bus-policy: append items rather than prepending them

[elogind.git] / src / core / execute.c

diff --git a/src/core/execute.c b/src/core/execute.c
index 2b16b36c19b187853061f90c0918506086c94716..8c9dfde00a11558110e36c850d470ca54047e36c 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -84,6 +84,7 @@
 #include "mkdir.h"
 #include "apparmor-util.h"
 #include "bus-kernel.h"
+#include "label.h"
 
 #ifdef HAVE_SECCOMP
 #include "seccomp-util.h"
@@ -939,7 +940,7 @@ static void rename_process_from_path(const char *path) {
 
 #ifdef HAVE_SECCOMP
 
-static int apply_seccomp(ExecContext *c) {
+static int apply_seccomp(const ExecContext *c) {
         uint32_t negative_action, action;
         scmp_filter_ctx *seccomp;
         Iterator i;
@@ -988,7 +989,7 @@ finish:
         return r;
 }
 
-static int apply_address_families(ExecContext *c) {
+static int apply_address_families(const ExecContext *c) {
         scmp_filter_ctx *seccomp;
         Iterator i;
         int r;
@@ -1665,11 +1666,29 @@ static int exec_child(ExecCommand *command,
 #endif
 
 #ifdef HAVE_SELINUX
-                if (context->selinux_context && use_selinux()) {
-                        err = setexeccon(context->selinux_context);
-                        if (err < 0 && !context->selinux_context_ignore) {
-                                *error = EXIT_SELINUX_CONTEXT;
-                                return err;
+                if (use_selinux()) {
+                        if (context->selinux_context) {
+                                err = setexeccon(context->selinux_context);
+                                if (err < 0 && !context->selinux_context_ignore) {
+                                        *error = EXIT_SELINUX_CONTEXT;
+                                        return err;
+                                }
+                        }
+
+                        if (params->selinux_context_net && socket_fd >= 0) {
+                                _cleanup_free_ char *label = NULL;
+
+                                err = label_get_child_mls_label(socket_fd, command->path, &label);
+                                if (err < 0) {
+                                        *error = EXIT_SELINUX_CONTEXT;
+                                        return err;
+                                }
+
+                                err = setexeccon(label);
+                                if (err < 0) {
+                                        *error = EXIT_SELINUX_CONTEXT;
+                                        return err;
+                                }
                         }
                 }
 #endif