smack: bugfix the smack label of symlink when '--with-smack-run-label' is set

Even though elogind has its own smack label since
'--with-smack-run-label' configuration is set, the smack label of each
CGROUP root directory should have the star (i.e. *) label. This is
mainly because current Linux Kernel set the label in this way.
(Refer to smack_d_instantiate() in security/smack/smack_lsm.c)

However, if elogind has its own smack label and arg_join_controllers is
explicitly set or initialized by initialize_join_controllers() function,
current elogind creates the symlink in CGROUP root directory with its
own smack label as below.

lrwxrwxrwx. 1 root root System  11 Dec 31 16:00 cpu -> cpu,cpuacct
dr-xr-xr-x. 4 root root *        0 Dec 31 16:01 cpu,cpuacct
lrwxrwxrwx. 1 root root System  11 Dec 31 16:00 cpuacct -> cpu,cpuacct

This patch fixes that bug by copying the smack label from the origin.

diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index ed95cbbc27abc66f837f4c64ab804428643ea6bc..4713187e6c3c1b787000b4c42489f4f97b0ee149 100644 (file)
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -322,6 +322,11 @@ int mount_cgroup_controllers(char ***join_controllers) {
                                 r = symlink(options, t);
                                 if (r < 0 && errno != EEXIST)
                                         return log_error_errno(errno, "Failed to create symlink %s: %m", t);
+#ifdef SMACK_RUN_LABEL
+                                r = mac_smack_copy(t, options);
+                                if (r < 0 && r != -EOPNOTSUPP)
+                                        return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", options, t);
+#endif
                         }
                 }
         }