1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-31 21:18:09 +03:00

smack: Add DefaultSmackProcessLabel to user.conf and system.conf

DefaultSmackProcessLabel tells systemd what label to assign to its child
process in case SmackProcessLabel is not set in the service file. By
default, when DefaultSmackProcessLabel is not set child processes inherit
label from systemd.

If DefaultSmackProcessLabel is set to "/" (which is an invalid character
for a SMACK label) the DEFAULT_SMACK_PROCESS_LABEL set during compilation
is ignored and systemd act as if the option was unset.
This commit is contained in:
Łukasz Stelmach 2022-07-06 13:09:51 +02:00 committed by Luca Boccassi
parent 8880c3be82
commit aa5ae9711e
9 changed files with 53 additions and 6 deletions

View File

@ -525,6 +525,18 @@
details. Note that this setting has no effect on the OOM score adjustment value of the service
manager process itself, it retains the original value set during its invocation.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>DefaultSmackProcessLabel=</varname></term>
<listitem><para>Takes a <option>SMACK64</option> security label as the argument. The process executed
by a unit will be started under this label if <varname>SmackProcessLabel=</varname> is not set in the
unit. See <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the details.</para>
<para>If the value is <literal>/</literal>, only labels specified with <varname>SmackProcessLabel=</varname>
are assigned and the compile-time default is ignored.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>

View File

@ -1167,6 +1167,11 @@ if have
conf.set_quoted('SMACK_RUN_LABEL', get_option('smack-run-label'))
endif
have = get_option('smack') and get_option('smack-default-process-label') != ''
if have
conf.set_quoted('SMACK_DEFAULT_PROCESS_LABEL', get_option('smack-default-process-label'))
endif
want_polkit = get_option('polkit')
install_polkit = false
install_polkit_pkla = false

View File

@ -352,6 +352,8 @@ option('smack', type : 'boolean',
description : 'SMACK support')
option('smack-run-label', type : 'string',
description : 'run systemd --system itself with a specific SMACK label')
option('smack-default-process-label', type : 'string',
description : 'default SMACK label for executed processes')
option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
description : 'polkit support')
option('ima', type : 'boolean',

View File

@ -3240,6 +3240,7 @@ static int setup_credentials(
#if ENABLE_SMACK
static int setup_smack(
const Manager *manager,
const ExecContext *context,
int executable_fd) {
int r;
@ -3251,20 +3252,17 @@ static int setup_smack(
r = mac_smack_apply_pid(0, context->smack_process_label);
if (r < 0)
return r;
}
#ifdef SMACK_DEFAULT_PROCESS_LABEL
else {
} else if (manager->default_smack_process_label) {
_cleanup_free_ char *exec_label = NULL;
r = mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, &exec_label);
if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
return r;
r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
r = mac_smack_apply_pid(0, exec_label ? : manager->default_smack_process_label);
if (r < 0)
return r;
}
#endif
return 0;
}
@ -4853,7 +4851,7 @@ static int exec_child(
/* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
* process. This is the latest place before dropping capabilities. Other MAC context are set later. */
if (use_smack) {
r = setup_smack(context, executable_fd);
r = setup_smack(unit->manager, context, executable_fd);
if (r < 0 && !context->smack_process_label_ignore) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");

View File

@ -170,6 +170,7 @@ static void *arg_random_seed;
static size_t arg_random_seed_size;
static int arg_default_oom_score_adjust;
static bool arg_default_oom_score_adjust_set;
static char *arg_default_smack_process_label;
/* A copy of the original environment block */
static char **saved_env = NULL;
@ -658,6 +659,11 @@ static int parse_config_file(void) {
{ "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action },
{ "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy },
{ "Manager", "DefaultOOMScoreAdjust", config_parse_oom_score_adjust, 0, NULL },
#if ENABLE_SMACK
{ "Manager", "DefaultSmackProcessLabel", config_parse_string, 0, &arg_default_smack_process_label },
#else
{ "Manager", "DefaultSmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, NULL },
#endif
{}
};
@ -731,6 +737,8 @@ static void set_manager_defaults(Manager *m) {
m->default_oom_score_adjust_set = arg_default_oom_score_adjust_set;
m->default_oom_score_adjust = arg_default_oom_score_adjust;
(void) manager_set_default_smack_process_label(m, arg_default_smack_process_label);
(void) manager_set_default_rlimits(m, arg_default_rlimit);
(void) manager_default_environment(m);
@ -2421,6 +2429,7 @@ static void reset_arguments(void) {
arg_clock_usec = 0;
arg_default_oom_score_adjust_set = false;
arg_default_smack_process_label = mfree(arg_default_smack_process_label);
}
static void determine_default_oom_score_adjust(void) {

View File

@ -1549,6 +1549,8 @@ Manager* manager_free(Manager *m) {
free(m->switch_root);
free(m->switch_root_init);
free(m->default_smack_process_label);
rlimit_free_all(m->rlimit);
assert(hashmap_isempty(m->units_requiring_mounts_for));
@ -3880,6 +3882,19 @@ int manager_get_effective_environment(Manager *m, char ***ret) {
return 0;
}
int manager_set_default_smack_process_label(Manager *m, const char *label) {
assert(m);
#ifdef SMACK_DEFAULT_PROCESS_LABEL
if (!label)
return free_and_strdup(&m->default_smack_process_label, SMACK_DEFAULT_PROCESS_LABEL);
#endif
if (streq_ptr(label, "/"))
return free_and_strdup(&m->default_smack_process_label, NULL);
return free_and_strdup(&m->default_smack_process_label, label);
}
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit) {
assert(m);

View File

@ -457,6 +457,8 @@ struct Manager {
/* Reference to RestrictFileSystems= BPF program */
struct restrict_fs_bpf *restrict_fs;
char *default_smack_process_label;
};
static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
@ -509,6 +511,8 @@ int manager_transient_environment_add(Manager *m, char **plus);
int manager_client_environment_modify(Manager *m, char **minus, char **plus);
int manager_get_effective_environment(Manager *m, char ***ret);
int manager_set_default_smack_process_label(Manager *m, const char *label);
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit);
void manager_trigger_run_queue(Manager *m);

View File

@ -74,3 +74,4 @@
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
#DefaultOOMPolicy=stop
#DefaultSmackProcessLabel=

View File

@ -47,3 +47,4 @@
#DefaultLimitNICE=
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
#DefaultSmackProcessLabel=