From: Sangjung Woo Date: Tue, 8 Sep 2015 06:09:40 +0000 (+0900) Subject: smack: bugfix the smack label of symlink when '--with-smack-run-label' is set X-Git-Tag: v227.2^2~44 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=eeeefb47fde1f010e14c9f0a6104bba011ce9b20 smack: bugfix the smack label of symlink when '--with-smack-run-label' is set Even though elogind has its own smack label since '--with-smack-run-label' configuration is set, the smack label of each CGROUP root directory should have the star (i.e. *) label. This is mainly because current Linux Kernel set the label in this way. (Refer to smack_d_instantiate() in security/smack/smack_lsm.c) However, if elogind has its own smack label and arg_join_controllers is explicitly set or initialized by initialize_join_controllers() function, current elogind creates the symlink in CGROUP root directory with its own smack label as below. lrwxrwxrwx. 1 root root System 11 Dec 31 16:00 cpu -> cpu,cpuacct dr-xr-xr-x. 4 root root * 0 Dec 31 16:01 cpu,cpuacct lrwxrwxrwx. 1 root root System 11 Dec 31 16:00 cpuacct -> cpu,cpuacct This patch fixes that bug by copying the smack label from the origin. --- diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c index ed95cbbc2..4713187e6 100644 --- a/src/core/mount-setup.c +++ b/src/core/mount-setup.c @@ -322,6 +322,11 @@ int mount_cgroup_controllers(char ***join_controllers) { r = symlink(options, t); if (r < 0 && errno != EEXIST) return log_error_errno(errno, "Failed to create symlink %s: %m", t); +#ifdef SMACK_RUN_LABEL + r = mac_smack_copy(t, options); + if (r < 0 && r != -EOPNOTSUPP) + return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", options, t); +#endif } } }