author | Patrick McCarty <patrick.mccarty@linux.intel.com> | 2013-12-09 14:56:15 -0800 |
---|---|---|
committer | Patrick McCarty <patrick.mccarty@linux.intel.com> | 2013-12-10 15:16:05 -0800 |
commit | 03c9fa8de286d8ccc29174e713a65b9dcb63aa23 (patch) | |
tree | 20c419cf7d678fdff7ccac6f71cf71897d70e7cc | |
parent | 93aacbb19f9b265c98d928e37c5ab354318ea21d (diff) | |
execute: add SmackExecLabel key for services
At the filesystem level, setting the runtime Smack label for an
executable is possible by setting the SMACK64EXEC security extended
attribute on the file, but if the runtime Smack label should depend on
the execution environment, the process needs to change its own Smack
label.
This commit introduces a new SmackExecLabel key for this purpose. For
example, 'systemd --user' may need to run with a different label as
compared to 'systemd --system', so SmackExecLabel could be set in
user@.service.
Setting the label will fail if the service lacks capabilities to set its
own Smack label.
Change-Id: I8eb8eb222342c9d0ae7e28530fe7e4d51493b83e
Signed-off-by: Patrick McCarty <patrick.mccarty@linux.intel.com>
-rw-r--r-- | src/core/dbus-execute.c | 1 | ||||
-rw-r--r-- | src/core/dbus-execute.h | 3 | ||||
-rw-r--r-- | src/core/execute.c | 19 | ||||
-rw-r--r-- | src/core/execute.h | 1 | ||||
-rw-r--r-- | src/core/load-fragment-gperf.gperf.m4 | 3 | ||||
-rw-r--r-- | src/shared/exit-status.c | 3 | ||||
-rw-r--r-- | src/shared/exit-status.h | 3 |
7 files changed, 30 insertions, 3 deletions
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 2402e8c34d..4d33340287 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -432,5 +432,6 @@ const BusProperty bus_exec_context_properties[] = {
 { "IgnoreSIGPIPE", bus_property_append_bool, "b", offsetof(ExecContext, ignore_sigpipe) },
 { "NoNewPrivileges", bus_property_append_bool, "b", offsetof(ExecContext, no_new_privileges) },
 { "SystemCallFilter", bus_execute_append_syscall_filter, "au", 0 },
+ { "SmackExecLabel", bus_property_append_string, "s", offsetof(ExecContext, smack_exec), true },
 {}
 };
diff --git a/src/core/dbus-execute.h b/src/core/dbus-execute.h
index 79bf30838a..d3546bc4d2 100644
--- a/src/core/dbus-execute.h
+++ b/src/core/dbus-execute.h
@@ -94,7 +94,8 @@
 " <property name=\"UtmpIdentifier\" type=\"s\" access=\"read\"/>\n" \
 " <property name=\"IgnoreSIGPIPE\" type=\"b\" access=\"read\"/>\n" \
 " <property name=\"NoNewPrivileges\" type=\"b\" access=\"read\"/>\n" \
- " <property name=\"SystemCallFilter\" type=\"au\" access=\"read\"/>\n"
+ " <property name=\"SystemCallFilter\" type=\"au\" access=\"read\"/>\n" \
+ " <property name=\"SmackExecLabel\" type=\"s\" access=\"read\"/>\n"
 #define BUS_EXEC_COMMAND_INTERFACE(name) \
 " <property name=\"" name "\" type=\"a(sasbttuii)\" access=\"read\"/>\n"
diff --git a/src/core/execute.c b/src/core/execute.c
index a53ef48ef8..e95846aa9d 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1399,6 +1399,18 @@ int exec_spawn(ExecCommand *command,
 goto fail_child;
 }
+#ifdef HAVE_SMACK
+ if (context->smack_exec) {
+ err = write_string_file("/proc/self/attr/current", context->smack_exec);
+ if (err < 0) {
+ /* Other errors indicate that Smack is not enabled */
+ if (errno == EPERM) {
+ r = EXIT_SMACK;
+ goto fail_child;
+ }
+ }
+ }
+#endif
 if (apply_permissions) {
 for (i = 0; i < RLIMIT_NLIMITS; i++) {
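Review bot: The label write added to exec_spawn fails open: when `write_string_file("/proc/self/attr/current", ...)` returns an error, only `errno == EPERM` aborts the child, so any other failure (for example a label the kernel rejects, or an I/O error) lets the service start under the label it inherited instead of the one the unit requested. The test also reads `errno` rather than the value saved in `err`; if write_string_file returns a negative errno-style code, as the `err < 0` check suggests, `err == -EPERM` is the reliable comparison because `errno` may have been overwritten by cleanup inside the helper. Consider determining up front whether Smack is active and then treating every write failure as fatal, `if (err < 0) { r = EXIT_SMACK; goto fail_child; }`. exec_spawn begins and ends outside this hunk, so the ordering of the label change relative to capability dropping could not be checked here.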
@@ -1988,6 +2000,13 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
 free(fac_str);
 }
+#ifdef HAVE_SMACK
+ if (c->smack_exec)
+ fprintf(f,
+ "%sSmackExecLabel: %s\n",
+ prefix, c->smack_exec);
+#endif
+
 if (c->capabilities) {
 char *t;
 if ((t = cap_to_text(c->capabilities, NULL))) {
diff --git a/src/core/execute.h b/src/core/execute.h
index c1e9717dc8..d71ab14e49 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -125,6 +125,7 @@ struct ExecContext {
 char *utmp_id;
 char **read_write_dirs, **read_only_dirs, **inaccessible_dirs;
+ char *smack_exec;
 unsigned long mount_flags;
 uint64_t capability_bounding_set_drop;
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index 31fb7bcd3f..785ba71102 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -75,7 +75,8 @@ $1.MountFlags, config_parse_exec_mount_flags, 0,
 $1.TCPWrapName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.tcpwrap_name)
 $1.PAMName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.pam_name)
 $1.IgnoreSIGPIPE, config_parse_bool, 0, offsetof($1, exec_context.ignore_sigpipe)
-$1.UtmpIdentifier, config_parse_unit_string_printf, 0, offsetof($1, exec_context.utmp_id)'
+$1.UtmpIdentifier, config_parse_unit_string_printf, 0, offsetof($1, exec_context.utmp_id)
+$1.SmackExecLabel, config_parse_string, 0, offsetof($1, exec_context.smack_exec)'
 )m4_dnl
 m4_define(`KILL_CONTEXT_CONFIG_ITEMS',
 `$1.SendSIGKILL, config_parse_bool, 0, offsetof($1, kill_context.send_sigkill)
diff --git a/src/shared/exit-status.c b/src/shared/exit-status.c
index 45131f2b2a..53dac33bbf 100644
--- a/src/shared/exit-status.c
+++ b/src/shared/exit-status.c
@@ -130,6 +130,9 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) {
 case EXIT_SECCOMP:
 return "SECCOMP";
+
+ case EXIT_SMACK:
+ return "SMACK";
 }
 }
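Review bot: The new `char *smack_exec` member of struct ExecContext (src/core/execute.h) has no matching release in this commit: the diffstat lists 19 changed lines in src/core/execute.c, and the two hunks shown there (12 and 7 added lines) account for all of them without touching context teardown. Unless the string is freed somewhere this commit does not show, each parsed label leaks when the context is destroyed; add `free(c->smack_exec); c->smack_exec = NULL;` next to the other string members in exec_context_done(). A field comment such as `/* Smack label to assume before exec(), NULL if unset */` would also document the ownership. The struct extends beyond the hunk.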
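Review bot: In the load-fragment-gperf.gperf.m4 hunk, `SmackExecLabel` is registered unconditionally, while the code that applies it in exec_spawn sits under `#ifdef HAVE_SMACK`, so a build without Smack support appears to accept the key and silently ignore it. For a setting meant to confine a service, a silent no-op is easily mistaken for enforcement; either guard the table entry the same way, if the template allows it, or log a warning when the key is set and support is compiled out. The entry also uses `config_parse_string` where the neighbouring string keys use `config_parse_unit_string_printf`, so specifiers are presumably not expanded in the label, which deserves a line in the documentation if intended.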
diff --git a/src/shared/exit-status.h b/src/shared/exit-status.h
index 1f035a3007..b717d8a385 100644
--- a/src/shared/exit-status.h
+++ b/src/shared/exit-status.h
@@ -67,7 +67,8 @@ typedef enum ExitStatus {
 EXIT_NETWORK,
 EXIT_NAMESPACE,
 EXIT_NO_NEW_PRIVILEGES,
- EXIT_SECCOMP
+ EXIT_SECCOMP,
+ EXIT_SMACK
 } ExitStatus;
 typedef enum ExitStatusLevel { |