From: WaLyong Cho Date: Mon, 27 Jul 2015 17:55:35 +0000 (+0900) Subject: core: set default process label only exec label is none X-Git-Tag: v225~117^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F860%2Fhead;p=thirdparty%2Fsystemd.git core: set default process label only exec label is none When command path has access label and no SmackProcessLabel= is not set, default process label will be set. But if the default process label has no rule for the access label of the command path then smack access error will be occurred. So, if the command path has execute label then the child have to set its label to the same of execute label of command path instead of default process label.
---
diff --git a/src/core/execute.c b/src/core/execute.c
index 21721dc2407..f14ae4d8a6d 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1719,7 +1719,15 @@ static int exec_child(
 }
 #ifdef SMACK_DEFAULT_PROCESS_LABEL
 else {
- r = mac_smack_apply_pid(0, SMACK_DEFAULT_PROCESS_LABEL);
+ _cleanup_free_ char *exec_label = NULL;
+
+ r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
+ if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+
+ r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
 if (r < 0) {
 *exit_status = EXIT_SMACK_PROCESS_LABEL;
 return r;
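Review bot: The new `mac_smack_read()` check tolerates `-ENODATA` and `-EOPNOTSUPP` without saying why, so a reader cannot tell that these are the two cases in which the child still gets `SMACK_DEFAULT_PROCESS_LABEL`; a comment above the `if` such as `/* No exec label on the binary, or no xattr support: fall back to the default process label */` would make the fallback explicit. It is also worth recording at the `mac_smack_apply_pid()` call that the child's label now comes from an attribute of `command->path` rather than a build-time constant, e.g. `/* Label comes from the executable's SMACK_ATTR_EXEC xattr, read here before the exec */`, since that changes what decides the domain a service runs in when `SmackProcessLabel=` is unset. The `else` block and `exec_child()` both start and end outside the hunk.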