From 8b6903ad4d0dc94cd0098f453a4ea8ab24a4a3f7 Mon Sep 17 00:00:00 2001
From: Djalal Harouni <tixxdz@opendz.org>
Date: Fri, 21 Oct 2016 22:22:56 +0200
Subject: [PATCH] core: lets move the setup of working directory before group
 enforce

This is minor but lets try to split and move bit by bit cgroups and
portable environment setup before applying the security context.
---
 src/core/execute.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/core/execute.c b/src/core/execute.c
index 874f035..a9b2b8f 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2632,6 +2632,13 @@ static int exec_child(
                 }
         }
 
+        if (context->working_directory_home)
+                wd = home;
+        else if (context->working_directory)
+                wd = context->working_directory;
+        else
+                wd = "/";
+
         /* Drop group as early as possbile */
         if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
                 r = enforce_groups(context, gid, supplementary_gids, ngids);
@@ -2641,13 +2648,6 @@ static int exec_child(
                 }
         }
 
-        if (context->working_directory_home)
-                wd = home;
-        else if (context->working_directory)
-                wd = context->working_directory;
-        else
-                wd = "/";
-
         if (params->flags & EXEC_APPLY_CHROOT) {
                 if (!needs_mount_namespace && context->root_directory)
                         if (chroot(context->root_directory) < 0) {
-- 
2.7.4