smack: label /etc/passwd and friends as '_' smack label when --with-smack-run-label' is enabled

systemd-sysusers.service unit creates system users and groups and it could update /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow. Those files should have '_' smack label because of accessibility. However, if systemd has its own smack label using '--with-smack-run-label' configuration, systemd-sysusers process spawned by systemd(pid:1) has its parent smack label and eventually updated files also is set as its parent smack label. This patch fixes that bug by labeling updated files as '_' smack label when --with-smack-run-label' is enabled.
2015-10-06 19:08:16 +09:00 · 2015-10-06 19:08:16 +09:00 · c02e7b1ecc
parent 69b8a8ebae
commit c02e7b1ecc
3 changed files with 25 additions and 15 deletions
--- a/src/basic/smack-util.c
+++ b/src/basic/smack-util.c
@ -29,9 +29,6 @@
 #include "fileio.h"
 #include "smack-util.h"

-#define SMACK_FLOOR_LABEL "_"
-#define SMACK_STAR_LABEL  "*"
-
 #ifdef HAVE_SMACK
 bool mac_smack_use(void) {
        static int cached_use = -1;
--- a/src/basic/smack-util.h
+++ b/src/basic/smack-util.h
@ -27,6 +27,9 @@

 #include "macro.h"

+#define SMACK_FLOOR_LABEL "_"
+#define SMACK_STAR_LABEL  "*"
+
 typedef enum SmackAttr {
        SMACK_ATTR_ACCESS = 0,
        SMACK_ATTR_EXEC = 1,
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@ -38,6 +38,7 @@
 #include "uid-range.h"
 #include "utf8.h"
 #include "util.h"
+#include "smack-util.h"

 typedef enum ItemType {
        ADD_USER = 'u',
@ -352,6 +353,19 @@ static int sync_rights(FILE *from, FILE *to) {
        return 0;
 }

+static int rename_and_apply_smack(const char *temp_path, const char *dest_path) {
+        int r = 0;
+        if (rename(temp_path, dest_path) < 0)
+                return -errno;
+
+#ifdef SMACK_RUN_LABEL
+        r = mac_smack_apply(dest_path, SMACK_ATTR_ACCESS, SMACK_FLOOR_LABEL);
+        if (r < 0)
+                return r;
+#endif
+        return r;
+}
+
 static int write_files(void) {

        _cleanup_fclose_ FILE *passwd = NULL, *group = NULL, *shadow = NULL, *gshadow = NULL;
@ -698,36 +712,32 @@ static int write_files(void) {
        /* And make the new files count */
        if (group_changed) {
                if (group) {
-                        if (rename(group_tmp, group_path) < 0) {
-                                r = -errno;
+                        r = rename_and_apply_smack(group_tmp, group_path);
+                        if (r < 0)
                                goto finish;
-                        }

                        group_tmp = mfree(group_tmp);
                }
                if (gshadow) {
-                        if (rename(gshadow_tmp, gshadow_path) < 0) {
-                                r = -errno;
+                        r = rename_and_apply_smack(gshadow_tmp, gshadow_path);
+                        if (r < 0)
                                goto finish;
-                        }

                        gshadow_tmp = mfree(gshadow_tmp);
                }
        }

        if (passwd) {
-                if (rename(passwd_tmp, passwd_path) < 0) {
-                        r = -errno;
+                r = rename_and_apply_smack(passwd_tmp, passwd_path);
+                if (r < 0)
                        goto finish;
-                }

                passwd_tmp = mfree(passwd_tmp);
        }
        if (shadow) {
-                if (rename(shadow_tmp, shadow_path) < 0) {
-                        r = -errno;
+                r = rename_and_apply_smack(shadow_tmp, shadow_path);
+                if (r < 0)
                        goto finish;
-                }

                shadow_tmp = mfree(shadow_tmp);
        }