mirror of
https://github.com/systemd/systemd.git
synced 2025-01-05 13:18:06 +03:00
smack: Add DefaultSmackProcessLabel to user.conf and system.conf
DefaultSmackProcessLabel tells systemd what label to assign to its child process in case SmackProcessLabel is not set in the service file. By default, when DefaultSmackProcessLabel is not set child processes inherit label from systemd. If DefaultSmackProcessLabel is set to "/" (which is an invalid character for a SMACK label) the DEFAULT_SMACK_PROCESS_LABEL set during compilation is ignored and systemd act as if the option was unset.
This commit is contained in:
parent
8880c3be82
commit
aa5ae9711e
@ -525,6 +525,18 @@
|
|||||||
details. Note that this setting has no effect on the OOM score adjustment value of the service
|
details. Note that this setting has no effect on the OOM score adjustment value of the service
|
||||||
manager process itself, it retains the original value set during its invocation.</para></listitem>
|
manager process itself, it retains the original value set during its invocation.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><varname>DefaultSmackProcessLabel=</varname></term>
|
||||||
|
|
||||||
|
<listitem><para>Takes a <option>SMACK64</option> security label as the argument. The process executed
|
||||||
|
by a unit will be started under this label if <varname>SmackProcessLabel=</varname> is not set in the
|
||||||
|
unit. See <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
|
for the details.</para>
|
||||||
|
|
||||||
|
<para>If the value is <literal>/</literal>, only labels specified with <varname>SmackProcessLabel=</varname>
|
||||||
|
are assigned and the compile-time default is ignored.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
@ -1167,6 +1167,11 @@ if have
|
|||||||
conf.set_quoted('SMACK_RUN_LABEL', get_option('smack-run-label'))
|
conf.set_quoted('SMACK_RUN_LABEL', get_option('smack-run-label'))
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
have = get_option('smack') and get_option('smack-default-process-label') != ''
|
||||||
|
if have
|
||||||
|
conf.set_quoted('SMACK_DEFAULT_PROCESS_LABEL', get_option('smack-default-process-label'))
|
||||||
|
endif
|
||||||
|
|
||||||
want_polkit = get_option('polkit')
|
want_polkit = get_option('polkit')
|
||||||
install_polkit = false
|
install_polkit = false
|
||||||
install_polkit_pkla = false
|
install_polkit_pkla = false
|
||||||
|
@ -352,6 +352,8 @@ option('smack', type : 'boolean',
|
|||||||
description : 'SMACK support')
|
description : 'SMACK support')
|
||||||
option('smack-run-label', type : 'string',
|
option('smack-run-label', type : 'string',
|
||||||
description : 'run systemd --system itself with a specific SMACK label')
|
description : 'run systemd --system itself with a specific SMACK label')
|
||||||
|
option('smack-default-process-label', type : 'string',
|
||||||
|
description : 'default SMACK label for executed processes')
|
||||||
option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
|
option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
|
||||||
description : 'polkit support')
|
description : 'polkit support')
|
||||||
option('ima', type : 'boolean',
|
option('ima', type : 'boolean',
|
||||||
|
@ -3240,6 +3240,7 @@ static int setup_credentials(
|
|||||||
|
|
||||||
#if ENABLE_SMACK
|
#if ENABLE_SMACK
|
||||||
static int setup_smack(
|
static int setup_smack(
|
||||||
|
const Manager *manager,
|
||||||
const ExecContext *context,
|
const ExecContext *context,
|
||||||
int executable_fd) {
|
int executable_fd) {
|
||||||
int r;
|
int r;
|
||||||
@ -3251,20 +3252,17 @@ static int setup_smack(
|
|||||||
r = mac_smack_apply_pid(0, context->smack_process_label);
|
r = mac_smack_apply_pid(0, context->smack_process_label);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
} else if (manager->default_smack_process_label) {
|
||||||
#ifdef SMACK_DEFAULT_PROCESS_LABEL
|
|
||||||
else {
|
|
||||||
_cleanup_free_ char *exec_label = NULL;
|
_cleanup_free_ char *exec_label = NULL;
|
||||||
|
|
||||||
r = mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, &exec_label);
|
r = mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, &exec_label);
|
||||||
if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
|
if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
|
r = mac_smack_apply_pid(0, exec_label ? : manager->default_smack_process_label);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -4853,7 +4851,7 @@ static int exec_child(
|
|||||||
/* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
|
/* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
|
||||||
* process. This is the latest place before dropping capabilities. Other MAC context are set later. */
|
* process. This is the latest place before dropping capabilities. Other MAC context are set later. */
|
||||||
if (use_smack) {
|
if (use_smack) {
|
||||||
r = setup_smack(context, executable_fd);
|
r = setup_smack(unit->manager, context, executable_fd);
|
||||||
if (r < 0 && !context->smack_process_label_ignore) {
|
if (r < 0 && !context->smack_process_label_ignore) {
|
||||||
*exit_status = EXIT_SMACK_PROCESS_LABEL;
|
*exit_status = EXIT_SMACK_PROCESS_LABEL;
|
||||||
return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
|
return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
|
||||||
|
@ -170,6 +170,7 @@ static void *arg_random_seed;
|
|||||||
static size_t arg_random_seed_size;
|
static size_t arg_random_seed_size;
|
||||||
static int arg_default_oom_score_adjust;
|
static int arg_default_oom_score_adjust;
|
||||||
static bool arg_default_oom_score_adjust_set;
|
static bool arg_default_oom_score_adjust_set;
|
||||||
|
static char *arg_default_smack_process_label;
|
||||||
|
|
||||||
/* A copy of the original environment block */
|
/* A copy of the original environment block */
|
||||||
static char **saved_env = NULL;
|
static char **saved_env = NULL;
|
||||||
@ -658,6 +659,11 @@ static int parse_config_file(void) {
|
|||||||
{ "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action },
|
{ "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action },
|
||||||
{ "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy },
|
{ "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy },
|
||||||
{ "Manager", "DefaultOOMScoreAdjust", config_parse_oom_score_adjust, 0, NULL },
|
{ "Manager", "DefaultOOMScoreAdjust", config_parse_oom_score_adjust, 0, NULL },
|
||||||
|
#if ENABLE_SMACK
|
||||||
|
{ "Manager", "DefaultSmackProcessLabel", config_parse_string, 0, &arg_default_smack_process_label },
|
||||||
|
#else
|
||||||
|
{ "Manager", "DefaultSmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, NULL },
|
||||||
|
#endif
|
||||||
{}
|
{}
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -731,6 +737,8 @@ static void set_manager_defaults(Manager *m) {
|
|||||||
m->default_oom_score_adjust_set = arg_default_oom_score_adjust_set;
|
m->default_oom_score_adjust_set = arg_default_oom_score_adjust_set;
|
||||||
m->default_oom_score_adjust = arg_default_oom_score_adjust;
|
m->default_oom_score_adjust = arg_default_oom_score_adjust;
|
||||||
|
|
||||||
|
(void) manager_set_default_smack_process_label(m, arg_default_smack_process_label);
|
||||||
|
|
||||||
(void) manager_set_default_rlimits(m, arg_default_rlimit);
|
(void) manager_set_default_rlimits(m, arg_default_rlimit);
|
||||||
|
|
||||||
(void) manager_default_environment(m);
|
(void) manager_default_environment(m);
|
||||||
@ -2421,6 +2429,7 @@ static void reset_arguments(void) {
|
|||||||
arg_clock_usec = 0;
|
arg_clock_usec = 0;
|
||||||
|
|
||||||
arg_default_oom_score_adjust_set = false;
|
arg_default_oom_score_adjust_set = false;
|
||||||
|
arg_default_smack_process_label = mfree(arg_default_smack_process_label);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void determine_default_oom_score_adjust(void) {
|
static void determine_default_oom_score_adjust(void) {
|
||||||
|
@ -1549,6 +1549,8 @@ Manager* manager_free(Manager *m) {
|
|||||||
free(m->switch_root);
|
free(m->switch_root);
|
||||||
free(m->switch_root_init);
|
free(m->switch_root_init);
|
||||||
|
|
||||||
|
free(m->default_smack_process_label);
|
||||||
|
|
||||||
rlimit_free_all(m->rlimit);
|
rlimit_free_all(m->rlimit);
|
||||||
|
|
||||||
assert(hashmap_isempty(m->units_requiring_mounts_for));
|
assert(hashmap_isempty(m->units_requiring_mounts_for));
|
||||||
@ -3880,6 +3882,19 @@ int manager_get_effective_environment(Manager *m, char ***ret) {
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int manager_set_default_smack_process_label(Manager *m, const char *label) {
|
||||||
|
assert(m);
|
||||||
|
|
||||||
|
#ifdef SMACK_DEFAULT_PROCESS_LABEL
|
||||||
|
if (!label)
|
||||||
|
return free_and_strdup(&m->default_smack_process_label, SMACK_DEFAULT_PROCESS_LABEL);
|
||||||
|
#endif
|
||||||
|
if (streq_ptr(label, "/"))
|
||||||
|
return free_and_strdup(&m->default_smack_process_label, NULL);
|
||||||
|
|
||||||
|
return free_and_strdup(&m->default_smack_process_label, label);
|
||||||
|
}
|
||||||
|
|
||||||
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit) {
|
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit) {
|
||||||
assert(m);
|
assert(m);
|
||||||
|
|
||||||
|
@ -457,6 +457,8 @@ struct Manager {
|
|||||||
|
|
||||||
/* Reference to RestrictFileSystems= BPF program */
|
/* Reference to RestrictFileSystems= BPF program */
|
||||||
struct restrict_fs_bpf *restrict_fs;
|
struct restrict_fs_bpf *restrict_fs;
|
||||||
|
|
||||||
|
char *default_smack_process_label;
|
||||||
};
|
};
|
||||||
|
|
||||||
static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
|
static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
|
||||||
@ -509,6 +511,8 @@ int manager_transient_environment_add(Manager *m, char **plus);
|
|||||||
int manager_client_environment_modify(Manager *m, char **minus, char **plus);
|
int manager_client_environment_modify(Manager *m, char **minus, char **plus);
|
||||||
int manager_get_effective_environment(Manager *m, char ***ret);
|
int manager_get_effective_environment(Manager *m, char ***ret);
|
||||||
|
|
||||||
|
int manager_set_default_smack_process_label(Manager *m, const char *label);
|
||||||
|
|
||||||
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit);
|
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit);
|
||||||
|
|
||||||
void manager_trigger_run_queue(Manager *m);
|
void manager_trigger_run_queue(Manager *m);
|
||||||
|
@ -74,3 +74,4 @@
|
|||||||
#DefaultLimitRTPRIO=
|
#DefaultLimitRTPRIO=
|
||||||
#DefaultLimitRTTIME=
|
#DefaultLimitRTTIME=
|
||||||
#DefaultOOMPolicy=stop
|
#DefaultOOMPolicy=stop
|
||||||
|
#DefaultSmackProcessLabel=
|
||||||
|
@ -47,3 +47,4 @@
|
|||||||
#DefaultLimitNICE=
|
#DefaultLimitNICE=
|
||||||
#DefaultLimitRTPRIO=
|
#DefaultLimitRTPRIO=
|
||||||
#DefaultLimitRTTIME=
|
#DefaultLimitRTTIME=
|
||||||
|
#DefaultSmackProcessLabel=
|
||||||
|
Loading…
Reference in New Issue
Block a user