Change /usr/bin/crash-worker Smack label to floor (_)

This change is needed after kernel started launching processes
using usermodehelper process. Usermodehelper runs with normal
privileges (Smack floor label) all normal policies apply to it.
Thus, in order for it to launch crash-worker it either needs to
have same label or there exists rule that allows given transition.

Adding rule allowing _ to execute System would break Tizen policy
so the other option is to change crash-worker label to _, which
is what this commit does.

There should be no adverse affects of this patch as crash-worker
is already only allowed to be executed by root:crash_worker uids:gids.

Ref: https://lore.kernel.org/all/20220607165003.871993847@linuxfoundation.org/

Change-Id: I805d263fec72b491d0fc0915413d2c3bdded91ab
Reported-by: Sunghun Kim <sfoon.kim@samsung.com>

diff --git a/packaging/crash-worker.manifest b/packaging/crash-worker.manifest
index 3be60c0..05d5a25 100644 (file)
--- a/packaging/crash-worker.manifest
+++ b/packaging/crash-worker.manifest
@@ -4,7 +4,7 @@
        </request>
        <assign>
                <filesystem path="/usr/bin/dump_systemstate" label="System" exec_label="System"/>
-               <filesystem path="/usr/bin/crash-manager" label="System" exec_label="System::Privileged"/>
+               <filesystem path="/usr/bin/crash-manager" label="_" exec_label="System::Privileged"/>
 
                <filesystem path="/usr/libexec/crash-worker/system-tests/full_core/full_core.sh" label="User::Shell" exec_label="User::Shell"/>
                <filesystem path="/usr/libexec/crash-worker/system-tests/check_minicore_mem/check_minicore_mem.sh" label="User::Shell" exec_label="User::Shell"/>