authorWaLyong Cho <walyong.cho@samsung.com>2015-07-28 02:55:35 +0900
committerWaLyong Cho <walyong.cho@samsung.com>2015-08-04 21:11:24 +0900
commite419a0e31089994ecd1d9019c791e63d13b37584 (patch)
tree1b7c5f8d789701d1e257b7b8b4ca1c9a3828b6ac /src/core
parent5ab58c2091636209231fc3fd5bf97f21b77deb88 (diff)
core: set default process label only exec label is none
When the command path has an access label and SmackProcessLabel= is not set, the default process label will be set. But if the default process label has no rule for the access label of the command path, a smack access error will occur. So, if the command path has an execute label, the child has to set its label to the execute label of the command path instead of the default process label.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/execute.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 21721dc240..f14ae4d8a6 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1719,7 +1719,15 @@ static int exec_child(
}
#ifdef SMACK_DEFAULT_PROCESS_LABEL
else {
- r = mac_smack_apply_pid(0, SMACK_DEFAULT_PROCESS_LABEL);
+ _cleanup_free_ char *exec_label = NULL;
+
+ r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
+ if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+
+ r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
if (r < 0) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
return r;
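Review bot: The label applied in this `else` branch now comes from an attribute read by path (`mac_smack_read(command->path, SMACK_ATTR_EXEC, ...)`), and nothing visible in the hunk ties that read to the file that is executed later, so the child's label is only as trustworthy as the binary's path and its parent directories. If those are not guaranteed to be root-owned and immutable at this point, the read should go through a descriptor that is also used for the exec; the code that performs the exec is outside the hunk, so this may already be covered elsewhere in `exec_child`. Separately, the two tolerated errors silently select the weaker default label, which deserves a comment on the check, e.g. `/* No exec label (-ENODATA) or no xattr support (-EOPNOTSUPP): fall back to SMACK_DEFAULT_PROCESS_LABEL */`. A debug log line on that fallback path would also let an operator tell which label source a unit ended up with.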