author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-07-11 13:32:00 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-11 13:32:00 +0200 |
commit | b0ff0eaa015a332b0516271cc627e4be125c36dd (patch) | |
tree | 1f46860c3f2640e1ec3165205e8c6434d7398ea0 | |
parent | 675fa6ea284b715d8fc909e6523f520a0125b7eb (diff) | |
parent | abad72be4df9d5a13ceecd5b4d073adb370882b7 (diff) | |
download | systemd-b0ff0eaa015a332b0516271cc627e4be125c36dd.tar.gz |
Merge pull request #16426 from cgzones/run_user_label
selinux: create standard user-runtime nodes with default context
-rw-r--r-- | src/basic/label.c | 20 | ||||
-rw-r--r-- | src/basic/label.h | 1 | ||||
-rw-r--r-- | src/core/namespace.c | 16 | ||||
-rw-r--r-- | src/shared/dev-setup.c | 4 |
4 files changed, 35 insertions, 6 deletions
diff --git a/src/basic/label.c b/src/basic/label.c
index 1fce7718d4..741c43c2b9 100644
--- a/src/basic/label.c
+++ b/src/basic/label.c
@@ -45,6 +45,26 @@ int symlink_label(const char *old_path, const char *new_path) {
 return mac_smack_fix(new_path, 0);
 }
+int mknod_label(const char *pathname, mode_t mode, dev_t dev) {
+ int r;
+
+ assert(pathname);
+
+ r = mac_selinux_create_file_prepare(pathname, mode);
+ if (r < 0)
+ return r;
+
+ if (mknod(pathname, mode, dev) < 0)
+ r = -errno;
+
+ mac_selinux_create_file_clear();
+
+ if (r < 0)
+ return r;
+
+ return mac_smack_fix(pathname, 0);
+}
+
 int btrfs_subvol_make_label(const char *path) {
 int r;
diff --git a/src/basic/label.h b/src/basic/label.h
index a6f9074b28..6dc0f710ef 100644
--- a/src/basic/label.h
+++ b/src/basic/label.h
@@ -17,5 +17,6 @@ static inline int label_fix(const char *path, LabelFixFlags flags) {
 int mkdir_label(const char *path, mode_t mode);
 int mkdirat_label(int dirfd, const char *path, mode_t mode);
 int symlink_label(const char *old_path, const char *new_path);
+int mknod_label(const char *pathname, mode_t mode, dev_t dev);
 int btrfs_subvol_make_label(const char *path);
diff --git a/src/core/namespace.c b/src/core/namespace.c
index b2bbcf58f2..ebdbb7545b 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
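Review bot: The new mknod_label() has a partial-failure case that callers cannot distinguish and that nothing documents: once mknod() has succeeded, a failing mac_smack_fix() returns its negative code while the freshly created node is left in place, so a retry will see EEXIST for a node whose SMACK label was never applied. A short comment above the definition would make the contract explicit, e.g. `/* Returns 0 or a negative errno-style code; if mknod() succeeded but the SMACK fixup failed, the node remains and is left unlabeled. */`. The error-return convention also matters because the existing callers converted in this PR previously inspected errno after plain mknod(). A minor style point: the sibling helpers in label.h use `path` for the target argument, while this one introduces `pathname`.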
@@ -860,15 +860,23 @@ static int mount_procfs(const MountEntry *m) {
 }
 static int mount_tmpfs(const MountEntry *m) {
+ int r;
+ const char *entry_path = mount_entry_path(m);
+ const char *source_path = m->path_const;
+
 assert(m);
 /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */
- (void) mkdir_p_label(mount_entry_path(m), 0755);
- (void) umount_recursive(mount_entry_path(m), 0);
+ (void) mkdir_p_label(entry_path, 0755);
+ (void) umount_recursive(entry_path, 0);
- if (mount("tmpfs", mount_entry_path(m), "tmpfs", m->flags, mount_entry_options(m)) < 0)
- return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
+ if (mount("tmpfs", entry_path, "tmpfs", m->flags, mount_entry_options(m)) < 0)
+ return log_debug_errno(errno, "Failed to mount %s: %m", entry_path);
+
+ r = label_fix_container(entry_path, source_path, 0);
+ if (r < 0)
+ return log_error_errno(r, "Failed to fix label of '%s' as '%s': %m", entry_path, source_path);
 return 1;
 }
diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c
index 6a280cde01..7641909c1b 100644
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@@ -103,9 +103,9 @@ int make_inaccessible_nodes(
 return log_oom();
 if (S_ISDIR(table[i].mode))
- r = mkdir(path, table[i].mode & 07777);
+ r = mkdir_label(path, table[i].mode & 07777);
 else
- r = mknod(path, table[i].mode, makedev(0, 0));
+ r = mknod_label(path, table[i].mode, makedev(0, 0));
 if (r < 0) {
 if (errno != EEXIST)
 log_debug_errno(errno, "Failed to create '%s', ignoring: %m", path);
|
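Review bot: In mount_tmpfs() the `assert(m)` is now dead code, because the new initializers `mount_entry_path(m)` and `m->path_const` dereference m before the assertion runs; keep the assert first and assign afterwards, e.g. `assert(m);` followed by `const char *entry_path = mount_entry_path(m), *source_path = m->path_const;`. Passing `m->path_const` as the label source also presumes every tmpfs entry carries a static path; if an entry's path lives only in a malloc'd field this would hand NULL to label_fix_container(), which should be confirmed against how MountEntry is populated outside this hunk. The new label_fix_container() failure is fatal at error level while the mount() failure just above stays at debug level, so the caller of mount_tmpfs (outside the hunk) may now log the same failure twice; failing closed when the label cannot be applied is the right security choice, but the log levels should be made consistent.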
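Review bot: The error handling in make_inaccessible_nodes() is now inconsistent with the callees: mkdir_label()/mknod_label() report failure through a negative return code (mknod_label visibly does `r = -errno` and may also return the code from mac_selinux_create_file_prepare() or mac_smack_fix()), yet the unchanged lines below still test `errno != EEXIST` and pass `errno` to log_debug_errno(). If the SELinux preparation fails before mknod() is attempted, errno may be stale or unset, so an unrelated earlier errno of EEXIST would silently hide the failure, or a spurious error would be logged. Change the two lines to `if (r != -EEXIST)` and `log_debug_errno(r, "Failed to create '%s', ignoring: %m", path);`. The enclosing function starts and ends outside the hunk, so any other errno-based checks in it should be revisited the same way.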