Disable Shared RO namespaces in no-smack
authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Tue, 28 Jan 2025 11:24:52 +0000 (12:24 +0100)
committerTomasz Swierczek <t.swierczek@samsung.com>
Wed, 5 Feb 2025 07:56:19 +0000 (08:56 +0100)
We can express the policy (RW for owners and system, RO for others)
using ACL and DAC.

Change-Id: Ia9f1951311c080e265f0d4fe4b4af5fcb9289368

src/client/client-security-manager.cpp
src/common/service_impl.cpp

index 93d5d595b1d51c122de2dcf645d6c1dec3e9adda..ef03522fc6bbde897450ac7fea3498e298c6ddc9 100644 (file)
@@ -1231,10 +1231,12 @@ static inline int security_manager_setup_namespace_internal(const MountNS::Privi
         return SECURITY_MANAGER_SUCCESS;
     }
 
-    ret = setupSharedRO(pkg_name, enabledSharedRO, userAppsRWDir, userAppsRWSharedDir);
-    if (ret != SECURITY_MANAGER_SUCCESS) {
-        LogError("Failed to setup app SharedRO: " << security_manager_strerror(static_cast<lib_retcode>(ret)));
-        return ret;
+    if (smack_simple_check()) {
+        ret = setupSharedRO(pkg_name, enabledSharedRO, userAppsRWDir, userAppsRWSharedDir);
+        if (ret != SECURITY_MANAGER_SUCCESS) {
+            LogError("Failed to setup app SharedRO: " << security_manager_strerror(static_cast<lib_retcode>(ret)));
+            return ret;
+        }
     }
 
     ret = applyPrivileges(privilegePathMap, privPathsStatusVector, app_label);
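Review bot: The new `if (smack_simple_check())` guard makes the SharedRO step fail open: whenever the check returns false, setupSharedRO() is skipped without a log line and the function goes straight on to applyPrivileges(). The definition of smack_simple_check() is not in this hunk, so please confirm it can only return false on a real no-smack configuration, and not for some other reason (such as smackfs being unavailable to the client) on a Smack image. I would document the assumption above the guard, `// no-smack: shared RO policy (RW for owner/system, RO for others) is enforced by ACL + DAC, so no SharedRO namespace is set up`, and log the skipped path, e.g. `else { LogDebug("Smack disabled, skipping SharedRO setup"); }`. The enclosing function starts and ends outside the hunk.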
index 2b959c0f9ba27b98a99fb0a758f0bda199546598..fbc01141351a3f7e161a78239c829d130c7adc66 100644 (file)
@@ -377,7 +377,7 @@ int ServiceImpl::labelPaths(const pkg_paths &paths,
         if (!pathsCheck(paths, pkgLegalBaseDirs))
             return SECURITY_MANAGER_ERROR_NOT_PATH_OWNER;
 
-        if (isSharedRO) {
+        if (smack_simple_check() && isSharedRO) {
             LogWarning("Labeling shared_ro paths");
             // Label shared_ro base paths for bind mounting
             labelSharedPaths(homePath, pkgName);
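Review bot: With `smack_simple_check() && isSharedRO`, a package that requests shared_ro on a no-smack image now skips this branch silently, and nothing in the visible lines shows where the ACL/DAC permissions that replace the labeling are applied to its shared_ro paths. A comment above the condition would record the dependency, for example `// no-smack: shared_ro is enforced by ACL/DAC on the paths; no labels or bind-mount base paths are needed`, and the no-smack path deserves a test that other apps really get read-only access. The client side in security_manager_setup_namespace_internal evaluates smack_simple_check() separately, so both call sites have to reach the same answer or labeling and namespace setup will go out of step. labelPaths and the body of this `if` continue outside the hunk.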