authorƁukasz Stelmach <l.stelmach@samsung.com>2022-07-06 13:09:51 +0200
committerLuca Boccassi <luca.boccassi@gmail.com>2022-07-12 22:47:32 +0100
commitaa5ae9711ef3cd0c69b7fcfbd65bca05fb704a8a (patch)
tree093829ff70722785faef8422c0b1b88490d37875
parent8880c3be82cbf303b961bfdccf46b84f3fd3d37b (diff)
smack: Add DefaultSmackProcessLabel to user.conf and system.conf
DefaultSmackProcessLabel tells systemd what label to assign to its child processes in case SmackProcessLabel is not set in the service file. By default, when DefaultSmackProcessLabel is not set, child processes inherit the label from systemd. If DefaultSmackProcessLabel is set to "/" (which is an invalid character for a SMACK label), the DEFAULT_SMACK_PROCESS_LABEL set during compilation is ignored and systemd acts as if the option was unset.
-rw-r--r--man/systemd-system.conf.xml12
-rw-r--r--meson.build5
-rw-r--r--meson_options.txt2
-rw-r--r--src/core/execute.c10
-rw-r--r--src/core/main.c9
-rw-r--r--src/core/manager.c15
-rw-r--r--src/core/manager.h4
-rw-r--r--src/core/system.conf.in1
-rw-r--r--src/core/user.conf.in1
9 files changed, 53 insertions, 6 deletions
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index 3fe2cbfdea..ef311f1971 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -525,6 +525,18 @@
details. Note that this setting has no effect on the OOM score adjustment value of the service
manager process itself, it retains the original value set during its invocation.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>DefaultSmackProcessLabel=</varname></term>
+
+ <listitem><para>Takes a <option>SMACK64</option> security label as the argument. The process executed
+ by a unit will be started under this label if <varname>SmackProcessLabel=</varname> is not set in the
+ unit. See <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for the details.</para>
+
+ <para>If the value is <literal>/</literal>, only labels specified with <varname>SmackProcessLabel=</varname>
+ are assigned and the compile-time default is ignored.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/meson.build b/meson.build
index 7db7e5ea1d..b4fd369241 100644
--- a/meson.build
+++ b/meson.build
@@ -1167,6 +1167,11 @@ if have
conf.set_quoted('SMACK_RUN_LABEL', get_option('smack-run-label'))
endif
+have = get_option('smack') and get_option('smack-default-process-label') != ''
+if have
+ conf.set_quoted('SMACK_DEFAULT_PROCESS_LABEL', get_option('smack-default-process-label'))
+endif
+
want_polkit = get_option('polkit')
install_polkit = false
install_polkit_pkla = false
diff --git a/meson_options.txt b/meson_options.txt
index adaedf3ce8..628ca1d797 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -352,6 +352,8 @@ option('smack', type : 'boolean',
description : 'SMACK support')
option('smack-run-label', type : 'string',
description : 'run systemd --system itself with a specific SMACK label')
+option('smack-default-process-label', type : 'string',
+ description : 'default SMACK label for executed processes')
option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
description : 'polkit support')
option('ima', type : 'boolean',
diff --git a/src/core/execute.c b/src/core/execute.c
index 3be219fe1c..64b290d3e7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3240,6 +3240,7 @@ static int setup_credentials(
#if ENABLE_SMACK
static int setup_smack(
+ const Manager *manager,
const ExecContext *context,
int executable_fd) {
int r;
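Review bot: setup_smack() now dereferences the new `manager` parameter in the `else if` branch of the following hunk, but nothing visible here checks it. The existing parameter checks that presumably follow `int r;` are outside the hunk; if they are of the `assert(context);` form, add `assert(manager);` beside them so a NULL unit->manager fails loudly rather than in a dereference. The body of setup_smack continues in the next hunk.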
@@ -3251,20 +3252,17 @@ static int setup_smack(
r = mac_smack_apply_pid(0, context->smack_process_label);
if (r < 0)
return r;
- }
-#ifdef SMACK_DEFAULT_PROCESS_LABEL
- else {
+ } else if (manager->default_smack_process_label) {
_cleanup_free_ char *exec_label = NULL;
r = mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, &exec_label);
if (r < 0 && !IN_SET(r, -ENODATA, -EOPNOTSUPP))
return r;
- r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
+ r = mac_smack_apply_pid(0, exec_label ? : manager->default_smack_process_label);
if (r < 0)
return r;
}
-#endif
return 0;
}
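Review bot: At the `mac_smack_apply_pid(0, exec_label ? : manager->default_smack_process_label)` line the executable's SMACK64EXEC attribute still takes precedence over the configured default, which the man page text added in this commit ("will be started under this label if SmackProcessLabel= is not set") does not say. A comment above the `else if` would make the precedence explicit, e.g. `/* No label from the unit: prefer the executable's SMACK64EXEC attribute, then fall back to DefaultSmackProcessLabel= (or the compile-time default the manager was given). */`, and the man page paragraph should mention the attribute. Because default_smack_process_label is NULL when the option is unset or "/", the branch appears to preserve the old behaviour of inheriting the manager's label in that case. setup_smack() begins in the previous hunk.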
@@ -4853,7 +4851,7 @@ static int exec_child(
/* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
* process. This is the latest place before dropping capabilities. Other MAC context are set later. */
if (use_smack) {
- r = setup_smack(context, executable_fd);
+ r = setup_smack(unit->manager, context, executable_fd);
if (r < 0 && !context->smack_process_label_ignore) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m");
diff --git a/src/core/main.c b/src/core/main.c
index aee66051db..72d86d3efd 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -170,6 +170,7 @@ static void *arg_random_seed;
static size_t arg_random_seed_size;
static int arg_default_oom_score_adjust;
static bool arg_default_oom_score_adjust_set;
+static char *arg_default_smack_process_label;
/* A copy of the original environment block */
static char **saved_env = NULL;
@@ -658,6 +659,11 @@ static int parse_config_file(void) {
{ "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action },
{ "Manager", "DefaultOOMPolicy", config_parse_oom_policy, 0, &arg_default_oom_policy },
{ "Manager", "DefaultOOMScoreAdjust", config_parse_oom_score_adjust, 0, NULL },
+#if ENABLE_SMACK
+ { "Manager", "DefaultSmackProcessLabel", config_parse_string, 0, &arg_default_smack_process_label },
+#else
+ { "Manager", "DefaultSmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, NULL },
+#endif
{}
};
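Review bot: `DefaultSmackProcessLabel` is parsed with `config_parse_string`, so the value is stored without any SMACK label validation (length limit, forbidden characters), and only the "/" sentinel is given meaning later in manager_set_default_smack_process_label(). A malformed label is therefore noticed only at exec time, when mac_smack_apply_pid() fails for every unit that has no SmackProcessLabel= of its own and the unit exits with EXIT_SMACK_PROCESS_LABEL unless smack_process_label_ignore is set. Consider a dedicated parser that rejects malformed labels at config-load time with a logged error, reusing whatever checks the unit-level SmackProcessLabel= parser already applies. The same setting is also exposed in user.conf (last hunk of this commit); a user manager without CAP_MAC_ADMIN would presumably fail its services in the same way, which is worth a sentence in the man page if that is intended.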
@@ -731,6 +737,8 @@ static void set_manager_defaults(Manager *m) {
m->default_oom_score_adjust_set = arg_default_oom_score_adjust_set;
m->default_oom_score_adjust = arg_default_oom_score_adjust;
+ (void) manager_set_default_smack_process_label(m, arg_default_smack_process_label);
+
(void) manager_set_default_rlimits(m, arg_default_rlimit);
(void) manager_default_environment(m);
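Review bot: The return of `manager_set_default_smack_process_label()` is discarded with `(void)`, so a failed strdup() leaves `m->default_smack_process_label` NULL and children silently inherit the manager's own label instead of the configured default, a fail-open on a security setting. The neighbouring calls use the same `(void)` style, so if that is kept deliberately, at least log it: `r = manager_set_default_smack_process_label(m, arg_default_smack_process_label);` followed by `if (r < 0) log_warning_errno(r, "Failed to set default SMACK process label, ignoring: %m");`. This needs an `int r` in set_manager_defaults(), whose body continues outside the hunk.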
@@ -2421,6 +2429,7 @@ static void reset_arguments(void) {
arg_clock_usec = 0;
arg_default_oom_score_adjust_set = false;
+ arg_default_smack_process_label = mfree(arg_default_smack_process_label);
}
static void determine_default_oom_score_adjust(void) {
diff --git a/src/core/manager.c b/src/core/manager.c
index c7598b1e2a..e7e077dcf0 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -1549,6 +1549,8 @@ Manager* manager_free(Manager *m) {
free(m->switch_root);
free(m->switch_root_init);
+ free(m->default_smack_process_label);
+
rlimit_free_all(m->rlimit);
assert(hashmap_isempty(m->units_requiring_mounts_for));
@@ -3880,6 +3882,19 @@ int manager_get_effective_environment(Manager *m, char ***ret) {
return 0;
}
+int manager_set_default_smack_process_label(Manager *m, const char *label) {
+ assert(m);
+
+#ifdef SMACK_DEFAULT_PROCESS_LABEL
+ if (!label)
+ return free_and_strdup(&m->default_smack_process_label, SMACK_DEFAULT_PROCESS_LABEL);
+#endif
+ if (streq_ptr(label, "/"))
+ return free_and_strdup(&m->default_smack_process_label, NULL);
+
+ return free_and_strdup(&m->default_smack_process_label, label);
+}
+
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit) {
assert(m);
diff --git a/src/core/manager.h b/src/core/manager.h
index fd5da52b7f..63cff7989d 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -457,6 +457,8 @@ struct Manager {
/* Reference to RestrictFileSystems= BPF program */
struct restrict_fs_bpf *restrict_fs;
+
+ char *default_smack_process_label;
};
static inline usec_t manager_default_timeout_abort_usec(Manager *m) {
@@ -509,6 +511,8 @@ int manager_transient_environment_add(Manager *m, char **plus);
int manager_client_environment_modify(Manager *m, char **minus, char **plus);
int manager_get_effective_environment(Manager *m, char ***ret);
+int manager_set_default_smack_process_label(Manager *m, const char *label);
+
int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit);
void manager_trigger_run_queue(Manager *m);
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 67e55f10a2..ae1b47b2ba 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -74,3 +74,4 @@
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
#DefaultOOMPolicy=stop
+#DefaultSmackProcessLabel=
diff --git a/src/core/user.conf.in b/src/core/user.conf.in
index e0a7703525..c29068828c 100644
--- a/src/core/user.conf.in
+++ b/src/core/user.conf.in
@@ -47,3 +47,4 @@
#DefaultLimitNICE=
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
+#DefaultSmackProcessLabel=