Merge pull request #16426 from cgzones/run_user_label

selinux: create standard user-runtime nodes with default context
2020-07-11 13:32:00 +02:00 · 2020-07-11 13:32:00 +02:00 · b0ff0eaa01
parent 675fa6ea28 abad72be4d
commit b0ff0eaa01
4 changed files with 35 additions and 6 deletions
--- a/src/basic/label.c
+++ b/src/basic/label.c
@ -45,6 +45,26 @@ int symlink_label(const char *old_path, const char *new_path) {
        return mac_smack_fix(new_path, 0);
 }

+int mknod_label(const char *pathname, mode_t mode, dev_t dev) {
+        int r;
+
+        assert(pathname);
+
+        r = mac_selinux_create_file_prepare(pathname, mode);
+        if (r < 0)
+                return r;
+
+        if (mknod(pathname, mode, dev) < 0)
+                r = -errno;
+
+        mac_selinux_create_file_clear();
+
+        if (r < 0)
+                return r;
+
+        return mac_smack_fix(pathname, 0);
+}
+
 int btrfs_subvol_make_label(const char *path) {
        int r;

--- a/src/basic/label.h
+++ b/src/basic/label.h
@ -17,5 +17,6 @@ static inline int label_fix(const char *path, LabelFixFlags flags) {
 int mkdir_label(const char *path, mode_t mode);
 int mkdirat_label(int dirfd, const char *path, mode_t mode);
 int symlink_label(const char *old_path, const char *new_path);
+int mknod_label(const char *pathname, mode_t mode, dev_t dev);

 int btrfs_subvol_make_label(const char *path);
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -860,15 +860,23 @@ static int mount_procfs(const MountEntry *m) {
 }

 static int mount_tmpfs(const MountEntry *m) {
+        int r;
+        const char *entry_path = mount_entry_path(m);
+        const char *source_path = m->path_const;
+
        assert(m);

        /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */

-        (void) mkdir_p_label(mount_entry_path(m), 0755);
-        (void) umount_recursive(mount_entry_path(m), 0);
+        (void) mkdir_p_label(entry_path, 0755);
+        (void) umount_recursive(entry_path, 0);

-        if (mount("tmpfs", mount_entry_path(m), "tmpfs", m->flags, mount_entry_options(m)) < 0)
-                return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
+        if (mount("tmpfs", entry_path, "tmpfs", m->flags, mount_entry_options(m)) < 0)
+                return log_debug_errno(errno, "Failed to mount %s: %m", entry_path);
+
+        r = label_fix_container(entry_path, source_path, 0);
+        if (r < 0)
+                return log_error_errno(r, "Failed to fix label of '%s' as '%s': %m", entry_path, source_path);

        return 1;
 }
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@ -103,9 +103,9 @@ int make_inaccessible_nodes(
                        return log_oom();

                if (S_ISDIR(table[i].mode))
-                        r = mkdir(path, table[i].mode & 07777);
+                        r = mkdir_label(path, table[i].mode & 07777);
                else
-                        r = mknod(path, table[i].mode, makedev(0, 0));
+                        r = mknod_label(path, table[i].mode, makedev(0, 0));
                if (r < 0) {
                        if (errno != EEXIST)
                                log_debug_errno(errno, "Failed to create '%s', ignoring: %m", path);