From 374738d55b2bc4ab07c22f9a0be95a76de1c9478 Mon Sep 17 00:00:00 2001
From: Lukasz Skalski
Date: Thu, 9 Oct 2014 11:02:47 +0200
Subject: [PATCH] logind: mount per-user tmpfs with 'smackfsroot=*' for smack enabled systems

---
 src/login/logind-user.c | 8 +++++++-
 units/systemd-logind.service.in | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/login/logind-user.c b/src/login/logind-user.c
index d48eca47f..3847496c1 100644
--- a/src/login/logind-user.c
+++ b/src/login/logind-user.c
@@ -37,6 +37,7 @@
 #include "conf-parser.h"
 #include "clean-ipc.h"
 #include "logind-user.h"
+#include "smack-util.h"

 User* user_new(Manager *m, uid_t uid, gid_t gid, const char *name) {
 User *u;
@@ -325,7 +326,12 @@ static int user_mkdir_runtime_path(User *u) {

 mkdir(p, 0700);

- if (asprintf(&t, "mode=0700,uid=" UID_FMT ",gid=" GID_FMT ",size=%zu", u->uid, u->gid, u->manager->runtime_dir_size) < 0) {
+ if (use_smack())
+ r = asprintf(&t, "mode=0700,smackfsroot=*,uid=" UID_FMT ",gid=" GID_FMT ",size=%zu", u->uid, u->gid, u->manager->runtime_dir_size);
+ else
+ r = asprintf(&t, "mode=0700,uid=" UID_FMT ",gid=" GID_FMT ",size=%zu", u->uid, u->gid, u->manager->runtime_dir_size);
+
+ if (r < 0) {
 r = log_oom();
 goto fail;
 }
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index c6cbd1c8d..f087e99ce 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -23,7 +23,7 @@ ExecStart=@rootlibexecdir@/systemd-logind
 Restart=always
 RestartSec=0
 BusName=org.freedesktop.login1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 WatchdogSec=1min

 # Increase the default a bit in order to allow many simultaneous
--
2.30.2
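Review bot: The `use_smack()` branch in the second logind-user.c hunk adds `smackfsroot=*` without a comment on what the star label means for this mount. Under Smack's access rules an object labelled `*` is accessible to every subject label, so on the root of the runtime directory the MAC layer permits everything and isolation between users rests on the `mode=0700`, `uid=` and `gid=` options alone; a comment above the branch such as `/* Smack: the tmpfs root gets the "*" label, so only the DAC options below keep other users out */` would record that. The two `asprintf()` calls also differ only in that one option, so a single call with a `%s` placed after `mode=0700,` and `use_smack() ? "smackfsroot=*," : ""` as its argument would keep the option list in one place. user_mkdir_runtime_path() starts and ends outside the hunk, so how the mount call reacts when the kernel rejects the option is not visible here.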
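Review bot: `CAP_MAC_ADMIN` is added to `CapabilityBoundingSet=` for every installation, while the only use visible in this patch is the `smackfsroot=*` mount option in logind-user.c, which is taken only when `use_smack()` is true. On systems without Smack, logind then keeps a capability covering MAC configuration changes that it presumably never needs, which widens what a compromised logind can do. If the unit template cannot make the entry conditional on Smack support, the reason should at least be recorded above the line, e.g. `# CAP_MAC_ADMIN: needed on Smack systems to mount the per-user runtime tmpfs with smackfsroot=`.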