There's two parts to this - manipulations of state and  
> > > > > manipulations
> > > > > of configuration. You'd probably want an solaris.smf.manage  
> > > > > profile
> > > > > which specifies auths needed to change state (i.e. to enable/ 
> > > > > disable).
> > > > > This is done by adding the following to the manifest:
> > > > > 
> > > > > <property_group name='general' type='framework'>
> > > > > <!-- to start stop my service -->
> > > > > <propval name='action_authorization' type='astring'
> > > > > value='solaris.smf.manage.mysvc' />
> > > > > <propval name='value_authorization' type='astring'
> > > > > value='solaris.smf.manage.mysvc' />
> > > > > </property_group>
> > > > Can you point me at an example of such a profile?  It's not clear  
> > > > to me what solaris.smf.manage.mysvc would look like.  I'm  
> > > > guessing that it's just adding info to /etc/security/prof_attr  
> > > > and /etc/security/exec_attr as described in the privilege  
> > > > debugging doc on opensolaris.org.
> > > 
> > > I believe you need to define a new auth in /etc/security/auth_attr  
> > > and optionally associate that auth to a profile in /etc/security/ 
> > > prof_attr. The service manifest uses the new auth to declare the  
> > > service's required authorization. See /var/svc/manifest/network/ 
> > > smtp-sendmail.xml for example.
> > > 
> > > > Also, I'm assuming that I want this to be user daemon so how does  
> > > > that play into all of this?
> > > 
> > > See Method Context section under smf_method(5) on setting  
> > > privileges for the service daemon.
> > > 
> > > With respect to manifest reviewing, I'm sure one of us will have a  
> > > look    if you send to this alias :)
> > > 
> > > cheers,
> > > -tony
> > 
> 



_______________________________________________
smf-discuss mailing list
smf-discuss@opensolaris.org

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic