diff options
| author | WaLyong Cho <walyong.cho@samsung.com> | 2014-11-24 20:46:20 +0900 |
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2014-11-27 12:34:36 -0500 |
| commit | 70a41ab58555569149041e95159862d5e6367b39 (patch) | |
| tree | 68a11b9d9db2a4a2bfd6e02ffe62634a76aeeb7b /src/shared | |
| parent | 2694f4de06f68376251138515c96a684650f0f6a (diff) | |
smack: introduce new SmackProcessLabel option
In service file, if the file has some of special SMACK label in
ExecStart= and systemd has no permission for the special SMACK label
then permission error will occurred. To resolve this, systemd should
be able to set its SMACK label to something accessible of ExecStart=.
So introduce new SmackProcessLabel. If label is specified with
SmackProcessLabel= then the child systemd will set its label to
that. To successfully execute the ExecStart=, accessible label should
be specified with SmackProcessLabel=.
Additionally, by SMACK policy, if the file in ExecStart= has no
SMACK64EXEC then the executed process will have given label by
SmackProcessLabel=. But if the file has SMACK64EXEC then the
SMACK64EXEC label will be overridden.
[zj: reword man page]
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
Diffstat (limited to 'src/shared')
| -rw-r--r-- | src/shared/smack-util.c | 20 | ||||
| -rw-r--r-- | src/shared/smack-util.h | 1 |
2 files changed, 21 insertions, 0 deletions
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c index 407a8e1aa3..992a2e3372 100644 --- a/src/shared/smack-util.c +++ b/src/shared/smack-util.c @@ -25,6 +25,7 @@ #include "util.h" #include "path-util.h" +#include "fileio.h" #include "smack-util.h" #define SMACK_FLOOR_LABEL "_" @@ -123,6 +124,25 @@ int mac_smack_apply_ip_in_fd(int fd, const char *label) { return r; } +int mac_smack_apply_pid(pid_t pid, const char *label) { + int r = 0; + const char *p; + + assert(label); + +#ifdef HAVE_SMACK + if (!mac_smack_use()) + return 0; + + p = procfs_file_alloca(pid, "attr/current"); + r = write_string_file(p, label); + if (r < 0) + return r; +#endif + + return r; +} + int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { int r = 0; diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h index 22aef5ac23..587c135308 100644 --- a/src/shared/smack-util.h +++ b/src/shared/smack-util.h @@ -29,5 +29,6 @@ int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs); int mac_smack_apply(const char *path, const char *label); int mac_smack_apply_fd(int fd, const char *label); +int mac_smack_apply_pid(pid_t pid, const char *label); int mac_smack_apply_ip_in_fd(int fd, const char *label); int mac_smack_apply_ip_out_fd(int fd, const char *label); |