diff options
| author | WaLyong Cho <walyong.cho@samsung.com> | 2015-06-08 19:41:01 +0900 |
|---|---|---|
| committer | WaLyong Cho <walyong.cho@samsung.com> | 2015-06-22 23:44:09 +0900 |
| commit | e174dce27173396ed8034c9cfda87eb210365126 (patch) | |
| tree | c9fe8b256c739a5e88866396f3a0132e90f3a7b6 | |
| parent | 6656aefb42385b468dd96867118d049f945cbf81 (diff) | |
smack: add default smack process label config
Similar to SmackProcessLabel=, if this configuration is set, systemd
executes processes with given SMACK label. If unit has
SmackProcessLabel=, this config is overwritten.
But, do NOT be confused with SMACK64EXEC of execute file. This default
execute process label(and also label which is set by
SmackProcessLabel=) is set fork-ed process SMACK subject label and
used to access the execute file.
If the execution file has also SMACK64EXEC, finally executed process
has SMACK64EXEC subject.
While if the execution file has no SMACK64EXEC, the executed process
has label of this config(or label which is set by
SmackProcessLabel=). Because if execution file has no SMACK64EXEC then
excuted process inherits label from caller process(in this case, the
caller is systemd).
| -rw-r--r-- | configure.ac | 10 | ||||
| -rw-r--r-- | src/core/execute.c | 9 |
2 files changed, 17 insertions, 2 deletions
diff --git a/configure.ac b/configure.ac index 8b1e275d27..88b52c45fe 100644 --- a/configure.ac +++ b/configure.ac @@ -673,8 +673,14 @@ fi AC_ARG_WITH(smack-run-label, AS_HELP_STRING([--with-smack-run-label=STRING], - [run systemd --system with a specific SMACK label]), - [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run with a smack label])], + [run systemd --system itself with a specific SMACK label]), + [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run systemd itself with SMACK label])], + []) + +AC_ARG_WITH(smack-default-process-label, +AS_HELP_STRING([--with-smack-default-process-label=STRING], + [default SMACK label for executed processes]), + [AC_DEFINE_UNQUOTED(SMACK_DEFAULT_PROCESS_LABEL, ["$withval"], [Default SMACK label for executed processes])], []) if test "x${have_smack}" = xyes ; then diff --git a/src/core/execute.c b/src/core/execute.c index 94cc101738..c92db51330 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1717,6 +1717,15 @@ static int exec_child( return r; } } +#ifdef SMACK_DEFAULT_PROCESS_LABEL + else { + r = mac_smack_apply_pid(0, SMACK_DEFAULT_PROCESS_LABEL); + if (r < 0) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + } +#endif #endif if (context->user) { |