[systemd-devel] [PATCH] smack: introduce new SmackLabelExec option
Lennart Poettering
lennart at poettering.net
Thu Nov 6 06:54:25 PST 2014
On Tue, 04.11.14 17:35, WaLyong Cho (walyong.cho at samsung.com) wrote:
> In case systemd has the "_" label and runs as root, if a service file
> has a "User=" option and the command line file has a special SMACK label
> then systemd will fail to execute the command. Generally, the SMACK label
> is ignored for root. But if a service has "User=" then systemd
> will call setresuid() in the child process. After that it is no longer
> root. So it should have some executable label for the command. To
> set the SMACK64EXEC before the uid is changed, introduce a new
> SmackLabelExec option.
Hmm, I am not sure I like the abbreviation of this. Can't we just call
this "SmackLabel="?
> +#ifdef HAVE_SMACK
> +#include "smack-util.h"
> +#endif
> +
ifdeffing the include is unnecessary. You can just include it without
ifdef protection, there's nothing in it that we need to avoid pulling in.
>
> #define SMACK_FLOOR_LABEL "_"
> @@ -123,6 +124,31 @@ int mac_smack_apply_ip_in_fd(int fd, const char *label) {
> return r;
> }
>
> +int mac_smack_apply_pid(pid_t pid, const char *label) {
> + int r = 0;
> + _cleanup_free_ char *path = NULL;
> +
> + assert(label);
> +
> +#ifdef HAVE_SMACK
> + if (!mac_smack_use())
> + return 0;
> +
> + if (pid)
> + r = asprintf(&path, "/proc/%lu/attr/current", (unsigned long) pid);
> + else
> + r = asprintf(&path, "/proc/self/attr/current");
> + if (r < 0)
> + return -ENOMEM;
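Review bot: mac_smack_apply_pid() never rejects a negative pid. The "if (pid)" test only separates 0 from everything else, so a negative value is cast to unsigned long and formatted into the /proc/%lu/attr/current path; an assert(pid >= 0) next to assert(label) would catch that. Separately, path is declared _cleanup_free_ and filled by asprintf(), and glibc documents the pointer's contents as undefined when asprintf() fails, so the cleanup on the "r < 0" return may free an undefined pointer. Building the path in a stack buffer removes both the allocation and that error path.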
Please use procfs_file_alloca() for this. It makes this much nicer!
Lennart
--
Lennart Poettering, Red Hat