[systemd-devel] [PATCH] bus-proxy: cloning smack label

Lennart Poettering lennart at poettering.net
Mon Dec 1 15:00:10 PST 2014


On Thu, 13.11.14 18:11, Przemyslaw Kedzierski (p.kedzierski at samsung.com) wrote:

Looks pretty good, but I couldn't apply it. There's something wrong
with the patch: the deletion/renaming of the service files doesn't
work. Did you create this patch with git-format-patch?

>          if (is_unix) {
>                  (void) getpeercred(in_fd, &ucred);
>                  (void) getpeersec(in_fd, &peersec);
> +
> +#ifdef HAVE_SMACK
> +                if (mac_smack_use()) {
> +                        if (peersec) {
> +
> +                                r = mac_smack_apply_pid(getpid(), peersec);
> +                                if (r < 0)
> +                                        log_warning("Failed to set SMACK label %s : %s", peersec, strerror(-r));
> +                        } else
> +                                log_warning("Invalid SMACK label");
> +
> +                        r = drop_capability(CAP_MAC_ADMIN);
> +                        if (r < 0)
> +                                log_warning("Failed to drop CAP_MAC_ADMIN: %s", strerror(-r));
> +                }
> +#endif
>          }
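Review bot: every failure path in the HAVE_SMACK block only calls log_warning() and then continues. If mac_smack_apply_pid() fails or peersec is NULL, the proxy keeps running under its own label rather than the peer's, and if drop_capability(CAP_MAC_ADMIN) fails it keeps the capability. Consider propagating r to the caller, at least in the drop_capability() case, so the process never goes on serving with CAP_MAC_ADMIN still held. The "Invalid SMACK label" message is also misleading: the NULL case here means getpeersec() produced no label (its return value is discarded with (void)), not that a label was malformed, so the message should say the peer label could not be read.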

Hmm, could you make this bit a function of its own please?

> +m4_ifdef(`HAVE_SMACK',
> +Capabilities=cap_mac_admin=i
> +SecureBits=keep-caps
> +)
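Review bot: Capabilities=cap_mac_admin=i places the capability in the inheritable set only, so on its own this hunk does not let the executed binary use CAP_MAC_ADMIN; it becomes permitted only when the installed file also carries a matching inheritable file capability. Nothing in the visible lines sets that up or mentions it, so either pair this with the install-time step or add a comment in the unit stating the dependency. A short comment on why SecureBits=keep-caps is needed would also help the next reader of the unit file.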

Hmm, it might be a good idea to also add some code to Makefile.am to
add the capability to the file after installation in case of
HAVE_SMACK. We used to set a file cap like this on
systemd-detect-virt until a while back.

See commit fdd25311706bd32580ec4d43211cdf4665d2f9de for details about
the setcap lines we removed back then. It should be easy to just re-add
those lines and adapt them to apply to systemd-bus-proxyd instead!

Thanks!

Lennart

-- 
Lennart Poettering, Red Hat

