Hi, I need an apparently exotic configuration and I don't know how to approach the problem. Here are the requirements: - user@1234.service (systemd --user) + runs with Priv SMACK label (SmackProcessLabel in user@.service) + has cap_mac_admin (and a few other capabilities) to assign SMACK labels to its children (AmbientCapabilities in user@.service) - children (session services) run with Reg SMACK label (I added support for DefaultSmackProcessLabel to user.conf, to avoid modifications of all unit files) - children DO NOT inherit capabilites from systemd --user (they do now) This last is a problem because I'd like to avoid modifications of all service files. I tried to drop inheritable caps before execve() (in exec_child()) but as described in capabilities(7) this results in dropping caps from the ambient set too, which means systemd --user doens't get what it needs. Is there anything I am missing? Is there any way to start a service with UID!=0, some capabilities set but not implicitly inheritable by processes spawned by the service? Kind regards, -- Łukasz Stelmach Samsung R&D Institute Poland Samsung Electronics
Attachment:
signature.asc
Description: PGP signature