diff options
| author | WaLyong Cho <walyong.cho@samsung.com> | 2015-07-28 02:55:35 +0900 |
|---|---|---|
| committer | WaLyong Cho <walyong.cho@samsung.com> | 2015-08-04 21:11:24 +0900 |
| commit | e419a0e31089994ecd1d9019c791e63d13b37584 (patch) | |
| tree | 1b7c5f8d789701d1e257b7b8b4ca1c9a3828b6ac | |
| parent | 5ab58c2091636209231fc3fd5bf97f21b77deb88 (diff) | |
core: set default process label only exec label is none
When command path has access label and no SmackProcessLabel= is not
set, default process label will be set. But if the default process
label has no rule for the access label of the command path then smack
access error will be occurred.
So, if the command path has execute label then the child have to set
its label to the same of execute label of command path instead of
default process label.
| -rw-r--r-- | src/core/execute.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index 21721dc240..f14ae4d8a6 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1719,7 +1719,15 @@ static int exec_child( } #ifdef SMACK_DEFAULT_PROCESS_LABEL else { - r = mac_smack_apply_pid(0, SMACK_DEFAULT_PROCESS_LABEL); + _cleanup_free_ char *exec_label = NULL; + + r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label); + if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + + r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL); if (r < 0) { *exit_status = EXIT_SMACK_PROCESS_LABEL; return r; |