author | José Bollo <jose.bollo@iot.bzh> | 2017-10-12 22:56:13 +0200 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2018-02-13 11:02:00 +0100 |
commit | d66aadf0e51739cd13ebe3eb9c491e743ef1358d (patch) | |
tree | 6a04997644cf0919cb9bf1f837701f6569bfe445 | |
parent | 98637b7b01106de98aacc2b531f92c0883b381ee (diff) |
systemd: earlier smack label switch
This patch was submitted and accepted upstream.
It allows systemd to set the smack label of the
executed process.
See https://github.com/systemd/systemd/pull/7378
Bug-AGL: SPEC-1014
Change-Id: Ia9c437cdaf1fea95ae048e2be5067d6fe218693f
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-rw-r--r-- | meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch | 52 | ||||
-rw-r--r-- | meta-agl/recipes-core/systemd/systemd_234.bbappend | 6 |
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
new file mode 100644
index 000000000..46445be73
--- /dev/null
+++ b/meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
@@ -0,0 +1,52 @@
+From 6cc74075797edb6f698cb7f312bb1c3d8cc6cb28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 12 Oct 2017 17:17:56 +0200
+Subject: [PATCH] Switch Smack label earlier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Switching label after removing capability isn't
+possible.
+
+Change-Id: Ib7dac8f071f36119520ed3205d743c1e3df3cd5e
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/core/execute.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index d72e5bf08..0abffd569 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -2707,6 +2707,13 @@ static int exec_child(
+ }
+ }
+
++ r = setup_smack(context, command);
++ if (r < 0) {
++ *exit_status = EXIT_SMACK_PROCESS_LABEL;
++ *error_message = strdup("Failed to set SMACK process label");
++ return r;
++ }
++
+ if (!cap_test_all(context->capability_bounding_set)) {
+ r = capability_bounding_set_drop(context->capability_bounding_set, false);
+ if (r < 0) {
+@@ -2775,13 +2782,6 @@ static int exec_child(
+ }
+ #endif
+
+- r = setup_smack(context, command);
+- if (r < 0) {
+- *exit_status = EXIT_SMACK_PROCESS_LABEL;
+- *error_message = strdup("Failed to set SMACK process label");
+- return r;
+- }
+-
+ #ifdef HAVE_APPARMOR
+ if (context->apparmor_profile && mac_apparmor_use()) {
+ r = aa_change_onexec(context->apparmor_profile);
+--
+2.14.3
+
diff --git a/meta-agl/recipes-core/systemd/systemd_234.bbappend b/meta-agl/recipes-core/systemd/systemd_234.bbappend
new file mode 100644
index 000000000..4df7684d0
--- /dev/null
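Review bot: The relocated `setup_smack()` call in the first execute.c hunk of the embedded patch has no comment saying why it must run before `capability_bounding_set_drop()`, so a later reorder could silently bring back the failure the patch description mentions. I would add above the call: `/* Switch the Smack label while the capabilities are still held; it cannot be changed once the bounding set is dropped. */`. The label switch now happens roughly 70 lines earlier in `exec_child()`, and both that stretch and the rest of the function lie outside the two hunks, so it is worth confirming that no step in between needs access the new label would be denied. If this layer follows the OE patch-header convention, the patch header could also carry `Upstream-Status: Backport [https://github.com/systemd/systemd/pull/7378]`, so the provenance stated in the commit message travels with the file.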
+++ b/meta-agl/recipes-core/systemd/systemd_234.bbappend
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "\
+ file://0001-Switch-Smack-label-earlier.patch \
+"
+ |