logind: mount per-user tmpfs with 'smackfsroot=*' for smack enabled systems

diff --git a/src/login/logind-user.c b/src/login/logind-user.c
index d48eca4..3847496 100644 (file)
--- a/src/login/logind-user.c
+++ b/src/login/logind-user.c
@@ -37,6 +37,7 @@
 #include "conf-parser.h"
 #include "clean-ipc.h"
 #include "logind-user.h"
+#include "smack-util.h"
 
 User* user_new(Manager *m, uid_t uid, gid_t gid, const char *name) {
         User *u;
@@ -325,7 +326,12 @@ static int user_mkdir_runtime_path(User *u) {
 
                 mkdir(p, 0700);
 
-                if (asprintf(&t, "mode=0700,uid=" UID_FMT ",gid=" GID_FMT ",size=%zu", u->uid, u->gid, u->manager->runtime_dir_size) < 0) {
+                if (use_smack())
+                        r = asprintf(&t, "mode=0700,smackfsroot=*,uid=" UID_FMT ",gid=" GID_FMT ",size=%zu", u->uid, u->gid, u->manager->runtime_dir_size);
+                else
+                        r = asprintf(&t, "mode=0700,uid=" UID_FMT ",gid=" GID_FMT ",size=%zu", u->uid, u->gid, u->manager->runtime_dir_size);
+
+                if (r < 0) {
                         r = log_oom();
                         goto fail;
                 }

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index c6cbd1c..f087e99 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -23,7 +23,7 @@ ExecStart=@rootlibexecdir@/systemd-logind
 Restart=always
 RestartSec=0
 BusName=org.freedesktop.login1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 WatchdogSec=1min
 
 # Increase the default a bit in order to allow many simultaneous