author | smitsohu <smitsohu@gmail.com> | 2021-03-14 00:57:04 +0100 |
committer | smitsohu <smitsohu@gmail.com> | 2021-03-14 01:19:04 +0100 |
commit | 570e0412a7619660133b49d54813133b0cf76943 (patch) | |
tree | c92da548086fa6445131065242492dcb2264e5cc | |
parent | Merge pull request #4084 from tredondo/patch-4 (diff) | |
selinux relabeling fixes
-rw-r--r-- | src/firejail/fs.c | 1 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 7 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 2 |
3 files changed, 6 insertions, 4 deletions
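--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 }
 fs_tmpfs(fname, getuid());
+selinux_relabel_path(fname, fname);
 last_disable = SUCCESSFUL;
 }
 else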
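--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -31,7 +31,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 static void skel(const char *homedir, uid_t u, gid_t g) {
@@ -384,7 +384,6 @@ void fs_private(void) {
 if (chown(homedir, u, g) < 0)
 errExit("chown");
 
-selinux_relabel_path(homedir, homedir);
 fs_logger2("mkdir", homedir);
 fs_logger2("tmpfs", homedir);
 }
@@ -392,6 +391,8 @@ void fs_private(void) {
 // mask user home directory
 // the directory should be owned by the current user
 fs_tmpfs(homedir, 1);
+
+selinux_relabel_path(homedir, homedir);
 }
 
 skel(homedir, u, g);
@@ -549,7 +550,7 @@ void fs_private_home_list(void) {
 
 // create /run/firejail/mnt/home directory
 mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
-selinux_relabel_path(RUN_HOME_DIR, "/home");
+selinux_relabel_path(RUN_HOME_DIR, homedir);
 fs_logger_print(); // save the current log
 
 if (arg_debug)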
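Review bot: In the -384 hunk the relabel that followed chown is dropped from the branch that creates homedir, while the -392 hunk adds it only after fs_tmpfs in the other branch; if the newly created directory is expected to get its label from policy at creation rather than from an explicit relabel, that deserves a comment at the create site, e.g. `// no relabel needed: the new directory is labeled by policy when created`, so nobody re-adds the call. Whether that branch also ends up under a tmpfs is not visible in the hunk; I am inferring it from the fs_logger2("tmpfs", homedir) call there. In the -549 hunk, passing homedir instead of "/home" as the second argument presumably gives RUN_HOME_DIR the label policy assigns to the user's home directory rather than to the /home root; a short comment on that line would record the reason. fs_private and fs_private_home_list both extend beyond these hunks.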
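--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -104,13 +104,13 @@ static void sanitize_home(void) {
 errExit("mkpath");
 if (mkdir(cfg.homedir, 0755) == -1)
 errExit("mkdir");
-selinux_relabel_path(cfg.homedir, cfg.homedir);
 }
 fs_logger2("mkdir", cfg.homedir);
 
 // set mode and ownership
 if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
 errExit("set_perms");
+selinux_relabel_path(cfg.homedir, cfg.homedir);
 
 // mount user home directory
 if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)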
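Review bot: The relabel moved to new line 113 runs on cfg.homedir immediately before RUN_WHITELIST_HOME_DIR is bind-mounted over it, so the label it sets applies to the directory underneath the mount and, once mount() succeeds, lookups at cfg.homedir should see the bind source's label instead. If the intent is to label the mount point itself, in the same way set_perms just set its mode and ownership, a comment such as `// label the mount point before it is covered by the bind mount` would make that deliberate and stop someone moving the call below mount(). The call now also executes whether or not the mkdir branch ran, which is consistent with set_perms. sanitize_home's body starts before and continues after this hunk, and the mount() failure handling is outside it.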