On Thu, 13.11.14 18:11, Przemyslaw Kedzierski (p.kedzier...@samsung.com) wrote:
Looks pretty good, but I couldn't apply it. There's something wrong with the patch: the deletion/renaming of the service files doesn't work. Did you create this patch with git-format-patch?

> if (is_unix) { > (void) getpeercred(in_fd, &ucred); > (void) getpeersec(in_fd, &peersec); > + > +#ifdef HAVE_SMACK > + if (mac_smack_use()) { > + if (peersec) { > + > + r = mac_smack_apply_pid(getpid(), peersec); > + if (r < 0) > + log_warning("Failed to set SMACK > label %s : %s", peersec, strerror(-r)); > + } else > + log_warning("Invalid SMACK label"); > + > + r = drop_capability(CAP_MAC_ADMIN); > + if (r < 0) > + log_warning("Failed to drop CAP_MAC_ADMIN: > %s", strerror(-r)); > + } > +#endif > }

Hmm, could you make this bit a function of its own please?

> +m4_ifdef(`HAVE_SMACK', > +Capabilities=cap_mac_admin=i > +SecureBits=keep-caps > +)

Hmm, it might be a good idea to also add some code to Makefile.am to add the capability to the file after installation in case of HAVE_SMACK. We used to set a file cap like this on systemd-detect-virt until a while back. See commit fdd25311706bd32580ec4d43211cdf4665d2f9de for details about the setcap lines we removed back then. It should be easy to just re-add those lines and adapt them to apply to systemd-bus-proxyd instead!

Thanks!

Lennart

--
Lennart Poettering, Red Hat
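
Review bot: In the HAVE_SMACK block, every failure path only calls log_warning and falls through: if mac_smack_apply_pid() fails or peersec is NULL the proxy keeps running without the peer's label, and if drop_capability(CAP_MAC_ADMIN) fails it keeps CAP_MAC_ADMIN. If the intent is to confine the proxy to the client's label, both cases should be treated as errors and returned to the caller rather than logged as warnings. The return value of getpeersec() is also discarded with (void), so "Invalid SMACK label" is what gets logged when the lookup itself failed; checking that return value would let the message carry the real error.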
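
Review bot: Capabilities=cap_mac_admin=i in the m4_ifdef block places CAP_MAC_ADMIN only in the inheritable set, so it has no effect unless the systemd-bus-proxyd binary also carries a matching file capability, and nothing in this unit fragment documents that dependency. A comment above these two lines naming the required file capability, and saying why SecureBits=keep-caps is set, would keep the unit file and the install step from drifting apart.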