diff --git a/src/core/execute.c b/src/core/execute.c
index 4d19efb719..9bdcb1abbf 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3205,6 +3205,18 @@ static int exec_child(
 }
 }
 
+#if ENABLE_SMACK
+ /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
+ * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
+ if (use_smack) {
+ r = setup_smack(context, command);
+ if (r < 0) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
+ }
+ }
+#endif
+
 bset = context->capability_bounding_set;
 /* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
 * our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
@@ -3265,7 +3277,7 @@ static int exec_child(
 }
 
 if (needs_sandboxing) {
- /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
+ /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
 * are restricted. */
@@ -3284,16 +3296,6 @@ static int exec_child(
 }
 #endif
 
-#if ENABLE_SMACK
- if (use_smack) {
- r = setup_smack(context, command);
- if (r < 0) {
- *exit_status = EXIT_SMACK_PROCESS_LABEL;
- return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
- }
- }
-#endif
-
 #if HAVE_APPARMOR
 if (use_apparmor && context->apparmor_profile) {
 r = aa_change_onexec(context->apparmor_profile);
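Review bot: The relocated SMACK block at `+ if (use_smack) {` is guarded only by `use_smack`, whereas the copy removed at 3284 appears to have sat inside the `if (needs_sandboxing)` branch opened in the second hunk, so the process label would now be applied to every command, including ones for which sandboxing is skipped. If that broadening is not intended, write the guard as `if (needs_sandboxing && use_smack) {`; if it is intended, the new comment should say explicitly that the label is set unconditionally because CAP_MAC_ADMIN is no longer available once the bounding set below is applied. While touching that comment, `Other MAC context are set later.` should read `Other MAC contexts are set later.`. exec_child starts and ends outside this hunk, so the exact placement of the old block relative to `needs_sandboxing` cannot be confirmed from the visible lines.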