On Tue, 04.11.14 17:35, WaLyong Cho (walyong....@samsung.com) wrote:

> In case systemd has the "_" label and runs as root, if a service file
> has a "User=" option and the command-line file has a special SMACK label,
> then systemd will fail to execute the command. Generally, the SMACK label
> is ignored for root. But if a service has a "User=" then systemd
> will call setresuid() in the child process. After that it is no longer
> root. So it should have some executable label for the command. To
> set the SMACK64EXEC before the uid is changed, introduce a new
> SmackLabelExec option.
Hmm, I am not sure I like the abbreviation of this. Can't we just call this "SmackLabel="?

> +#ifdef HAVE_SMACK
> +#include "smack-util.h"
> +#endif
> +

ifdeffing the include is unnecessary. You can just include it without ifdef protection, there's nothing in it that we need to avoid pulling in.

>
>  #define SMACK_FLOOR_LABEL "_"
> @@ -123,6 +124,31 @@ int mac_smack_apply_ip_in_fd(int fd, const char *label) {
>          return r;
>  }
>
> +int mac_smack_apply_pid(pid_t pid, const char *label) {
> +        int r = 0;
> +        _cleanup_free_ char *path = NULL;
> +
> +        assert(label);
> +
> +#ifdef HAVE_SMACK
> +        if (!mac_smack_use())
> +                return 0;
> +
> +        if (pid)
> +                r = asprintf(&path, "/proc/%lu/attr/current", (unsigned
> long) pid);
> +        else
> +                r = asprintf(&path, "/proc/self/attr/current");
> +        if (r < 0)
> +                return -ENOMEM;

Please use procfs_file_alloca() for this. It makes this much nicer!

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
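Review bot: in the mac_smack_apply_pid() hunk, `path` and `r` are declared above the `#ifdef HAVE_SMACK` block but only used inside it, so a build without SMACK gets an unused-variable warning for `path` and returns the never-updated `r = 0`; either move the declarations inside the ifdef or drop the ifdef around the body. Switching to procfs_file_alloca(pid, "attr/current"), as suggested, also removes the `if (pid) ... else ...` pair and the asprintf()/-ENOMEM branch in one go, since that macro maps pid 0 to /proc/self itself. One more thing to weigh before keeping the pid parameter at all: the kernel only accepts writes to /proc/<pid>/attr/current from the task itself, so the non-self branch can never apply a label, only fail with a permission error; if no caller needs a foreign pid, a pid-less mac_smack_apply_self(label) would be the honest signature.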
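The ordering problem the commit message describes, as an added example that is not systemd's code and not the patch under review: the Smack process label has to be written to /proc/self/attr/current while the child still holds root's capabilities, and only then may the uid be dropped and the labelled binary exec'ed. The label "System::Service", the uid/gid 65534 and the helper names are assumptions chosen for the illustration; the path builder mirrors what procfs_file_alloca(pid, "attr/current") does (pid 0 means /proc/self), and the label functions are written against ordinary files so they can be exercised on a machine without Smack.

```c
/* Added example, not systemd's code: apply a Smack process label while
 * still root, then drop privileges and exec. Label name, uid/gid and
 * helper names are assumptions for the illustration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Build "/proc/<pid>/attr/current"; pid 0 maps to /proc/self, the same
 * convention as systemd's procfs_file_alloca(). Returns 0 or -ENAMETOOLONG. */
static int smack_attr_path(pid_t pid, char *buf, size_t size) {
    int n;
    if (pid == 0)
        n = snprintf(buf, size, "/proc/self/attr/current");
    else
        n = snprintf(buf, size, "/proc/%ld/attr/current", (long) pid);
    if (n < 0 || (size_t) n >= size)
        return -ENAMETOOLONG;
    return 0;
}

/* Smack is active when the kernel exposes smackfs. */
static int smack_in_use(void) {
    return access("/sys/fs/smackfs", F_OK) == 0;
}

/* Write a label string to an attribute file. Returns 0 or -errno. */
static int write_label(const char *path, const char *label) {
    size_t len = strlen(label);
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, label, len);
    int saved = errno;
    close(fd);
    if (n < 0)
        return -saved;
    return (size_t) n == len ? 0 : -EIO;
}

/* Read a label back, trimming a trailing newline. Returns 0 or -errno. */
static int read_label(const char *path, char *buf, size_t size) {
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = read(fd, buf, size - 1);
    int saved = errno;
    close(fd);
    if (n < 0)
        return -saved;
    buf[n] = '\0';
    if (n > 0 && buf[n - 1] == '\n')
        buf[n - 1] = '\0';
    return 0;
}

/* Self-only counterpart of the proposed mac_smack_apply_pid(): a no-op on
 * kernels without Smack. Writing /proc/self/attr/current needs
 * CAP_MAC_ADMIN, which is why it must happen before the uid change. */
static int mac_smack_apply_self(const char *label) {
    char path[64];
    int r;
    if (!smack_in_use())
        return 0;
    r = smack_attr_path(0, path, sizeof(path));
    if (r < 0)
        return r;
    return write_label(path, label);
}

/* The order the commit message argues for: label, then drop root, then
 * exec. systemd calls setresuid(); POSIX setuid() is used here, which for
 * root sets all three uids. Returns only on failure, with -errno. */
static int exec_as_user_with_label(const char *label, uid_t uid, gid_t gid,
                                   char *const argv[]) {
    int r = mac_smack_apply_self(label);
    if (r < 0)
        return r;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -errno;
    execv(argv[0], argv);
    return -errno;
}

/* Usage (as root, on a Smack system): ./label-exec /path/to/labelled-binary */
int main(int argc, char *argv[]) {
    char *const dflt[] = { "/bin/true", NULL };
    char *const *cmd = argc > 1 ? &argv[1] : dflt;
    int r = exec_as_user_with_label("System::Service", 65534, 65534, cmd);
    fprintf(stderr, "exec failed: %s\n", strerror(-r));
    return 1;
}
```

Once setuid() has run, the child no longer has CAP_MAC_OVERRIDE or CAP_MAC_ADMIN, so the exec of a binary carrying its own SMACK64 label is decided purely by the Smack rule between the process label set above and the file's label; that is the check the unpatched code fails while still labelled "_".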