smack: add default smack process label config

Similar to SmackProcessLabel=, if this configuration is set, systemd
executes processes with given SMACK label. If unit has
SmackProcessLabel=, this config is overwritten.
But, do NOT be confused with SMACK64EXEC of execute file. This default
execute process label(and also label which is set by
SmackProcessLabel=) is set fork-ed process SMACK subject label and
used to access the execute file.
If the execution file has also SMACK64EXEC, finally executed process
has SMACK64EXEC subject.
While if the execution file has no SMACK64EXEC, the executed process
has label of this config(or label which is set by
SmackProcessLabel=). Because if execution file has no SMACK64EXEC then
excuted process inherits label from caller process(in this case, the
caller is systemd).

diff --git a/configure.ac b/configure.ac
index 8b1e275d27395a0bcbf362c468bd869ff7ac5b52..88b52c45fe18053d6d9394fc2d64d451c9a95420 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -673,8 +673,14 @@ fi
 
 AC_ARG_WITH(smack-run-label,
 AS_HELP_STRING([--with-smack-run-label=STRING],
-        [run systemd --system with a specific SMACK label]),
-        [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run with a smack label])],
+        [run systemd --system itself with a specific SMACK label]),
+        [AC_DEFINE_UNQUOTED(SMACK_RUN_LABEL, ["$withval"], [Run systemd itself with SMACK label])],
+        [])
+
+AC_ARG_WITH(smack-default-process-label,
+AS_HELP_STRING([--with-smack-default-process-label=STRING],
+        [default SMACK label for executed processes]),
+        [AC_DEFINE_UNQUOTED(SMACK_DEFAULT_PROCESS_LABEL, ["$withval"], [Default SMACK label for executed processes])],
         [])
 
 if test "x${have_smack}" = xyes ; then

diff --git a/src/core/execute.c b/src/core/execute.c
index 94cc10173825df7a56101030b162cd9248be438e..c92db51330c5965c10ec111832ef3c63b61584fb 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1717,6 +1717,15 @@ static int exec_child(
                                 return r;
                         }
                 }
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+                else {
+                        r = mac_smack_apply_pid(0, SMACK_DEFAULT_PROCESS_LABEL);
+                        if (r < 0) {
+                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
+                                return r;
+                        }
+                }
+#endif
 #endif
 
                 if (context->user) {