From 6bf6e43e7e214a4bd03008a91a7fc77ce6934d65 Mon Sep 17 00:00:00 2001 From: Sangjung Woo Date: Wed, 23 Sep 2015 20:41:52 +0900 Subject: [PATCH] exec: call setup_pam() after SMACK labeling When 'SmackProcessLabel=' is used in user@.service file, all processes launched in systemd user session should be labeled as the designated name of 'SmackProcessLabel' directive. However, if systemd has its own smack label using '--with-smack-run-label' configuration, '(sd-pam)' is labeled as the specific name of '--with-smack-run-label'. If 'SmackProcessLabel=' is used in user@.service file without '--with-smack-run-label' configuration, (sd-pam) is labeled as "_" since systemd (i.e. pid=1) is labeled as "_". This is mainly because setup_pam() function is called before applying smack label to child process. This patch fixes it by calling setup_pam() after setting the smack label. --- src/core/execute.c | 56 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 29 insertions(+), 27 deletions(-) diff --git a/src/core/execute.c b/src/core/execute.c index 6e14848..eef2dac 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1592,6 +1592,35 @@ static int exec_child( umask(context->umask); +#ifdef HAVE_SMACK + if (params->apply_permissions) { + if (context->smack_process_label) { + r = mac_smack_apply_pid(0, context->smack_process_label); + if (r < 0) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + } +#ifdef SMACK_DEFAULT_PROCESS_LABEL + else { + _cleanup_free_ char *exec_label = NULL; + + r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label); + if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + + r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL); + if (r < 0) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + } + } +#endif +#endif + #ifdef HAVE_PAM if (params->apply_permissions && context->pam_name && username) { r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds); @@ -1729,33 +1758,6 @@ static int exec_child( } } -#ifdef HAVE_SMACK - if (context->smack_process_label) { - r = mac_smack_apply_pid(0, context->smack_process_label); - if (r < 0) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - } -#ifdef SMACK_DEFAULT_PROCESS_LABEL - else { - _cleanup_free_ char *exec_label = NULL; - - r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label); - if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - - r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL); - if (r < 0) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - } -#endif -#endif - if (context->user) { r = enforce_user(context, uid); if (r < 0) { -- 2.7.4