[systemd-devel] [PATCH] Move apparmor code before the namespace setup
misc at zarb.org
misc at zarb.org
Sat Oct 11 18:57:05 PDT 2014
From: Michael Scherer <misc at zarb.org>
Since AppArmor needs to access /proc to communicate with the kernel,
any unit setting / as read-only will be unable to also use the
AppArmorProfile setting, as found in Debian bug 760526.
---
src/core/execute.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index b165b33..1f2da74 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1501,6 +1501,16 @@ static int exec_child(ExecCommand *command,
}
#endif
+#ifdef HAVE_APPARMOR
+ if (params->apply_permissions && context->apparmor_profile && use_apparmor()) {
+ err = aa_change_onexec(context->apparmor_profile);
+ if (err < 0 && !context->apparmor_profile_ignore) {
+ *error = EXIT_APPARMOR_PROFILE;
+ return -errno;
+ }
+ }
+#endif
+
if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
err = setup_netns(runtime->netns_storage_socket);
if (err < 0) {
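Review bot: The relocated block at lines 20–26 needs a comment stating why it must stay ahead of the namespace and mount setup, otherwise a later reorder silently reintroduces the bug the description fixes; e.g. `/* Must run before the namespace/mount setup below: aa_change_onexec() talks to the kernel through /proc, which a read-only / would block. The profile only takes effect at execve(). */`. The moved condition also gains a `params->apply_permissions &&` guard that the removed block in the second hunk (lines 35–43) did not have; that is a behaviour change the commit message does not mention, so either state the rationale there (presumably to match the other apply_permissions-gated checks) or split it into its own patch. The `return -errno` on line 24 still relies on errno surviving from aa_change_onexec(); nothing intervenes here, but any future call placed between them would corrupt the reported error. exec_child() begins and ends outside both hunks.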
@@ -1693,15 +1703,6 @@ static int exec_child(ExecCommand *command,
}
#endif
-#ifdef HAVE_APPARMOR
- if (context->apparmor_profile && use_apparmor()) {
- err = aa_change_onexec(context->apparmor_profile);
- if (err < 0 && !context->apparmor_profile_ignore) {
- *error = EXIT_APPARMOR_PROFILE;
- return -errno;
- }
- }
-#endif
}
err = build_environment(context, n_fds, params->watchdog_usec, home, username, shell, &our_env);
--
1.8.3.1