mount: apply SELinux labels before overlayfs mount

author Daniel Golle <daniel@makrotopia.org>

Sun, 11 Oct 2020 00:36:51 +0000 (01:36 +0100)

committer Daniel Golle <daniel@makrotopia.org>

Fri, 16 Oct 2020 00:48:48 +0000 (01:48 +0100)
author Daniel Golle <daniel@makrotopia.org>
Sun, 11 Oct 2020 00:36:51 +0000 (01:36 +0100)
committer Daniel Golle <daniel@makrotopia.org>
Fri, 16 Oct 2020 00:48:48 +0000 (01:48 +0100)
diff --git a/libfstools/libfstools.h b/libfstools/libfstools.h

index f27307a7e083627990731496e8ba06c3bcae211c..3da151de9b73e02873cb43637997a259acc79381 100644 (file)
--- a/libfstools/libfstools.h
+++ b/libfstools/libfstools.h
@@ -62,5 +62,6 @@ extern void overlay_delete(const char *dir, bool keep_sysupgrade);
  
  enum fs_state fs_state_get(const char *dir);
  int fs_state_set(const char *dir, enum fs_state state);
+void selinux_restorecon(char *overlaydir);
  
  #endif
diff --git a/libfstools/mount.c b/libfstools/mount.c

index c72c26d59704ab137ac9b2a080f4795d03fa7492..b30e5a6d3846639a0522867b5285478a48e2a916 100644 (file)
--- a/libfstools/mount.c
+++ b/libfstools/mount.c
@@ -14,6 +14,7 @@
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <sys/mount.h>
+#include <sys/wait.h>
  
  #include <errno.h>
  #include <stdio.h>
@@ -85,6 +86,24 @@ pivot(char *new, char *old)
         return 0;
  }
  
+void
+selinux_restorecon(char *overlaydir)
+{
+       struct stat s;
+       pid_t restorecon_pid;
+       int status;
+
+       /* on non-SELinux system we don't have /sbin/restorecon, return */
+       if (stat("/sbin/restorecon", &s))
+               return;
+
+       restorecon_pid = fork();
+       if (!restorecon_pid)
+               execl("/sbin/restorecon", "restorecon", overlaydir, (char *) NULL);
+       else if (restorecon_pid > 0)
+               waitpid(restorecon_pid, &status, 0);
+}
+
  /**
   * fopivot - switch to overlay using passed dir as upper one
   *
@@ -110,6 +129,13 @@ fopivot(char *rw_root, char *ro_root)
         snprintf(mount_options, sizeof(mount_options), "lowerdir=/,upperdir=%s,workdir=%s",
                  upperdir, workdir);
  
+       /*
+        * Initialize SELinux security label on newly created overlay
+        * filesystem where /upper doesn't yet exist
+        */
+       if (stat(upperdir, &st))
+               selinux_restorecon(rw_root);
+
         /*
          * Overlay FS v23 and later requires both a upper and
          * a work directory, both on the same filesystem, but
diff --git a/libfstools/overlay.c b/libfstools/overlay.c

index 508d23fc76aa13b29788bf8310df70ff37e2880a..eadafcf4391f36658c26f94c5fec770aeb6c743a 100644 (file)
--- a/libfstools/overlay.c
+++ b/libfstools/overlay.c
@@ -189,6 +189,7 @@ switch2jffs(struct volume *v)
                 ULOG_ERR("failed - mount -t jffs2 %s %s: %m\n", v->blk, OVERLAYDIR);
                 return -1;
         }
+       selinux_restorecon(OVERLAYDIR);
  
         if (mount("none", "/", NULL, MS_NOATIME | MS_REMOUNT, 0)) {
                 ULOG_ERR("failed - mount -o remount,ro none: %m\n");
author	Daniel Golle <daniel@makrotopia.org>
	Sun, 11 Oct 2020 00:36:51 +0000 (01:36 +0100)
committer	Daniel Golle <daniel@makrotopia.org>
	Fri, 16 Oct 2020 00:48:48 +0000 (01:48 +0100)
libfstools/libfstools.h		patch \| blob \| history
libfstools/mount.c		patch \| blob \| history
libfstools/overlay.c		patch \| blob \| history