From 93369be040612c906bcbb1631f44a92fa4122d24 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Thu, 2 Jun 2022 07:36:47 +0100
Subject: Revert "fstools: remove SELinux restorecon hack"
Now that procd only relables the filesystem in case of the system beging started with initramfs we will again need to take care of labeling newly created /overlay.
This reverts commit 9e11b3723ce30b9b8c94ad7d15072a10cf13c0b4.
Signed-off-by: Daniel Golle
---
 libfstools/libfstools.h | 1 +
 libfstools/mount.c | 25 +++++++++++++++++++++++++
 libfstools/overlay.c | 1 +
 3 files changed, 27 insertions(+)
diff --git a/libfstools/libfstools.h b/libfstools/libfstools.h
index be20fad..340e2dc 100644
--- a/libfstools/libfstools.h
+++ b/libfstools/libfstools.h
@@ -62,5 +62,6 @@ extern void overlay_delete(const char *dir, bool keep_sysupgrade);
 enum fs_state fs_state_get(const char *dir);
 int fs_state_set(const char *dir, enum fs_state state);
+void selinux_restorecon(char *overlaydir);
 #endif
diff --git a/libfstools/mount.c b/libfstools/mount.c
index 8646c19..3d4111f 100644
--- a/libfstools/mount.c
+++ b/libfstools/mount.c
@@ -86,6 +86,24 @@ pivot(char *new, char *old)
 return 0;
 }
+void
+selinux_restorecon(char *overlaydir)
+{
+ struct stat s;
+ pid_t restorecon_pid;
+ int status;
+
+ /* on non-SELinux system we don't have /sbin/restorecon, return */
+ if (stat("/sbin/restorecon", &s))
+ return;
+
+ restorecon_pid = fork();
+ if (!restorecon_pid)
+ exit(execl("/sbin/restorecon", "restorecon", overlaydir, (char *) NULL));
+ else if (restorecon_pid > 0)
+ waitpid(restorecon_pid, &status, 0);
+}
+
 /**
 * fopivot - switch to overlay using passed dir as upper one
 *
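Review bot: `+void selinux_restorecon(char *overlaydir);` should declare the parameter as `const char *`: the definition in mount.c only forwards it to execl(), whose arguments are const, and the overlay.c caller in this patch passes OVERLAYDIR, which appears to be a string-literal macro (its definition is not visible here). Suggest `void selinux_restorecon(const char *overlaydir);` in the header together with the matching `selinux_restorecon(const char *overlaydir)` on the definition in mount.c.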
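Review bot: In the child branch `exit(execl(...))` turns an execl() failure into exit(-1), i.e. status 255, and calling exit() in a forked child also runs the parent's atexit handlers and flushes inherited stdio buffers; the usual shape is execl() followed by `_exit(127)` on the fall-through. The parent then never looks at `status`, and a fork() failure (`restorecon_pid < 0`) is silently ignored, so an overlay that could not be relabeled is indistinguishable from one that was, and an enforcing policy will later deny access to the unlabeled files with nothing in the log pointing back here. Checking waitpid() plus WIFEXITED/WEXITSTATUS and logging the failure closes that gap; overlay.c in this patch reports its own errors with ULOG_ERR, so the same macro is presumably available in mount.c (confirm the include). The stat() probe of /sbin/restorecon is a reasonable presence check but does not guarantee the exec succeeds, which is one more reason to report the child's status.
```c
	/* … unchanged: stat() probe of /sbin/restorecon … */
	restorecon_pid = fork();
	if (restorecon_pid < 0) {
		ULOG_ERR("fork() for restorecon failed: %m\n");
		return;
	}
	if (!restorecon_pid) {
		execl("/sbin/restorecon", "restorecon", overlaydir, (char *) NULL);
		/* only reached if execl() failed; _exit() skips the parent's atexit/stdio flush */
		_exit(127);
	}
	if (waitpid(restorecon_pid, &status, 0) < 0 ||
	    !WIFEXITED(status) || WEXITSTATUS(status) != 0)
		ULOG_ERR("restorecon %s failed\n", overlaydir);
```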
@@ -111,6 +129,13 @@ fopivot(char *rw_root, char *ro_root)
 snprintf(mount_options, sizeof(mount_options), "lowerdir=/,upperdir=%s,workdir=%s", upperdir, workdir);
+ /*
+ * Initialize SELinux security label on newly created overlay
+ * filesystem where /upper doesn't yet exist
+ */
+ if (stat(upperdir, &st))
+ selinux_restorecon(rw_root);
+
 /*
 * Overlay FS v23 and later requires both a upper and
 * a work directory, both on the same filesystem, but
diff --git a/libfstools/overlay.c b/libfstools/overlay.c
index 4cc319e..6790337 100644
--- a/libfstools/overlay.c
+++ b/libfstools/overlay.c
@@ -195,6 +195,7 @@ switch2jffs(struct volume *v)
 ULOG_ERR("failed - mount -t jffs2 %s %s: %m\n", v->blk, OVERLAYDIR);
 return -1;
 }
+ selinux_restorecon(OVERLAYDIR);
 if (mount("none", "/", NULL, MS_NOATIME | MS_REMOUNT, 0)) {
 ULOG_ERR("failed - mount -o remount,ro none: %m\n");
--
cgit v1.2.1
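Review bot: The added comment says the relabel covers the case `where /upper doesn't yet exist`, but `if (stat(upperdir, &st))` fires on any stat() failure (EACCES, ENOTDIR, and so on), not only ENOENT; restorecon is idempotent so that is harmless, but the comment should say what the code checks, e.g. `* filesystem, i.e. whenever upperdir cannot be stat()ed (normally: it does not exist yet)`. It is also worth one line on ordering: the relabel runs on rw_root before the upper/work directories are presumably created further down in fopivot (outside this hunk), so those directories get their label from policy transitions rather than from this call — if that is intended, say so next to the call. fopivot's body starts and ends outside the hunk, and `st` is declared there.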