[Pkg-sysvinit-devel] Bug#440709: Bug#440709: Bug#440709: initscripts: Please mount securityfs

Henrique de Moraes Holschuh hmh at debian.org
Thu Sep 6 23:02:18 UTC 2007

On Tue, 04 Sep 2007, Michael Holzt wrote:
> > 2.6.21 tpm driver doesn't seem to provide securityfs in a non-SE-Linux box.
> > Does it depend on anything else than just loading tpm?
> I can't tell. I just observed that the code in drivers/char/tpm/tpm_bios.c
> attempts to create some securityfs files in an exported function called
> tpm_bios_log_setup. This function seems to be called from tpm.c if a real
> tpm chip was found and setup by one of the tpm chipset drivers. So I guess
> the files will only appear on a machine which contains a supported tpm 
> chip.

Like my T43, where I don't even have a securityfs in the kernel, no matter
what I do (and I do have a tpm, it is enabled, and the drivers are loaded).
I must search more for this thing, apparently... probably I need to change
some kconfig option.

> My point however: It really seems that securityfs is not specific to
> apparmor (it probably even predates apparmor) and might not be only 
> used by tpm chips but by other software (e.g. other security frameworks 
> like apparmor) as well, so it probably won't be the right solution to 
> have the mount call in the apparmor package. On the other hand it seems
> that /sys/kernel/security is present in all newer kernel versions, so 
> when using a generic mount it would get mounted on a lot of systems
> which don't use it. I'm not sure if this is a problem.
> I just don't know what would be the right solution, but maybe you do? :-)

We can just mount it.  It is like tmpfs, so we could just check if it is
available in /proc/filesystems, and if it is, mount it.  But *what* should
be the parameters for that mount command?

It should be umounted along with sysfs and procfs (i.e. last, or never).

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
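
The check described in the message above (look for securityfs in /proc/filesystems and mount it on /sys/kernel/security if present), as an added example that is not part of the original message or of the initscripts package. The function names and file-path parameters are hypothetical, and the mount options are an assumption, since the thread leaves that question open.

```shell
#!/bin/sh
# Added example: decide whether securityfs should be mounted at boot.
# Function names are hypothetical; file paths are parameters so the logic
# can be run against sample data instead of the live /proc.

# Assumption: the thread does not settle the mount options; these are
# generic VFS hardening flags, not a value taken from the thread.
SECURITYFS_OPTS="nosuid,nodev,noexec"

# fs_supported NAME [FILE]: true if the kernel lists filesystem NAME.
# /proc/filesystems lines are "nodev<TAB>name" or "<TAB>name"; match the
# last field exactly so "security" does not match "securityfs".
fs_supported() {
    awk -v fs="$1" '$NF == fs { found = 1 } END { exit !found }' \
        "${2:-/proc/filesystems}"
}

# fs_mounted_at NAME DIR [FILE]: true if NAME is already mounted on DIR.
# /proc/mounts fields: device, mount point, fstype, options, dump, pass.
fs_mounted_at() {
    awk -v fs="$1" -v dir="$2" \
        '$2 == dir && $3 == fs { found = 1 } END { exit !found }' \
        "${3:-/proc/mounts}"
}

# securityfs_action [DIR [FSFILE [MOUNTSFILE]]]: print one of
# unsupported | already-mounted | no-mountpoint | mount
securityfs_action() {
    dir="${1:-/sys/kernel/security}"
    if ! fs_supported securityfs "${2:-/proc/filesystems}"; then
        echo unsupported
    elif fs_mounted_at securityfs "$dir" "${3:-/proc/mounts}"; then
        echo already-mounted
    elif [ ! -d "$dir" ]; then
        echo no-mountpoint      # e.g. sysfs is not mounted yet
    else
        echo mount
    fi
}

# mount_securityfs: what an init script would call after sysfs is mounted.
mount_securityfs() {
    [ "$(securityfs_action)" = mount ] || return 0
    mount -t securityfs -o "$SECURITYFS_OPTS" securityfs /sys/kernel/security
}
```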