author Łukasz Stelmach <l.stelmach@samsung.com> 2022-07-06 13:09:51 +0200
committer Łukasz Stelmach <l.stelmach@samsung.com> 2022-07-13 08:49:07 +0200
commit d4e29fa661e70b197d1e2e35a19437e6954a0da1 (patch)
tree 3e4b31771f77674db335ba9b0f38f3d45b34823c /man
parent fa09a000766eb1779ab110496e40ac25ea6b9a46 (diff)
smack: Add DefaultSmackProcessLabel to user.conf and system.conf

DefaultSmackProcessLabel tells systemd what label to assign to its child process in case SmackProcessLabel is not set in the service file. By default, when DefaultSmackProcessLabel is not set, child processes inherit the label from systemd.

If DefaultSmackProcessLabel is set to "/" (which is an invalid character for a SMACK label), the DEFAULT_SMACK_PROCESS_LABEL set during compilation is ignored and systemd acts as if the option was unset.

Change-Id: Ia432ed6de72476984d22412467da48cc851fd32a
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Origin: https://github.com/systemd/systemd/commit/aa5ae9711ef3cd0c69b7fcfbd65bca05fb704a8a
Diffstat (limited to 'man')
-rw-r--r-- man/systemd-system.conf.xml 12
1 files changed, 12 insertions, 0 deletions
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index e403fa5308..10364b23fc 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -418,6 +418,18 @@
for details. Note that this default is not used for services that have <varname>Delegate=</varname>
turned on.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>DefaultSmackProcessLabel=</varname></term>
+
+ <listitem><para>Takes a <option>SMACK64</option> security label as the argument. The process executed
+ by a unit will be started under this label if <varname>SmackProcessLabel=</varname> is not set in the
+ unit. See <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for the details.</para>
+
+ <para>If the value is <literal>/</literal> only labels labels specified with <varname>SmackProcessLabel=</varname>
+ are assigned and the compile-time default is ignored.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
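Review bot: The second added <para> has a doubled word ("only labels labels specified with"), and neither paragraph says which label a process ends up with when nothing is assigned. The commit message states that children inherit the label from systemd when the option is unset, and that "/" makes systemd act as if it was unset; that inheritance is the behaviour an administrator needs to know about, so it should be spelled out in the man page rather than only in the commit message. It would also help to name the compile-time default (DEFAULT_SMACK_PROCESS_LABEL in the commit message) and to mention that "/" works as the sentinel because it is not a valid character in a SMACK label. Suggested wording for the second paragraph: "If the value is "/", only labels specified with SmackProcessLabel= are assigned and the compile-time default is ignored; processes of units without that setting inherit the label of the service manager."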