#include <security/pam_appl.h>
#endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
#include "execute.h"
#include "strv.h"
#include "macro.h"
#include "fileio.h"
#include "unit.h"
#include "async.h"
+#include "selinux-util.h"
#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
!strv_isempty(context->read_only_dirs) ||
!strv_isempty(context->inaccessible_dirs) ||
context->mount_flags != 0 ||
- (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))) {
+ (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
+ context->private_devices) {
char *tmp = NULL, *var = NULL;
context->inaccessible_dirs,
tmp,
var,
+ context->private_devices,
context->mount_flags);
if (err < 0) {
goto fail_child;
}
}
+#ifdef HAVE_SELINUX
+ if (context->selinux_context && use_selinux()) {
+ bool ignore;
+ char* c;
+
+ c = context->selinux_context;
+ if (c[0] == '-') {
+ c++;
+ ignore = true;
+ } else
+ ignore = false;
+
+ err = setexeccon(c);
+ if (err < 0 && !ignore) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
+ }
+#endif
}
err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
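Review bot: When `ignore` is set, a failed setexeccon() on the line `err = setexeccon(c);` is swallowed without any diagnostic, so a unit configured with a `-`-prefixed context that ends up running in the manager's own domain leaves no trace in the log; if the child's logging is usable at this point (the enclosing block and the fail_child path are outside the hunk), a `log_warning("Failed to set SELinux exec context %s, ignoring: %m", c);` emitted in the `err < 0 && ignore` case would make the degraded state visible. The prefix handling also accepts the bare value `-`, which leaves `c` pointing at an empty string and hands "" to setexeccon(); unless the option parser rejects that (not visible here), the intended behaviour should be stated in a comment or guarded with a check. Style: this file writes `char *c` rather than `char* c`, and the detection reads more directly as `ignore = c[0] == '-'; if (ignore) c++;` in place of the if/else pair.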
free(c->utmp_id);
c->utmp_id = NULL;
+ free(c->selinux_context);
+ c->selinux_context = NULL;
+
free(c->syscall_filter);
c->syscall_filter = NULL;
}
"%sNonBlocking: %s\n"
"%sPrivateTmp: %s\n"
"%sPrivateNetwork: %s\n"
+ "%sPrivateDevices: %s\n"
"%sIgnoreSIGPIPE: %s\n",
prefix, c->umask,
prefix, c->working_directory ? c->working_directory : "/",
prefix, yes_no(c->non_blocking),
prefix, yes_no(c->private_tmp),
prefix, yes_no(c->private_network),
+ prefix, yes_no(c->private_devices),
prefix, yes_no(c->ignore_sigpipe));
STRV_FOREACH(e, c->environment)
fprintf(f,
"%sUtmpIdentifier: %s\n",
prefix, c->utmp_id);
+
+ if (c->selinux_context)
+ fprintf(f,
+ "%sSELinuxContext: %s\n",
+ prefix, c->selinux_context);
}
void exec_status_start(ExecStatus *s, pid_t pid) {