aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosé Bollo <jose.bollo@iot.bzh>2017-10-12 22:56:13 +0200
committerJosé Bollo <jose.bollo@iot.bzh>2018-02-13 11:02:00 +0100
commitd66aadf0e51739cd13ebe3eb9c491e743ef1358d (patch)
tree6a04997644cf0919cb9bf1f837701f6569bfe445
parent98637b7b01106de98aacc2b531f92c0883b381ee (diff)
systemd: earlier smack label switch
This patch was submitted and accepted upstream. It allows systemd to set the smack label of the executed process. See https://github.com/systemd/systemd/pull/7378 Bug-AGL: SPEC-1014 Change-Id: Ia9c437cdaf1fea95ae048e2be5067d6fe218693f Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-rw-r--r--meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch52
-rw-r--r--meta-agl/recipes-core/systemd/systemd_234.bbappend6
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
new file mode 100644
index 000000000..46445be73
--- /dev/null
+++ b/meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
@@ -0,0 +1,52 @@
+From 6cc74075797edb6f698cb7f312bb1c3d8cc6cb28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 12 Oct 2017 17:17:56 +0200
+Subject: [PATCH] Switch Smack label earlier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Switching label after removing capability isn't
+possible.
+
+Change-Id: Ib7dac8f071f36119520ed3205d743c1e3df3cd5e
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/core/execute.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index d72e5bf08..0abffd569 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -2707,6 +2707,13 @@ static int exec_child(
+ }
+ }
+
++ r = setup_smack(context, command);
++ if (r < 0) {
++ *exit_status = EXIT_SMACK_PROCESS_LABEL;
++ *error_message = strdup("Failed to set SMACK process label");
++ return r;
++ }
++
+ if (!cap_test_all(context->capability_bounding_set)) {
+ r = capability_bounding_set_drop(context->capability_bounding_set, false);
+ if (r < 0) {
+@@ -2775,13 +2782,6 @@ static int exec_child(
+ }
+ #endif
+
+- r = setup_smack(context, command);
+- if (r < 0) {
+- *exit_status = EXIT_SMACK_PROCESS_LABEL;
+- *error_message = strdup("Failed to set SMACK process label");
+- return r;
+- }
+-
+ #ifdef HAVE_APPARMOR
+ if (context->apparmor_profile && mac_apparmor_use()) {
+ r = aa_change_onexec(context->apparmor_profile);
+--
+2.14.3
+
diff --git a/meta-agl/recipes-core/systemd/systemd_234.bbappend b/meta-agl/recipes-core/systemd/systemd_234.bbappend
new file mode 100644
index 000000000..4df7684d0
--- /dev/null
+++ b/meta-agl/recipes-core/systemd/systemd_234.bbappend
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "\
+ file://0001-Switch-Smack-label-earlier.patch \
+"
+