diff options
author | Przemyslaw Kedzierski <p.kedzierski@samsung.com> | 2014-12-09 12:17:24 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-12-09 18:23:24 +0100 |
commit | dd5ae4c36c89da5dbe8d1628939b26c00db98753 (patch) | |
tree | 70732de11f8d613b3c3a5117009f9802301774e7 /units | |
parent | 4c213d6cf416917c61f82d8bee795b8f3a4c5372 (diff) | |
download | systemd-dd5ae4c36c89da5dbe8d1628939b26c00db98753.tar.gz systemd-dd5ae4c36c89da5dbe8d1628939b26c00db98753.tar.bz2 systemd-dd5ae4c36c89da5dbe8d1628939b26c00db98753.zip |
bus-proxy: cloning smack label
When dbus client connects to systemd-bus-proxyd through
Unix domain socket proxy takes client's smack label and sets for itself.
It is done before and independent of dropping privileges.
The reason of such soluton is fact that tests of access rights
performed by lsm may take place inside kernel, not only
in userspace of recipient of message.
The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label.
In case of systemd running in system mode, CAP_MAC_ADMIN
should be added to CapabilityBoundingSet in service file of bus-proxyd.
In case of systemd running in user mode ('systemd --user')
it can be achieved by addition
Capabilities=cap_mac_admin=i and SecureBits=keep-caps
to user@.service file
and setting cap_mac_admin+ei on bus-proxyd binary.
Diffstat (limited to 'units')
-rw-r--r-- | units/systemd-bus-proxyd@.service.m4.in (renamed from units/systemd-bus-proxyd@.service.in) | 2 | ||||
-rw-r--r-- | units/user@.service.m4.in (renamed from units/user@.service.in) | 4 |
2 files changed, 5 insertions, 1 deletions
diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.m4.in index 23b5ffa072..3f3ab64dee 100644 --- a/units/systemd-bus-proxyd@.service.in +++ b/units/systemd-bus-proxyd@.service.m4.in @@ -14,7 +14,7 @@ Description=Legacy D-Bus Protocol Compatibility Daemon # space available for this. ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges --address=kernel:path=/sys/fs/kdbus/0-system/bus xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx NotifyAccess=main -CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP +CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP m4_ifdef(`HAVE_SMACK', CAP_MAC_ADMIN ) PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes diff --git a/units/user@.service.in b/units/user@.service.m4.in index 1e21d51aae..340c02b59b 100644 --- a/units/user@.service.in +++ b/units/user@.service.m4.in @@ -17,3 +17,7 @@ ExecStart=-@rootlibexecdir@/systemd --user Slice=user-%i.slice KillMode=mixed Delegate=yes +m4_ifdef(`HAVE_SMACK', +Capabilities=cap_mac_admin=i +SecureBits=keep-caps +) |