core/exec: Restore SmackProcessLabel setting (#7378)

Smack LSM needs the capability CAP_MAC_ADMIN to allow
setting of the current Smack exec label. Consequently,
dropping capabilities must be done after changing the
current exec label.

This only concerns the Smack LSM, but for clarity and
regularity, all setting of the security context is moved
before dropping capabilities.

See Issue 7108
jobol 2017-11-21 12:01:13 +01:00 committed by Lennart Poettering
parent 54c552eae6
commit 37ac2744cc
1 changed files with 13 additions and 11 deletions


@ -3205,6 +3205,18 @@ static int exec_child(
}
}
#if ENABLE_SMACK
/* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
* process. This is the latest place before dropping capabilities. Other MAC context are set later. */
if (use_smack) {
r = setup_smack(context, command);
if (r < 0) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
}
}
#endif
bset = context->capability_bounding_set;
/* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
* our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
@ -3265,7 +3277,7 @@ static int exec_child(
}
if (needs_sandboxing) {
/* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
/* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
* influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
* syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
* are restricted. */
@ -3284,16 +3296,6 @@ static int exec_child(
}
#endif
#if ENABLE_SMACK
if (use_smack) {
r = setup_smack(context, command);
if (r < 0) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
}
}
#endif
#if HAVE_APPARMOR
if (use_apparmor && context->apparmor_profile) {
r = aa_change_onexec(context->apparmor_profile);