I have a binary program that creates an empty folder in my HOME directory every time it starts. I don't like this and want to use the SMACK mechanism to stop it from doing so. My idea is to label the HOME directory with the tag HOME, label the program's process with the tag NoWriteHome, and then write three SMACK rules:
$ sudo setfattr -n security.SMACK64 -v 'HOME' "/home/${USER}"
$ sudo setfattr -n security.SMACK64EXEC -v 'NoWriteHome' "${PATH_TO_EXECUTABLE}"
$ cat <<'EOF' | sudo tee /sys/fs/smackfs/load2
> _ HOME rwxat
> NoWriteHome _ rwxat
> NoWriteHome HOME r-x--
> EOF
I did an experiment with /usr/bin/bash, and it behaved as expected:
$ cd
$ touch a
touch: cannot touch 'a': Permission denied
But the program fails at startup while loading its shared libraries:
$ (
> export QT_PLUGIN_PATH="/opt/Wolfram/WolframEngine/14.0/SystemFiles/Libraries/Linux-x86-64/Qt/plugins/"
> export LD_LIBRARY_PATH="/opt/Wolfram/WolframEngine/14.0/SystemFiles/Libraries/Linux-x86-64:/opt/Wolfram/WolframEngine/14.0/SystemFiles/Libraries/Linux-x86-64/Qt/lib"
> export PATH="/opt/Wolfram/WolframEngine/14.0/Executables:${PATH}"
> export ESPEAK_DATA="/opt/Wolfram/WolframEngine/14.0/SystemFiles/FrontEnd/SystemResources/X/espeak-data"
> /opt/Wolfram/WolframEngine/14.0/SystemFiles/FrontEnd/Binaries/Linux-x86-64/WolframPlayer -topDirectory /opt/Wolfram/WolframEngine/14.0
> )
/opt/Wolfram/WolframEngine/14.0/SystemFiles/FrontEnd/Binaries/Linux-x86-64/WolframPlayer: error while loading shared libraries: libML64i4.so: cannot open shared object file: No such file or directory
Does anyone know why access to the library file is denied? Is there something wrong with my SMACK rules?
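The following is an added example, not code from the post: a small Python model of the SMACK access decision that lets you dry-run a rule set such as the three rules above before writing it to /sys/fs/smackfs/load2. It applies the kernel's fixed checks in the order smk_access() uses them (a `*` subject gets nothing, a `*` object is open to everyone, same label always passes, a `_` floor object and a `^` hat subject pass for read/execute only) and only then consults the loaded rules. The labels HOME, NoWriteHome and `_` come from the post; the label `Other` and the case names are constructed for illustration.

```python
"""Dry-run model of the SMACK access check (added example, not from the post)."""

STAR, FLOOR, HAT = "*", "_", "^"
ACCESS_MODES = set("rwxatbl")  # mode letters accepted in /sys/fs/smackfs/load2

# The three rules from the post, in load2 format ('-' is a no-access placeholder).
POST_RULES = """\
_ HOME rwxat
NoWriteHome _ rwxat
NoWriteHome HOME r-x--
"""


def parse_load2(text):
    """Parse load2-style rule lines into {(subject, object): set(modes)}."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'subject object access', got {line!r}")
        subject, obj, access = fields
        unknown = set(access) - ACCESS_MODES - {"-"}
        if unknown:
            raise ValueError(f"line {lineno}: unknown access letters {sorted(unknown)}")
        # A later line for the same pair replaces the earlier one, as load2 does.
        rules[(subject, obj)] = {c for c in access if c in ACCESS_MODES}
    return rules


def smack_access(rules, subject, obj, request):
    """Return (allowed, reason) following the kernel's fixed checks, then the rule set."""
    req = set(request)
    if not req or not req <= ACCESS_MODES:
        raise ValueError(f"bad request {request!r}")
    if subject == STAR:
        return False, "a '*' subject can access nothing"
    if obj == STAR:
        return True, "a '*' object can be accessed by any subject"
    if subject == obj:
        return True, "subject and object carry the same label"
    if req <= {"r", "x"}:  # only pure read/execute requests get these two shortcuts
        if obj == FLOOR:
            return True, "anyone may read/execute a '_' (floor) object"
        if subject == HAT:
            return True, "a '^' (hat) subject may read/execute anything"
    granted = rules.get((subject, obj), set())
    if req <= granted:
        return True, f"explicit rule '{subject} {obj} {''.join(sorted(granted))}'"
    return False, f"no rule grants {''.join(sorted(req))} for {subject} -> {obj}"


# Requests worth checking against the post's rules. 'Other' is a constructed label
# standing for any file label that is neither '_', '*' nor the subject's own.
CASES = {
    "touch a file in HOME":        ("NoWriteHome", "HOME", "w"),
    "list / traverse HOME":        ("NoWriteHome", "HOME", "rx"),
    "read+map an unlabeled lib":   ("NoWriteHome", FLOOR, "rx"),
    "write an unlabeled file":     ("NoWriteHome", FLOOR, "w"),
    "floor task writes into HOME": (FLOOR, "HOME", "w"),
    "read a lib labeled Other":    ("NoWriteHome", "Other", "rx"),
}


def evaluate_cases(rules, cases=CASES):
    """Map each case name to (allowed, reason)."""
    return {name: smack_access(rules, *args) for name, args in cases.items()}


def check_post_rules():
    """Booleans only, for the post's rule set: convenient for scripting and tests."""
    return {name: ok for name, (ok, _) in evaluate_cases(parse_load2(POST_RULES)).items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_cases(parse_load2(POST_RULES)).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name:30} {why}")
```

The model only answers what the rule set would do for a given pair of labels; to apply it to a real failure you still have to read the labels that are actually present, for example `getfattr -n security.SMACK64 <file>` for each library and directory on the search path and `cat /proc/<pid>/attr/current` for the running process, and feed those into `smack_access`.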