From 37ac2744ccc4c1ab7c854cebfbf8e086925f6540 Mon Sep 17 00:00:00 2001
From: jobol
Date: Tue, 21 Nov 2017 12:01:13 +0100
Subject: [PATCH] core/exec: Restore SmackProcessLabel setting (#7378)

Smack LSM needs the capability CAP_MAC_ADMIN to allow setting of the current Smack exec label. Consequently, dropping capabilities must be done after changing the current exec label.

This is only related to Smack LSM. But for clarity and regularity, all setting of security context moved before dropping capabilities.

See Issue 7108
---
 src/core/execute.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/src/core/execute.c b/src/core/execute.c
index 4d19efb719..9bdcb1abbf 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3205,6 +3205,18 @@ static int exec_child(
 }
 }
 
+#if ENABLE_SMACK
+ /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
+ * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
+ if (use_smack) {
+ r = setup_smack(context, command);
+ if (r < 0) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
+ }
+ }
+#endif
+
 bset = context->capability_bounding_set;
 /* If the ambient caps hack is enabled (which means the kernel can't do them, and the user asked for
 * our magic fallback), then let's add some extra caps, so that the service can drop privs of its own,
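Review bot: The relocated `setup_smack()` call is guarded only by `if (use_smack)`, while its previous position (the block removed in the third hunk) sat inside `if (needs_sandboxing)`; unless `use_smack` is itself only set under that condition elsewhere in exec_child, which is not visible here, the process label would now also be applied to commands that skip sandboxing, so this is worth confirming. The new comment should also tell a maintainer where the remaining contexts went, e.g. `Other MAC contexts (AppArmor and the rest) are still applied later, inside the needs_sandboxing block.` in place of its last sentence. exec_child's body begins and ends outside this hunk.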
@@ -3265,7 +3277,7 @@ static int exec_child(
 }
 
 if (needs_sandboxing) {
- /* Apply the MAC contexts late, but before seccomp syscall filtering, as those should really be last to
+ /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
 * influence our own codepaths as little as possible. Moreover, applying MAC contexts usually requires
 * syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
 * are restricted. */
@@ -3284,16 +3296,6 @@ static int exec_child(
 }
 #endif
 
-#if ENABLE_SMACK
- if (use_smack) {
- r = setup_smack(context, command);
- if (r < 0) {
- *exit_status = EXIT_SMACK_PROCESS_LABEL;
- return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
- }
- }
-#endif
-
 #if HAVE_APPARMOR
 if (use_apparmor && context->apparmor_profile) {
 r = aa_change_onexec(context->apparmor_profile);