Merge pull request #1357 from again4you/devel/fix_smack_sd_pam_#2

exec: fix the wrong SMACK labeling of (sd-pam) daemon v3
2025-01-26 14:04:03 +03:00 · 2015-09-23 16:44:21 +02:00 · 2015-09-23 16:44:21 +02:00 · adf344b0ed
commit adf344b0ed
parent f795eec68f b213e1c11d
1 changed files with 36 additions and 38 deletions
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -1582,25 +1582,50 @@ static int exec_child(
                }
        }

+        umask(context->umask);
+
        if (params->apply_permissions) {
                r = enforce_groups(context, username, gid);
                if (r < 0) {
                        *exit_status = EXIT_GROUP;
                        return r;
                }
-        }
-
-        umask(context->umask);
-
-#ifdef HAVE_PAM
-        if (params->apply_permissions && context->pam_name && username) {
-                r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
-                if (r < 0) {
-                        *exit_status = EXIT_PAM;
-                        return r;
+#ifdef HAVE_SMACK
+                if (context->smack_process_label) {
+                        r = mac_smack_apply_pid(0, context->smack_process_label);
+                        if (r < 0) {
+                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
+                                return r;
+                        }
+                }
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+                else {
+                        _cleanup_free_ char *exec_label = NULL;
+
+                        r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
+                        if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
+                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
+                                return r;
+                        }
+
+                        r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
+                        if (r < 0) {
+                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
+                                return r;
+                        }
                }
-        }
 #endif
+#endif
+#ifdef HAVE_PAM
+                if (context->pam_name && username) {
+                        r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds);
+                        if (r < 0) {
+                                *exit_status = EXIT_PAM;
+                                return r;
+                        }
+                }
+#endif
+        }

        if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) {
                r = setup_netns(runtime->netns_storage_socket);
@ -1729,33 +1754,6 @@ static int exec_child(
                        }
                }

-#ifdef HAVE_SMACK
-                if (context->smack_process_label) {
-                        r = mac_smack_apply_pid(0, context->smack_process_label);
-                        if (r < 0) {
-                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
-                                return r;
-                        }
-                }
-#ifdef SMACK_DEFAULT_PROCESS_LABEL
-                else {
-                        _cleanup_free_ char *exec_label = NULL;
-
-                        r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
-                        if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
-                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
-                                return r;
-                        }
-
-                        r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
-                        if (r < 0) {
-                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
-                                return r;
-                        }
-                }
-#endif
-#endif
-
                if (context->user) {
                        r = enforce_user(context, uid);
                        if (r < 0) {