From 6bf6e43e7e214a4bd03008a91a7fc77ce6934d65 Mon Sep 17 00:00:00 2001
From: Sangjung Woo
Date: Wed, 23 Sep 2015 20:41:52 +0900
Subject: exec: call setup_pam() after SMACK labeling

When 'SmackProcessLabel=' is used in user@.service file, all processes launched in systemd user session should be labeled as the designated name of 'SmackProcessLabel' directive. However, if systemd has its own smack label using '--with-smack-run-label' configuration, '(sd-pam)' is labeled as the specific name of '--with-smack-run-label'. If 'SmackProcessLabel=' is used in user@.service file without '--with-smack-run-label' configuration, (sd-pam) is labeled as "_" since systemd (i.e. pid=1) is labeled as "_". This is mainly because setup_pam() function is called before applying smack label to child process. This patch fixes it by calling setup_pam() after setting the smack label.
---
 src/core/execute.c | 56 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 29 insertions(+), 27 deletions(-)

(limited to 'src/core')

diff --git a/src/core/execute.c b/src/core/execute.c
index 6e14848cd4..eef2dacc54 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1592,6 +1592,35 @@ static int exec_child(
 
 umask(context->umask);
 
+#ifdef HAVE_SMACK
+ if (params->apply_permissions) {
+ if (context->smack_process_label) {
+ r = mac_smack_apply_pid(0, context->smack_process_label);
+ if (r < 0) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+ }
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+ else {
+ _cleanup_free_ char *exec_label = NULL;
+
+ r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
+ if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+
+ r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
+ if (r < 0) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+ }
+ }
+#endif
+#endif
+
 #ifdef HAVE_PAM
 if (params->apply_permissions && context->pam_name && username) {
 r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
@@ -1729,33 +1758,6 @@ static int exec_child(
 }
 }
 
-#ifdef HAVE_SMACK
- if (context->smack_process_label) {
- r = mac_smack_apply_pid(0, context->smack_process_label);
- if (r < 0) {
- *exit_status = EXIT_SMACK_PROCESS_LABEL;
- return r;
- }
- }
-#ifdef SMACK_DEFAULT_PROCESS_LABEL
- else {
- _cleanup_free_ char *exec_label = NULL;
-
- r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
- if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
- *exit_status = EXIT_SMACK_PROCESS_LABEL;
- return r;
- }
-
- r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
- if (r < 0) {
- *exit_status = EXIT_SMACK_PROCESS_LABEL;
- return r;
- }
- }
-#endif
-#endif
-
 if (context->user) {
 r = enforce_user(context, uid);
 if (r < 0) {
-- 
cgit v1.2.3-54-g00ecf

From b213e1c11d5a383faf5c456a31389d5c0c0f039b Mon Sep 17 00:00:00 2001
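Review bot: In the first hunk, the `}` that closes `if (params->apply_permissions) {` sits inside `#ifdef SMACK_DEFAULT_PROCESS_LABEL`, just before the two `#endif` lines, so a build with HAVE_SMACK defined and SMACK_DEFAULT_PROCESS_LABEL undefined is left with an unbalanced brace in exec_child(). Move that brace below the inner `#endif` so the block closes in both configurations, i.e. end the section with `#endif`, `}`, `#endif`. The next patch in this series drops the brace while merging the blocks, but this commit taken alone (for example during a bisect) would not compile in that configuration, and the SMACK labeling path is not something to leave dependent on an accidental brace match. exec_child() starts and ends outside the hunk.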
From: Sangjung Woo
Date: Wed, 23 Sep 2015 20:53:09 +0900
Subject: exec: move mac_smack_apply_pid() and setup_pam() to same condition block

This cleans up exec_child() function by moving mac_smack_apply_pid() and setup_pam() to the same condition block, since both of them have the same condition (i.e params->apply_permissions). It improves readability without changing its operation.
---
 src/core/execute.c | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

(limited to 'src/core')

diff --git a/src/core/execute.c b/src/core/execute.c
index eef2dacc54..a7e2362236 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1582,18 +1582,15 @@ static int exec_child(
 }
 }
 
+ umask(context->umask);
+
 if (params->apply_permissions) {
 r = enforce_groups(context, username, gid);
 if (r < 0) {
 *exit_status = EXIT_GROUP;
 return r;
 }
- }
-
- umask(context->umask);
-
 #ifdef HAVE_SMACK
- if (params->apply_permissions) {
 if (context->smack_process_label) {
 r = mac_smack_apply_pid(0, context->smack_process_label);
 if (r < 0) {
@@ -1617,19 +1614,18 @@ static int exec_child(
 return r;
 }
 }
- }
 #endif
 #endif
-
 #ifdef HAVE_PAM
- if (params->apply_permissions && context->pam_name && username) {
- r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
- if (r < 0) {
- *exit_status = EXIT_PAM;
- return r;
+ if (context->pam_name && username) {
+ r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
+ if (r < 0) {
+ *exit_status = EXIT_PAM;
+ return r;
+ }
 }
- }
 #endif
+ }
 
 if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
 r = setup_netns(runtime->netns_storage_socket);
-- 
cgit v1.2.3-54-g00ecf
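Review bot: Nothing in the merged block of the second hunk records that the SMACK label has to be applied before setup_pam(), so a later reordering inside `if (params->apply_permissions)` could quietly bring back the mislabeled (sd-pam) process that the previous patch fixed. A comment above `#ifdef HAVE_PAM` would pin the ordering down, for example `/* The SMACK label must be set before setup_pam() so that the (sd-pam) process is labeled too. */`. Separately, the `}` removed before the two `#endif` lines was inside `#ifdef SMACK_DEFAULT_PROCESS_LABEL`, so this patch does change what compiles when that macro is undefined, which the description's "without changing its operation" leaves out. exec_child() starts and ends outside the hunk.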