systemd/0553-logind-mount-per-user-tmpfs-with-smackfsroot-for-sma.patch

From 374738d55b2bc4ab07c22f9a0be95a76de1c9478 Mon Sep 17 00:00:00 2001
From: Lukasz Skalski <l.skalski@samsung.com>
Date: Thu, 9 Oct 2014 11:02:47 +0200
Subject: [PATCH] logind: mount per-user tmpfs with 'smackfsroot=*' for smack
 enabled systems

---
 src/login/logind-user.c         | 8 +++++++-
 units/systemd-logind.service.in | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/login/logind-user.c b/src/login/logind-user.c
index d48eca47f0..3847496c15 100644
--- a/src/login/logind-user.c
+++ b/src/login/logind-user.c
@@ -37,6 +37,7 @@
 #include "conf-parser.h"
 #include "clean-ipc.h"
 #include "logind-user.h"
+#include "smack-util.h"
 
 User* user_new(Manager *m, uid_t uid, gid_t gid, const char *name) {
         User *u;
@@ -325,7 +326,12 @@ static int user_mkdir_runtime_path(User *u) {
 
                 mkdir(p, 0700);
 
-                if (asprintf(&t, "mode=0700,uid=" UID_FMT ",gid=" GID_FMT ",size=%zu", u->uid, u->gid, u->manager->runtime_dir_size) < 0) {
+                if (use_smack())
+                        r = asprintf(&t, "mode=0700,smackfsroot=*,uid=" UID_FMT ",gid=" GID_FMT ",size=%zu", u->uid, u->gid, u->manager->runtime_dir_size);
+                else
+                        r = asprintf(&t, "mode=0700,uid=" UID_FMT ",gid=" GID_FMT ",size=%zu", u->uid, u->gid, u->manager->runtime_dir_size);
+
+                if (r < 0) {
                         r = log_oom();
                         goto fail;
                 }
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index c6cbd1c8df..f087e99ce2 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -23,7 +23,7 @@ ExecStart=@rootlibexecdir@/systemd-logind
 Restart=always
 RestartSec=0
 BusName=org.freedesktop.login1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 WatchdogSec=1min
 
 # Increase the default a bit in order to allow many simultaneous