authorDan Walsh <dwalsh@redhat.com>2016-03-17 18:03:02 -0400
committerColin Walters (automation) <walters+githubbot@verbum.org>2016-03-22 09:33:46 +0000
commit506fb1b1624358d57095b20408414ccef6fbc22c (patch)
tree60a7e6e77613e129334b80f31834dedb3fab13b5
parentaedbc794d5cc3f5c479c7307054a761f388d2941 (diff)
downloadbubblewrap-506fb1b1624358d57095b20408414ccef6fbc22c.tar.gz
Add SELinux Support
Signed-off-by: Dan Walsh <dwalsh@redhat.com> Pull request: #25 Approved by: alexlarsson
-rw-r--r--Makefile-bwrap.am2
-rw-r--r--bubblewrap.c40
-rw-r--r--bwrap.xml14
-rw-r--r--configure.ac15
-rw-r--r--utils.c50
-rw-r--r--utils.h5
6 files changed, 122 insertions, 4 deletions
diff --git a/Makefile-bwrap.am b/Makefile-bwrap.am
index af602b5..f4c2a35 100644
--- a/Makefile-bwrap.am
+++ b/Makefile-bwrap.am
@@ -10,4 +10,4 @@ bwrap_SOURCES = \
$(NULL)
bwrap_CFLAGS = $(AM_CFLAGS)
-bwrap_LDFLAGS =
+bwrap_LDFLAGS = $(SELINUX_LIBS)
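Review bot: `$(SELINUX_LIBS)` is added to `bwrap_LDFLAGS`, which Automake places before the object files on the link line, so on a toolchain that defaults to `-Wl,--as-needed` libselinux can be discarded before `setexeccon`/`setfscreatecon` are referenced and the link fails with undefined symbols. Libraries belong in `bwrap_LDADD`: change the line to `bwrap_LDADD = $(SELINUX_LIBS)` and leave `bwrap_LDFLAGS` empty. The `SELINUX_CFLAGS` that `PKG_CHECK_MODULES([SELINUX], ...)` substitutes is not added to `bwrap_CFLAGS` either, which only works while the headers live in the default include path.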
diff --git a/bubblewrap.c b/bubblewrap.c
index 68acd63..2c23472 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -43,6 +43,8 @@ static bool is_privileged;
static const char *argv0;
static const char *host_tty_dev;
static int proc_fd = -1;
+static char *opt_exec_label = NULL;
+static char *opt_file_label = NULL;
typedef enum {
SETUP_BIND_MOUNT,
@@ -149,6 +151,8 @@ usage (int ecode)
" --bind SRC DEST Bind mount the host path SRC on DEST\n"
" --dev-bind SRC DEST Bind mount the host path SRC on DEST, allowing device access\n"
" --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n"
+ " --exec-label LABEL Exec Label from the sandbox\n"
+ " --file-label LABEL File label for temporary sandbox content\n"
" --proc DEST Mount procfs on DEST\n"
" --dev DEST Mount new dev on DEST\n"
" --dir DEST Create dir at DEST\n"
@@ -499,9 +503,12 @@ privileged_op (int privileged_op_socket,
die_with_error ("Can't mount proc on %s", arg1);
break;
case PRIV_SEP_OP_TMPFS_MOUNT:
- if (mount ("tmpfs", arg1, "tmpfs", MS_MGC_VAL | MS_NOSUID | MS_NOEXEC, "mode=0755") != 0)
- die_with_error ("Can't mount tmpfs on %s", arg1);
- break;
+ {
+ cleanup_free char *opt = label_mount ("mode=0755", opt_file_label);
+ if (mount ("tmpfs", arg1, "tmpfs", MS_MGC_VAL | MS_NOSUID | MS_NOEXEC, opt) != 0)
+ die_with_error ("Can't mount tmpfs on %s", arg1);
+ break;
+ }
case PRIV_SEP_OP_DEVPTS_MOUNT:
if (mount ("devpts", arg1, "devpts", MS_MGC_VAL | MS_NOSUID | MS_NOEXEC,
"newinstance,ptmxmode=0666,mode=620") != 0)
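Review bot: The tmpfs data string returned by `label_mount` embeds `opt_file_label` inside `context="…"` without any check that it is a well-formed SELinux context, and this mount(2) runs in the privileged helper (presumably as root when bwrap is installed setuid, given the `is_privileged` flag visible in the surrounding file). A label containing `"` or `,` closes the quoted value and appends further tmpfs options chosen by the unprivileged caller. Validate the label where it is parsed, e.g. `if (security_check_context (opt_file_label) < 0) die ("invalid file label %s", opt_file_label);`, or at minimum reject labels containing `"` so the privileged side can trust the string. The body of privileged_op continues outside the hunk.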
@@ -926,6 +933,30 @@ parse_args (int *argcp,
argv += 1;
argc -= 1;
}
+ else if (strcmp (arg, "--exec-label") == 0)
+ {
+ if (argc < 2)
+ die ("--exec-label takes an argument");
+ if (label_support () < 0)
+ die ("--exec-label not supported on this system");
+
+ opt_exec_label = argv[1];
+ argv += 1;
+ argc -= 1;
+ }
+ else if (strcmp (arg, "--file-label") == 0)
+ {
+ if (argc < 2)
+ die ("--file-label takes an argument");
+ if (label_support () < 0)
+ die ("--file-label not supported on this system");
+
+ opt_file_label = argv[1];
+ label_create_file (opt_file_label);
+
+ argv += 1;
+ argc -= 1;
+ }
else if (strcmp (arg, "--dev") == 0)
{
if (argc < 2)
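Review bot: The return value of `label_create_file (opt_file_label)` is dropped, so a failed `setfscreatecon` leaves the sandbox content with the default label while the caller believes `--file-label` took effect; `label_exec` is checked at its call site, so treat this one the same way: `if (label_create_file (opt_file_label) < 0) die_with_error ("Can't set file creation label %s", opt_file_label);`. Setting the fscreate context during option parsing presumably also labels every file this process creates from that point on, not only the tmpfs contents the option text describes — worth a comment here or moving the call next to the mount setup. parse_args continues outside the hunk.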
@@ -1458,6 +1489,9 @@ main (int argc,
/* We want sigchild in the child */
unblock_sigchild ();
+ if (label_exec (opt_exec_label) == -1)
+ die_with_error ("label_exec %s", argv[0]);
+
if (execvp (argv[0], argv) == -1)
die_with_error ("execvp %s", argv[0]);
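Review bot: The failure message for `label_exec` names `argv[0]` rather than the label that was rejected, so a policy denial reads like a problem with the program being run; use `die_with_error ("Can't set exec label %s", opt_exec_label);`. Note also that `label_exec` in utils.c returns 0 whenever `is_selinux_enabled ()` is not positive, so if the parse-time `label_support` guard does not fire, a requested `--exec-label` is silently skipped here and the command runs with the caller's context — a requested label should fail closed rather than be ignored. main continues outside the hunk.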
diff --git a/bwrap.xml b/bwrap.xml
index a6bb8a6..2dd1baa 100644
--- a/bwrap.xml
+++ b/bwrap.xml
@@ -205,6 +205,20 @@
as generated by seccomp_export_bpf.
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--exec-label <arg choice="plain">LABEL</arg></option></term>
+ <listitem><para>
+ Exec Label from the sandbox. On an SELinux system you can specify the SELinux
+ context for the sandbox process(s).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>--file-label <arg choice="plain">LABEL</arg></option></term>
+ <listitem><para>
+ File label for temporary sandbox content. On an SELinux system you can specify
+ the SELinux context for the sandbox content.
+ </para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/configure.ac b/configure.ac
index a380929..10c7789 100644
--- a/configure.ac
+++ b/configure.ac
@@ -35,6 +35,21 @@ AS_IF([test "$enable_man" != no], [
])
AM_CONDITIONAL(ENABLE_MAN, test "$enable_man" != no)
+# ------------------------------------------------------------------------------
+have_selinux=no
+AC_ARG_ENABLE(selinux, AS_HELP_STRING([--disable-selinux], [Disable optional SELINUX support]))
+if test "x$enable_selinux" != "xno"; then
+ PKG_CHECK_MODULES([SELINUX], [libselinux >= 2.1.9],
+ [AC_DEFINE(HAVE_SELINUX, 1, [Define if SELinux is available])
+ have_selinux=yes
+ M4_DEFINES="$M4_DEFINES -DHAVE_SELINUX"],
+ [have_selinux=no])
+ if test "x$have_selinux" = xno -a "x$enable_selinux" = xyes; then
+ AC_MSG_ERROR([*** SELinux support requested but libraries not found])
+ fi
+fi
+AM_CONDITIONAL(HAVE_SELINUX, [test "$have_selinux" = "yes"])
+
changequote(,)dnl
if test "x$GCC" = "xyes"; then
WARN_CFLAGS="-Wall -Werror=missing-prototypes"
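Review bot: The condition `test "x$have_selinux" = xno -a "x$enable_selinux" = xyes` uses the `-a` operator, which POSIX marks obsolescent and which is ambiguous in some shells' `test`; write it as `if test "x$have_selinux" = xno && test "x$enable_selinux" = xyes; then`. The `M4_DEFINES="$M4_DEFINES -DHAVE_SELINUX"` line duplicates what `AC_DEFINE` already puts in config.h; whether anything consumes `M4_DEFINES` is not visible here, so keep it only if the man-page build uses it.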
diff --git a/utils.c b/utils.c
index e6b230f..45c437f 100644
--- a/utils.c
+++ b/utils.c
@@ -19,6 +19,9 @@
#include "utils.h"
#include <sys/syscall.h>
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
void
die_with_error (const char *format, ...)
@@ -617,3 +620,50 @@ pivot_root (const char * new_root, const char * put_old)
return -1;
#endif
}
+
+int
+label_support ()
+{
+#ifdef HAVE_SELINUX
+ if (is_selinux_enabled () > 0)
+ return -1;
+#endif
+ return 0;
+}
+
+char *
+label_mount (const char *opt, const char *mount_label)
+{
+#ifdef HAVE_SELINUX
+ if (mount_label)
+ {
+ if (opt)
+ return strdup_printf ("%s,context=\"%s\"", opt, mount_label);
+ else
+ return strdup_printf ("context=\"%s\"", mount_label);
+ }
+#endif
+ if (opt)
+ return xstrdup (opt);
+ return NULL;
+}
+
+int
+label_create_file (const char *file_label)
+{
+#ifdef HAVE_SELINUX
+ if (is_selinux_enabled () > 0 && file_label)
+ return setfscreatecon (file_label);
+#endif
+ return 0;
+}
+
+int
+label_exec (const char *exec_label)
+{
+#ifdef HAVE_SELINUX
+ if (is_selinux_enabled () > 0 && exec_label)
+ return setexeccon (exec_label);
+#endif
+ return 0;
+}
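Review bot: `label_support` has its result inverted: it returns -1 exactly when `is_selinux_enabled () > 0`, so on an SELinux-enabled host both `--exec-label` and `--file-label` die with "not supported on this system", while on a host without SELinux (or a build without HAVE_SELINUX) the options are accepted and then do nothing in `label_exec`/`label_create_file`. The body should be `if (is_selinux_enabled () > 0) return 0;` under the ifdef and `return -1;` after it. Separately, the definition is written `label_support ()` while utils.h declares it `(void)`; use `(void)` so the definition is a prototype as well.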
diff --git a/utils.h b/utils.h
index 2a7790a..e4d5dff 100644
--- a/utils.h
+++ b/utils.h
@@ -105,6 +105,11 @@ int raw_clone (unsigned long flags,
void *child_stack);
int pivot_root (const char *new_root,
const char *put_old);
+char *label_mount (const char *opt,
+ const char *mount_label);
+int label_exec (const char *exec_label);
+int label_support (void);
+int label_create_file (const char *file_label);
static inline void
cleanup_freep (void *p)