systemd: earlier smack label switch

This patch was submitted and accepted upstream.
It allows systemd to set the smack label of the
executed process.

See https://github.com/systemd/systemd/pull/7378

Bug-AGL: SPEC-1014

Change-Id: Ia9c437cdaf1fea95ae048e2be5067d6fe218693f
Signed-off-by: José Bollo <jose.bollo@iot.bzh>

diff --git a/meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
new file mode 100644 (file)
index 0000000..46445be
--- /dev/null
+++ b/meta-agl/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
@@ -0,0 +1,52 @@
+From 6cc74075797edb6f698cb7f312bb1c3d8cc6cb28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 12 Oct 2017 17:17:56 +0200
+Subject: [PATCH] Switch Smack label earlier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Switching label after removing capability isn't
+possible.
+
+Change-Id: Ib7dac8f071f36119520ed3205d743c1e3df3cd5e
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/core/execute.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index d72e5bf08..0abffd569 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -2707,6 +2707,13 @@ static int exec_child(
+                         }
+                 }
+ 
++                r = setup_smack(context, command);
++                if (r < 0) {
++                        *exit_status = EXIT_SMACK_PROCESS_LABEL;
++                        *error_message = strdup("Failed to set SMACK process label");
++                        return r;
++                }
++
+                 if (!cap_test_all(context->capability_bounding_set)) {
+                         r = capability_bounding_set_drop(context->capability_bounding_set, false);
+                         if (r < 0) {
+@@ -2775,13 +2782,6 @@ static int exec_child(
+                 }
+ #endif
+ 
+-                r = setup_smack(context, command);
+-                if (r < 0) {
+-                        *exit_status = EXIT_SMACK_PROCESS_LABEL;
+-                        *error_message = strdup("Failed to set SMACK process label");
+-                        return r;
+-                }
+-
+ #ifdef HAVE_APPARMOR
+                 if (context->apparmor_profile && mac_apparmor_use()) {
+                         r = aa_change_onexec(context->apparmor_profile);
+-- 
+2.14.3
+

diff --git a/meta-agl/recipes-core/systemd/systemd_234.bbappend b/meta-agl/recipes-core/systemd/systemd_234.bbappend
new file mode 100644 (file)
index 0000000..4df7684
--- /dev/null
+++ b/meta-agl/recipes-core/systemd/systemd_234.bbappend
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "\
+    file://0001-Switch-Smack-label-earlier.patch \
+"
+