From aa5ae9711ef3cd0c69b7fcfbd65bca05fb704a8a Mon Sep 17 00:00:00 2001 From: =?utf8?q?=C5=81ukasz=20Stelmach?= Date: Wed, 6 Jul 2022 13:09:51 +0200 Subject: [PATCH] smack: Add DefaultSmackProcessLabel to user.conf and system.conf DefaultSmackProcessLabel tells systemd what label to assign to its child process in case SmackProcessLabel is not set in the service file. By default, when DefaultSmackProcessLabel is not set child processes inherit label from systemd. If DefaultSmackProcessLabel is set to "/" (which is an invalid character for a SMACK label) the DEFAULT_SMACK_PROCESS_LABEL set during compilation is ignored and systemd act as if the option was unset. --- man/systemd-system.conf.xml | 12 ++++++++++++ meson.build | 5 +++++ meson_options.txt | 2 ++ src/core/execute.c | 10 ++++------ src/core/main.c | 9 +++++++++ src/core/manager.c | 15 +++++++++++++++ src/core/manager.h | 4 ++++ src/core/system.conf.in | 1 + src/core/user.conf.in | 1 + 9 files changed, 53 insertions(+), 6 deletions(-) diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 3fe2cbfdea0..ef311f1971f 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -525,6 +525,18 @@ details. Note that this setting has no effect on the OOM score adjustment value of the service manager process itself, it retains the original value set during its invocation. + + + DefaultSmackProcessLabel= + + Takes a security label as the argument. The process executed + by a unit will be started under this label if SmackProcessLabel= is not set in the + unit. See systemd.exec5 + for the details. + + If the value is /, only labels specified with SmackProcessLabel= + are assigned and the compile-time default is ignored. + diff --git a/meson.build b/meson.build index 7db7e5ea1d9..b4fd3692413 100644 --- a/meson.build +++ b/meson.build 
@@ -1167,6 +1167,11 @@ if have
 conf.set_quoted('SMACK_RUN_LABEL', get_option('smack-run-label'))
 endif
 
+have = get_option('smack') and get_option('smack-default-process-label') != ''
+if have
+ conf.set_quoted('SMACK_DEFAULT_PROCESS_LABEL', get_option('smack-default-process-label'))
+endif
+
 want_polkit = get_option('polkit')
 install_polkit = false
 install_polkit_pkla = false
diff --git a/meson_options.txt b/meson_options.txt
index adaedf3ce80..628ca1d797c 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -352,6 +352,8 @@ option('smack', type : 'boolean',
 description : 'SMACK support')
 option('smack-run-label', type : 'string',
 description : 'run systemd --system itself with a specific SMACK label')
+option('smack-default-process-label', type : 'string',
+ description : 'default SMACK label for executed processes')
 option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
 description : 'polkit support')
 option('ima', type : 'boolean',
diff --git a/src/core/execute.c b/src/core/execute.c
index 3be219fe1c9..64b290d3e79 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3240,6 +3240,7 @@ static int setup_credentials(
 #if ENABLE_SMACK
 static int setup_smack(
+ const Manager *manager,
 const ExecContext *context,
 int executable_fd) {
 
 int r;
@@ -3251,20 +3252,17 @@ static int setup_smack(
 r = mac_smack_apply_pid(0, context->smack_process_label);
 if (r < 0)
 return r;
- }
-#ifdef SMACK_DEFAULT_PROCESS_LABEL
- else {
+ } else if (manager->default_smack_process_label) {
 _cleanup_free_ char *exec_label = NULL;
 
 r = mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, &exec_label);
 if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
 return r;
 
- r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
+ r = mac_smack_apply_pid(0, exec_label ? : manager->default_smack_process_label);
 if (r < 0)
 return r;
 }
-#endif
 
 return 0;
 }
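Review bot: In the new `else if` branch an executable's own SMACK64EXEC attribute, read via `mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, ...)`, still takes precedence over `manager->default_smack_process_label`, so the configured default is only a fallback for binaries that carry no such xattr; neither the code nor the man page text in this patch says so, and an administrator who sets a restrictive default may not expect per-binary labels to override it. I would state that on the branch: `/* A SMACK64EXEC label on the binary wins; the manager-wide default is only applied when the executable carries none. */`. The new `manager` parameter is also dereferenced without an `assert(manager);` next to whatever asserts the function already has in the lines between the two hunks, which are outside this view. setup_smack's signature is in the preceding hunk and its body is cut by both hunks.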
@@ -4853,7 +4851,7 @@ static int exec_child(
 /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
 * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
 if (use_smack) {
- r = setup_smack(context, executable_fd);
+ r = setup_smack(unit->manager, context, executable_fd);
 if (r < 0 && !context->smack_process_label_ignore) {
 *exit_status = EXIT_SMACK_PROCESS_LABEL;
 return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
diff --git a/src/core/main.c b/src/core/main.c
index aee66051db8..72d86d3efd0 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -170,6 +170,7 @@ static void *arg_random_seed;
 static size_t arg_random_seed_size;
 static int arg_default_oom_score_adjust;
 static bool arg_default_oom_score_adjust_set;
+static char *arg_default_smack_process_label;
 
 /* A copy of the original environment block */
 static char **saved_env = NULL;
@@ -658,6 +659,11 @@ static int parse_config_file(void) {
 { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action },
 { "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy },
 { "Manager", "DefaultOOMScoreAdjust", config_parse_oom_score_adjust, 0, NULL },
+#if ENABLE_SMACK
+ { "Manager", "DefaultSmackProcessLabel", config_parse_string, 0, &arg_default_smack_process_label },
+#else
+ { "Manager", "DefaultSmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, NULL },
+#endif
 {}
 };
 
@@ -731,6 +737,8 @@ static void set_manager_defaults(Manager *m) {
 m->default_oom_score_adjust_set = arg_default_oom_score_adjust_set;
 m->default_oom_score_adjust = arg_default_oom_score_adjust;
 
+ (void) manager_set_default_smack_process_label(m, arg_default_smack_process_label);
+
 (void) manager_set_default_rlimits(m, arg_default_rlimit);
 (void) manager_default_environment(m);
 
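Review bot: The new table entry registers `DefaultSmackProcessLabel` for whichever instance parses this file, and the patch adds the key to user.conf.in as well, yet the comment in the exec_child hunk above says changing the execution label needs CAP_MAC_ADMIN, which an unprivileged user manager will normally not hold. A label set in user.conf therefore looks like it would make every user unit without `SmackProcessLabel=` fail with EXIT_SMACK_PROCESS_LABEL instead of running relabeled, unless the user instance keeps a capability I am not seeing here. I would either honour the key only in the system instance and warn about it otherwise, or say explicitly in the man page entry that the setting is effective for the system manager only. parse_config_file's table begins before this hunk.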
@@ -2421,6 +2429,7 @@ static void reset_arguments(void) {
 arg_clock_usec = 0;
 
 arg_default_oom_score_adjust_set = false;
+ arg_default_smack_process_label = mfree(arg_default_smack_process_label);
 }
 
 static void determine_default_oom_score_adjust(void) {
diff --git a/src/core/manager.c b/src/core/manager.c
index c7598b1e2af..e7e077dcf0e 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -1549,6 +1549,8 @@ Manager* manager_free(Manager *m) {
 free(m->switch_root);
 free(m->switch_root_init);
 
+ free(m->default_smack_process_label);
+
 rlimit_free_all(m->rlimit);
 
 assert(hashmap_isempty(m->units_requiring_mounts_for));
@@ -3880,6 +3882,19 @@ int manager_get_effective_environment(Manager *m, char ***ret) {
 return 0;
 }
 
+int manager_set_default_smack_process_label(Manager *m, const char *label) {
+ assert(m);
+
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+ if (!label)
+ return free_and_strdup(&m->default_smack_process_label, SMACK_DEFAULT_PROCESS_LABEL);
+#endif
+ if (streq_ptr(label, "/"))
+ return free_and_strdup(&m->default_smack_process_label, NULL);
+
+ return free_and_strdup(&m->default_smack_process_label, label);
+}
+
 int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit) {
 assert(m);
 
diff --git a/src/core/manager.h b/src/core/manager.h
index fd5da52b7f9..63cff7989d4 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -457,6 +457,8 @@ struct Manager {
 
 /* Reference to RestrictFileSystems= BPF program */
 struct restrict_fs_bpf *restrict_fs;
+
+ char *default_smack_process_label;
 };
 
 static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
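Review bot: `manager_set_default_smack_process_label()` special-cases only the `/` sentinel; any other string coming from system.conf is stored unchanged, so a malformed label (the kernel, as far as I recall, refuses labels that contain `/`, quotes, backslashes or whitespace, that start with `-`, or that exceed 255 bytes) is accepted here and only surfaces later as a `mac_smack_apply_pid()` failure in every unit lacking `SmackProcessLabel=`. Because the caller in set_manager_defaults discards the result with `(void)`, a rejection from this function would also go unnoticed, so the check belongs at parse time or the call site needs a log line. At minimum I would refuse obviously bad input before storing it, `if (label && !streq(label, "/") && (label[0] == '-' || strpbrk(label, "\"\\' \t\n") || strlen(label) > 255)) return -EINVAL;`, and turn the `(void)` cast in main.c into a `log_warning_errno()` on failure.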
@@ -509,6 +511,8 @@ int manager_transient_environment_add(Manager *m, char **plus);
 int manager_client_environment_modify(Manager *m, char **minus, char **plus);
 int manager_get_effective_environment(Manager *m, char ***ret);
 
+int manager_set_default_smack_process_label(Manager *m, const char *label);
+
 int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit);
 
 void manager_trigger_run_queue(Manager *m);
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 67e55f10a29..ae1b47b2ba3 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -74,3 +74,4 @@
 #DefaultLimitRTPRIO=
 #DefaultLimitRTTIME=
 #DefaultOOMPolicy=stop
+#DefaultSmackProcessLabel=
diff --git a/src/core/user.conf.in b/src/core/user.conf.in
index e0a7703525c..c29068828cb 100644
--- a/src/core/user.conf.in
+++ b/src/core/user.conf.in
@@ -47,3 +47,4 @@
 #DefaultLimitNICE=
 #DefaultLimitRTPRIO=
 #DefaultLimitRTTIME=
+#DefaultSmackProcessLabel=
-- 
2.39.2