Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

core/exec: Restore SmackProcessLabel setting #7378

Merged
merged 1 commit into from Nov 21, 2017
Merged

core/exec: Restore SmackProcessLabel setting #7378

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
24 changes: 13 additions & 11 deletions src/core/execute.c
View file
Open in desktop
Expand Up @@ -3205,6 +3205,18 @@ static int exec_child(
}
}

#if ENABLE_SMACK
/* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
* process. This is the latest place before dropping capabilities. Other MAC context are set later. */
if (use_smack) {
r = setup_smack(context, command);
if (r < 0) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
}
}
#endif

bset = context->capability_bounding_set;
/* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
* our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
Expand Down Expand Up @@ -3265,7 +3277,7 @@ static int exec_child(
}

if (needs_sandboxing) {
/* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
/* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
* influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
* syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
* are restricted. */
Expand All @@ -3284,16 +3296,6 @@ static int exec_child(
}
#endif

#if ENABLE_SMACK
if (use_smack) {
r = setup_smack(context, command);
if (r < 0) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
}
}
#endif

#if HAVE_APPARMOR
if (use_apparmor && context->apparmor_profile) {
r = aa_change_onexec(context->apparmor_profile);
Expand Down