details. Note that this setting has no effect on the OOM score adjustment value of the service
manager process itself, it retains the original value set during its invocation.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>DefaultSmackProcessLabel=</varname></term>
+
+ <listitem><para>Takes a <option>SMACK64</option> security label as the argument. The process executed
+ by a unit will be started under this label if <varname>SmackProcessLabel=</varname> is not set in the
+ unit. See <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for the details.</para>
+
+ <para>If the value is <literal>/</literal>, only labels specified with <varname>SmackProcessLabel=</varname>
+ are assigned and the compile-time default is ignored.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
conf.set_quoted('SMACK_RUN_LABEL', get_option('smack-run-label'))
endif
+have = get_option('smack') and get_option('smack-default-process-label') != ''
+if have
+ conf.set_quoted('SMACK_DEFAULT_PROCESS_LABEL', get_option('smack-default-process-label'))
+endif
+
want_polkit = get_option('polkit')
install_polkit = false
install_polkit_pkla = false
description : 'SMACK support')
option('smack-run-label', type : 'string',
description : 'run systemd --system itself with a specific SMACK label')
+option('smack-default-process-label', type : 'string',
+ description : 'default SMACK label for executed processes')
option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
description : 'polkit support')
option('ima', type : 'boolean',
#if ENABLE_SMACK
static int setup_smack(
+ const Manager *manager,
const ExecContext *context,
int executable_fd) {
int r;
r = mac_smack_apply_pid(0, context->smack_process_label);
if (r < 0)
return r;
- }
-#ifdef SMACK_DEFAULT_PROCESS_LABEL
- else {
+ } else if (manager->default_smack_process_label) {
_cleanup_free_ char *exec_label = NULL;
r = mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, &exec_label);
if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
return r;
- r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
+ r = mac_smack_apply_pid(0, exec_label ? : manager->default_smack_process_label);
if (r < 0)
return r;
}
-#endif
return 0;
}
/* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
* process. This is the latest place before dropping capabilities. Other MAC context are set later. */
if (use_smack) {
- r = setup_smack(context, executable_fd);
+ r = setup_smack(unit->manager, context, executable_fd);
if (r < 0 && !context->smack_process_label_ignore) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
static size_t arg_random_seed_size;
static int arg_default_oom_score_adjust;
static bool arg_default_oom_score_adjust_set;
+static char *arg_default_smack_process_label;
/* A copy of the original environment block */
static char **saved_env = NULL;
{ "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action },
{ "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy },
{ "Manager", "DefaultOOMScoreAdjust", config_parse_oom_score_adjust, 0, NULL },
+#if ENABLE_SMACK
+ { "Manager", "DefaultSmackProcessLabel", config_parse_string, 0, &arg_default_smack_process_label },
+#else
+ { "Manager", "DefaultSmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, NULL },
+#endif
{}
};
m->default_oom_score_adjust_set = arg_default_oom_score_adjust_set;
m->default_oom_score_adjust = arg_default_oom_score_adjust;
+ (void) manager_set_default_smack_process_label(m, arg_default_smack_process_label);
+
(void) manager_set_default_rlimits(m, arg_default_rlimit);
(void) manager_default_environment(m);
arg_clock_usec = 0;
arg_default_oom_score_adjust_set = false;
+ arg_default_smack_process_label = mfree(arg_default_smack_process_label);
}
static void determine_default_oom_score_adjust(void) {
free(m->switch_root);
free(m->switch_root_init);
+ free(m->default_smack_process_label);
+
rlimit_free_all(m->rlimit);
assert(hashmap_isempty(m->units_requiring_mounts_for));
return 0;
}
+int manager_set_default_smack_process_label(Manager *m, const char *label) {
+ assert(m);
+
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+ if (!label)
+ return free_and_strdup(&m->default_smack_process_label, SMACK_DEFAULT_PROCESS_LABEL);
+#endif
+ if (streq_ptr(label, "/"))
+ return free_and_strdup(&m->default_smack_process_label, NULL);
+
+ return free_and_strdup(&m->default_smack_process_label, label);
+}
+
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit) {
assert(m);
/* Reference to RestrictFileSystems= BPF program */
struct restrict_fs_bpf *restrict_fs;
+
+ char *default_smack_process_label;
};
static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
int manager_client_environment_modify(Manager *m, char **minus, char **plus);
int manager_get_effective_environment(Manager *m, char ***ret);
+int manager_set_default_smack_process_label(Manager *m, const char *label);
+
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit);
void manager_trigger_run_queue(Manager *m);
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
#DefaultOOMPolicy=stop
+#DefaultSmackProcessLabel=
#DefaultLimitNICE=
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
+#DefaultSmackProcessLabel=
projects / thirdparty / systemd.git / commitdiff
