diff options
| author | Sangjung Woo <sangjung.woo@samsung.com> | 2015-09-23 20:41:52 +0900 |
|---|---|---|
| committer | Sangjung Woo <sangjung.woo@samsung.com> | 2015-09-23 20:41:52 +0900 |
| commit | 6bf6e43e7e214a4bd03008a91a7fc77ce6934d65 (patch) | |
| tree | 58592db7eccd4fd57476e206249a573f41f565f8 | |
| parent | dbb319464a91d2e4592bf5245bc8c08d09f43876 (diff) | |
exec: call setup_pam() after SMACK labeling
When 'SmackProcessLabel=' is used in user@.service file, all processes
launched in systemd user session should be labeled as the designated name
of 'SmackProcessLabel' directive. However, if systemd has its own smack
label using '--with-smack-run-label' configuration, '(sd-pam)' is
labeled as the specific name of '--with-smack-run-label'. If
'SmackProcessLabel=' is used in user@.service file without
'--with-smack-run-label' configuration, (sd-pam) is labeled as "_" since
systemd (i.e. pid=1) is labeled as "_".
This is mainly because setup_pam() function is called before applying
smack label to child process. This patch fixes it by calling setup_pam()
after setting the smack label.
| -rw-r--r-- | src/core/execute.c | 56 |
1 files changed, 29 insertions, 27 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index 6e14848cd4..eef2dacc54 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1592,6 +1592,35 @@ static int exec_child( umask(context->umask); +#ifdef HAVE_SMACK + if (params->apply_permissions) { + if (context->smack_process_label) { + r = mac_smack_apply_pid(0, context->smack_process_label); + if (r < 0) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + } +#ifdef SMACK_DEFAULT_PROCESS_LABEL + else { + _cleanup_free_ char *exec_label = NULL; + + r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label); + if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + + r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL); + if (r < 0) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + } + } +#endif +#endif + #ifdef HAVE_PAM if (params->apply_permissions && context->pam_name && username) { r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds); @@ -1729,33 +1758,6 @@ static int exec_child( } } -#ifdef HAVE_SMACK - if (context->smack_process_label) { - r = mac_smack_apply_pid(0, context->smack_process_label); - if (r < 0) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - } -#ifdef SMACK_DEFAULT_PROCESS_LABEL - else { - _cleanup_free_ char *exec_label = NULL; - - r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label); - if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - - r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL); - if (r < 0) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - } -#endif -#endif - if (context->user) { r = enforce_user(context, uid); if (r < 0) { |