smack: label /etc/passwd and friends with the '_' smack label when '--with-smack-run-label' is enabled
The systemd-sysusers.service unit creates system users and groups and may rewrite /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow. Those files should carry the '_' (floor) smack label so that they stay accessible to other processes. However, when systemd is built with its own smack label via the '--with-smack-run-label' configuration, the systemd-sysusers process spawned by systemd (PID 1) inherits its parent's smack label, and the files it rewrites end up labeled with that parent label as well. This patch fixes that bug by labeling the rewritten files with the '_' smack label when '--with-smack-run-label' is enabled.
parent
69b8a8ebae
commit
c02e7b1ecc
@ -29,9 +29,6 @@
|
|||
#include "fileio.h"
|
||||
#include "smack-util.h"
|
||||
|
||||
#define SMACK_FLOOR_LABEL "_"
|
||||
#define SMACK_STAR_LABEL "*"
|
||||
|
||||
#ifdef HAVE_SMACK
|
||||
bool mac_smack_use(void) {
|
||||
static int cached_use = -1;
|
||||
|
|
|
@ -27,6 +27,9 @@
|
|||
|
||||
#include "macro.h"
|
||||
|
||||
#define SMACK_FLOOR_LABEL "_"
|
||||
#define SMACK_STAR_LABEL "*"
|
||||
|
||||
typedef enum SmackAttr {
|
||||
SMACK_ATTR_ACCESS = 0,
|
||||
SMACK_ATTR_EXEC = 1,
|
||||
|
|
|
@ -38,6 +38,7 @@
|
|||
#include "uid-range.h"
|
||||
#include "utf8.h"
|
||||
#include "util.h"
|
||||
#include "smack-util.h"
|
||||
|
||||
typedef enum ItemType {
|
||||
ADD_USER = 'u',
|
||||
|
@ -352,6 +353,19 @@ static int sync_rights(FILE *from, FILE *to) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int rename_and_apply_smack(const char *temp_path, const char *dest_path) {
|
||||
int r = 0;
|
||||
if (rename(temp_path, dest_path) < 0)
|
||||
return -errno;
|
||||
|
||||
#ifdef SMACK_RUN_LABEL
|
||||
r = mac_smack_apply(dest_path, SMACK_ATTR_ACCESS, SMACK_FLOOR_LABEL);
|
||||
if (r < 0)
|
||||
return r;
|
||||
#endif
|
||||
return r;
|
||||
}
|
||||
|
||||
static int write_files(void) {
|
||||
|
||||
_cleanup_fclose_ FILE *passwd = NULL, *group = NULL, *shadow = NULL, *gshadow = NULL;
|
||||
|
@ -698,36 +712,32 @@ static int write_files(void) {
|
|||
/* And make the new files count */
|
||||
if (group_changed) {
|
||||
if (group) {
|
||||
if (rename(group_tmp, group_path) < 0) {
|
||||
r = -errno;
|
||||
r = rename_and_apply_smack(group_tmp, group_path);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
}
|
||||
|
||||
group_tmp = mfree(group_tmp);
|
||||
}
|
||||
if (gshadow) {
|
||||
if (rename(gshadow_tmp, gshadow_path) < 0) {
|
||||
r = -errno;
|
||||
r = rename_and_apply_smack(gshadow_tmp, gshadow_path);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
}
|
||||
|
||||
gshadow_tmp = mfree(gshadow_tmp);
|
||||
}
|
||||
}
|
||||
|
||||
if (passwd) {
|
||||
if (rename(passwd_tmp, passwd_path) < 0) {
|
||||
r = -errno;
|
||||
r = rename_and_apply_smack(passwd_tmp, passwd_path);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
}
|
||||
|
||||
passwd_tmp = mfree(passwd_tmp);
|
||||
}
|
||||
if (shadow) {
|
||||
if (rename(shadow_tmp, shadow_path) < 0) {
|
||||
r = -errno;
|
||||
r = rename_and_apply_smack(shadow_tmp, shadow_path);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
}
|
||||
|
||||
shadow_tmp = mfree(shadow_tmp);
|
||||
}
|
||||
|
|
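Review bot: rename_and_apply_smack relabels dest_path only after rename() has already swapped the new file into place, so if mac_smack_apply fails the live /etc/passwd (or shadow/group/gshadow) is left carrying systemd's run label with nothing to roll back to, and even on success there is a window in which the published file does not yet have the floor label other Smack subjects presumably rely on. Applying the floor label to temp_path before the rename avoids both problems: a labeling failure leaves the old file untouched and the rename then publishes an already-correctly-labeled file atomically. With that ordering the `int r = 0` / `if (r < 0) return r; return r;` shape in the hunk collapses to a plain `return 0` and r can live inside the #ifdef so non-SMACK_RUN_LABEL builds do not see an unused variable. Note also that once shadow and gshadow carry '_' their confidentiality rests entirely on their DAC mode, which these hunks do not touch; a one-line comment saying so above the call would help the next reader. The tail of write_files continues outside the visible hunk and is unaffected by the reordering.
```c
static int rename_and_apply_smack(const char *temp_path, const char *dest_path) {
#ifdef SMACK_RUN_LABEL
        /* Label the staging file first: if this fails the old file stays in place. */
        int r = mac_smack_apply(temp_path, SMACK_ATTR_ACCESS, SMACK_FLOOR_LABEL);
        if (r < 0)
                return r;
#endif
        if (rename(temp_path, dest_path) < 0)
                return -errno;

        return 0;
}
```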