}
}
+#if ENABLE_SMACK
+ /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
+ * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
+ if (use_smack) {
+ r = setup_smack(context, command);
+ if (r < 0) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
+ }
+ }
+#endif
+
bset = context->capability_bounding_set;
/* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
* our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
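Review bot: The new comment at the top of the SMACK block states an ordering invariant ("latest place before dropping capabilities") that only the code below it enforces; nothing marks the bounding-set application as depending on it, so a later reorder could silently move the label change past the capability drop and break `setup_smack()` with a permission error. Suggest mirroring the constraint where `context->capability_bounding_set` is applied, e.g. `/* Must stay after setup_smack(): changing the Smack label needs CAP_MAC_ADMIN, which is dropped here. */`. A second effect of the move is that every step between this block and the remaining MAC setup now runs under the service's Smack label rather than the manager's; if any of those steps open Smack-protected objects, they could now be denied where they previously were not, which is worth confirming on a Smack-enabled system. Whether `use_smack` is still gated on sandboxing being requested at the new location cannot be seen from this hunk; the enclosing function begins and ends outside it.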
}
if (needs_sandboxing) {
- /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
+ /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
* influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
* syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
* are restricted. */
}
#endif
-#if ENABLE_SMACK
- if (use_smack) {
- r = setup_smack(context, command);
- if (r < 0) {
- *exit_status = EXIT_SMACK_PROCESS_LABEL;
- return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
- }
- }
-#endif
-
#if HAVE_APPARMOR
if (use_apparmor && context->apparmor_profile) {
r = aa_change_onexec(context->apparmor_profile);