mount: apply SELinux labels before overlayfs mount

Use restorecon to apply SELinux labels if applicable. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
author: Daniel Golle <daniel@makrotopia.org> 2020-10-11 01:36:51 +0100
committer: Daniel Golle <daniel@makrotopia.org> 2020-10-16 01:48:48 +0100
commit: f25ab8a8484215e5fc88c952f25db9a06de311f7 (patch)
tree: 83a48e735355f09004c08211f6d481191967d47c
parent: 46a56d38a389e2db49d6c79adae8f016c60e1d1e (diff)
download: fstools-f25ab8a8484215e5fc88c952f25db9a06de311f7.tar.gz
3 files changed, 28 insertions, 0 deletions
diff --git a/libfstools/libfstools.h b/libfstools/libfstools.h
index f27307a..3da151d 100644
--- a/libfstools/libfstools.h
+++ b/libfstools/libfstools.h
@@ -62,5 +62,6 @@ extern void overlay_delete(const char *dir, bool keep_sysupgrade);
 
 enum fs_state fs_state_get(const char *dir);
 int fs_state_set(const char *dir, enum fs_state state);
+void selinux_restorecon(char *overlaydir);
 
 #endif
diff --git a/libfstools/mount.c b/libfstools/mount.c
index c72c26d..b30e5a6 100644
--- a/libfstools/mount.c
+++ b/libfstools/mount.c
@@ -14,6 +14,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
+#include <sys/wait.h>
 
 #include <errno.h>
 #include <stdio.h>
@@ -85,6 +86,24 @@ pivot(char *new, char *old)
 	return 0;
 }
 
+void
+selinux_restorecon(char *overlaydir)
+{
+	struct stat s;
+	pid_t restorecon_pid;
+	int status;
+
+	/* on non-SELinux system we don't have /sbin/restorecon, return */
+	if (stat("/sbin/restorecon", &s))
+		return;
+
+	restorecon_pid = fork();
+	if (!restorecon_pid)
+		execl("/sbin/restorecon", "restorecon", overlaydir, (char *) NULL);
+	else if (restorecon_pid > 0)
+		waitpid(restorecon_pid, &status, 0);
+}
+
 /**
  * fopivot - switch to overlay using passed dir as upper one
  *
@@ -111,6 +130,13 @@ fopivot(char *rw_root, char *ro_root)
 		 upperdir, workdir);
 
 	/*
+	 * Initialize SELinux security label on newly created overlay
+	 * filesystem where /upper doesn't yet exist
+	 */
+	if (stat(upperdir, &st))
+		selinux_restorecon(rw_root);
+
+	/*
 	 * Overlay FS v23 and later requires both a upper and
 	 * a work directory, both on the same filesystem, but
 	 * not part of the same subtree.
diff --git a/libfstools/overlay.c b/libfstools/overlay.c
index 508d23f..eadafcf 100644
--- a/libfstools/overlay.c
+++ b/libfstools/overlay.c
@@ -189,6 +189,7 @@ switch2jffs(struct volume *v)
 		ULOG_ERR("failed - mount -t jffs2 %s %s: %m\n", v->blk, OVERLAYDIR);
 		return -1;
 	}
+	selinux_restorecon(OVERLAYDIR);
 
 	if (mount("none", "/", NULL, MS_NOATIME | MS_REMOUNT, 0)) {
 		ULOG_ERR("failed - mount -o remount,ro none: %m\n");
author	Daniel Golle <daniel@makrotopia.org>	2020-10-11 01:36:51 +0100
committer	Daniel Golle <daniel@makrotopia.org>	2020-10-16 01:48:48 +0100
commit	f25ab8a8484215e5fc88c952f25db9a06de311f7 (patch)
tree	83a48e735355f09004c08211f6d481191967d47c
parent	46a56d38a389e2db49d6c79adae8f016c60e1d1e (diff)
download	fstools-f25ab8a8484215e5fc88c952f25db9a06de311f7.tar.gz