From ba056b738d407ace25e5e4a2f9c890de229bf69f Mon Sep 17 00:00:00 2001
From: Sangjung Woo <sangjung.woo@samsung.com>
Date: Tue, 8 Sep 2015 14:58:22 +0900
Subject: smack: introduce new mac_smack_copy() function

This adds a new mac_smack_copy() function in order to read the smack
label from the source and apply it to the destination.
---
 src/basic/smack-util.c | 21 +++++++++++++++++++++
 src/basic/smack-util.h |  2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)


diff --git a/src/basic/smack-util.c b/src/basic/smack-util.c
index 6d5c205117..9e221d6eab 100644
--- a/src/basic/smack-util.c
+++ b/src/basic/smack-util.c
@@ -185,6 +185,23 @@ int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
         return r;
 }
 
+int mac_smack_copy(const char *dest, const char *src) {
+        int r = 0;
+        _cleanup_free_ char *label = NULL;
+
+        assert(dest);
+        assert(src);
+
+        r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
+        if (r < 0)
+                return r;
+
+        r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
+        if (r < 0)
+                return r;
+
+        return r;
+}
 
 #else
 bool mac_smack_use(void) {
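Review bot: The `if (r < 0) return r;` after the mac_smack_apply() call is redundant, since the line that follows returns r as well; `return mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);` expresses the same thing in one line and makes the `= 0` initializer on r unnecessary. The new function also has no header comment; I would add one stating that it copies only the SMACK_ATTR_ACCESS label from src to dest and returns the negative errno of whichever of mac_smack_read() and mac_smack_apply() failed, with 0 on success. Whether mac_smack_read() returns a negative code when src carries no access label is not visible here; if it does, a caller that treats an unlabelled source as benign has to filter that code itself.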
@@ -214,4 +231,8 @@ int mac_smack_apply_pid(pid_t pid, const char *label) {
 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
         return 0;
 }
+
+int mac_smack_copy(const char *dest, const char *src) {
+        return 0;
+}
 #endif
diff --git a/src/basic/smack-util.h b/src/basic/smack-util.h
index 1052cecf4c..b3aa55eb8a 100644
--- a/src/basic/smack-util.h
+++ b/src/basic/smack-util.h
@@ -48,5 +48,5 @@ int mac_smack_read(const char *path, SmackAttr attr, char **label);
 int mac_smack_read_fd(int fd, SmackAttr attr, char **label);
 int mac_smack_apply(const char *path, SmackAttr attr, const char *label);
 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label);
-
 int mac_smack_apply_pid(pid_t pid, const char *label);
+int mac_smack_copy(const char *dest, const char *src);
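Review bot: The new declaration carries no comment, and the hunk also drops the blank line between mac_smack_apply_fd() and mac_smack_apply_pid(), an unrelated whitespace change that should stay out of a feature commit. A one-line comment above the declaration, `/* Copies the SMACK_ATTR_ACCESS label of src to dest; returns 0 when Smack support is compiled out. */`, would record the behaviour the two smack-util.c hunks implement for readers of the header alone.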
-- 


From f8c1a81c5188ca121573caeee290e39ef966e3e6 Mon Sep 17 00:00:00 2001
From: Sangjung Woo <sangjung.woo@samsung.com>
Date: Tue, 8 Sep 2015 15:09:40 +0900
Subject: smack: bugfix the smack label of symlink when
 '--with-smack-run-label' is set

Even though systemd has its own smack label since
'--with-smack-run-label' configuration is set, the smack label of each
CGROUP root directory should have the star (i.e. *) label. This is
mainly because the current Linux kernel sets the label this way.
(Refer to smack_d_instantiate() in security/smack/smack_lsm.c)

However, if systemd has its own smack label and arg_join_controllers is
explicitly set or initialized by initialize_join_controllers() function,
current systemd creates the symlink in CGROUP root directory with its
own smack label as below.

lrwxrwxrwx. 1 root root System  11 Dec 31 16:00 cpu -> cpu,cpuacct
dr-xr-xr-x. 4 root root *        0 Dec 31 16:01 cpu,cpuacct
lrwxrwxrwx. 1 root root System  11 Dec 31 16:00 cpuacct -> cpu,cpuacct

This patch fixes that bug by copying the smack label from the origin.
---
 src/core/mount-setup.c | 5 +++++
 1 file changed, 5 insertions(+)


diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index e84f80b61b..65f3d06ad0 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -303,6 +303,11 @@ int mount_cgroup_controllers(char ***join_controllers) {
                                 r = symlink(options, t);
                                 if (r < 0 && errno != EEXIST)
                                         return log_error_errno(errno, "Failed to create symlink %s: %m", t);
+#ifdef SMACK_RUN_LABEL
+                                r = mac_smack_copy(t, options);
+                                if (r < 0 && r != -EOPNOTSUPP)
+                                        return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", options, t);
+#endif
                         }
                 }
         }
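Review bot: The source handed to mac_smack_copy() on the added line is `options`, the same string that symlink() on the line above stores as the link target; if that is a relative name, as the listing in the commit message (`cpu -> cpu,cpuacct`) suggests, mac_smack_read() resolves it against the process's working directory rather than the cgroup root, so the label is read from the wrong path or the call fails with -ENOENT, which the `r != -EOPNOTSUPP` filter does not cover. Passing the absolute path the link points at (the cgroup root joined with `options`, rather than `options` itself) would make the copy independent of the cwd. A second point to confirm is whether mac_smack_apply() sets the attribute on the symlink itself or follows it; if it follows the link, the copy only relabels the already-labelled directory and the symlink keeps the run label the commit is trying to fix, so the l*xattr variant would be needed. mount_cgroup_controllers() starts and ends outside this hunk.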
-- 