summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSangjung Woo <sangjung.woo@samsung.com>2015-09-23 20:41:52 +0900
committerSangjung Woo <sangjung.woo@samsung.com>2015-09-23 20:41:52 +0900
commit6bf6e43e7e214a4bd03008a91a7fc77ce6934d65 (patch)
tree58592db7eccd4fd57476e206249a573f41f565f8
parentdbb319464a91d2e4592bf5245bc8c08d09f43876 (diff)
exec: call setup_pam() after SMACK labeling
When 'SmackProcessLabel=' is used in user@.service file, all processes launched in systemd user session should be labeled as the designated name of 'SmackProcessLabel' directive. However, if systemd has its own smack label using '--with-smack-run-label' configuration, '(sd-pam)' is labeled as the specific name of '--with-smack-run-label'. If 'SmackProcessLabel=' is used in user@.service file without '--with-smack-run-label' configuration, (sd-pam) is labeled as "_" since systemd (i.e. pid=1) is labeled as "_". This is mainly because setup_pam() function is called before applying smack label to child process. This patch fixes it by calling setup_pam() after setting the smack label.
-rw-r--r--src/core/execute.c56
1 files changed, 29 insertions, 27 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 6e14848cd4..eef2dacc54 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1592,6 +1592,35 @@ static int exec_child(
umask(context->umask);
+#ifdef HAVE_SMACK
+ if (params->apply_permissions) {
+ if (context->smack_process_label) {
+ r = mac_smack_apply_pid(0, context->smack_process_label);
+ if (r < 0) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+ }
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+ else {
+ _cleanup_free_ char *exec_label = NULL;
+
+ r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
+ if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+
+ r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
+ if (r < 0) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+ }
+ }
+#endif
+#endif
+
#ifdef HAVE_PAM
if (params->apply_permissions && context->pam_name && username) {
r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
@@ -1729,33 +1758,6 @@ static int exec_child(
}
}
-#ifdef HAVE_SMACK
- if (context->smack_process_label) {
- r = mac_smack_apply_pid(0, context->smack_process_label);
- if (r < 0) {
- *exit_status = EXIT_SMACK_PROCESS_LABEL;
- return r;
- }
- }
-#ifdef SMACK_DEFAULT_PROCESS_LABEL
- else {
- _cleanup_free_ char *exec_label = NULL;
-
- r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
- if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
- *exit_status = EXIT_SMACK_PROCESS_LABEL;
- return r;
- }
-
- r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
- if (r < 0) {
- *exit_status = EXIT_SMACK_PROCESS_LABEL;
- return r;
- }
- }
-#endif
-#endif
-
if (context->user) {
r = enforce_user(context, uid);
if (r < 0) {