diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2020-02-18 20:38:00 +0200 |
|---|---|---|
| committer |  Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-02-22 08:27:24 +0000 |
| commit | 1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e (patch) | |
| tree | 415eb19d90e2ed1de7236c784c1e28d3acfbcaab /src/firejail/sandbox.c | |
| parent | Whitelist more /usr/share for okular and others (diff) | |
| download | firejail-1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e.tar.gz firejail-1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e.tar.zst firejail-1ad2d54c014a49f6ad0b487dd0d9b361cb4d299e.zip | |
Add support for SELinux labeling
Running `firejail --noprofile --private-bin=bash,ls ls -1Za /usr/bin`
shows that the SELinux labels are not correct:
```
user_u:object_r:user_tmpfs_t:s0 .
system_u:object_r:usr_t:s0 ..
user_u:object_r:user_tmpfs_t:s0 bash
user_u:object_r:user_tmpfs_t:s0 ls
```
After fixing this:
```
system_u:object_r:bin_t:s0 .
system_u:object_r:usr_t:s0 ..
system_u:object_r:shell_exec_t:s0 bash
system_u:object_r:bin_t:s0 ls
```
Most copied files and created directories should now have correct
labels (bind mounted objects keep their labels). This is useful to
avoid having to change the SELinux rules when using Firejail.
Diffstat (limited to 'src/firejail/sandbox.c')
| -rw-r--r-- | src/firejail/sandbox.c | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 4f53cafcc..d1d98f636 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -848,20 +848,6 @@ int sandbox(void* sandbox_arg) { | |||
| 848 | if (arg_private_dev) | 848 | if (arg_private_dev) |
| 849 | fs_private_dev(); | 849 | fs_private_dev(); |
| 850 | 850 | ||
| 851 | if (arg_private_etc) { | ||
| 852 | if (cfg.chrootdir) | ||
| 853 | fwarning("private-etc feature is disabled in chroot\n"); | ||
| 854 | else if (arg_overlay) | ||
| 855 | fwarning("private-etc feature is disabled in overlay\n"); | ||
| 856 | else { | ||
| 857 | fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); | ||
| 858 | fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE | ||
| 859 | // create /etc/ld.so.preload file again | ||
| 860 | if (need_preload) | ||
| 861 | fs_trace_preload(); | ||
| 862 | } | ||
| 863 | } | ||
| 864 | |||
| 865 | if (arg_private_opt) { | 851 | if (arg_private_opt) { |
| 866 | if (cfg.chrootdir) | 852 | if (cfg.chrootdir) |
| 867 | fwarning("private-opt feature is disabled in chroot\n"); | 853 | fwarning("private-opt feature is disabled in chroot\n"); |
| @@ -964,6 +950,21 @@ int sandbox(void* sandbox_arg) { | |||
| 964 | else if (arg_disable_mnt) | 950 | else if (arg_disable_mnt) |
| 965 | fs_mnt(0); | 951 | fs_mnt(0); |
| 966 | 952 | ||
| 953 | // Install new /etc last, so we can use it as long as possible | ||
| 954 | if (arg_private_etc) { | ||
| 955 | if (cfg.chrootdir) | ||
| 956 | fwarning("private-etc feature is disabled in chroot\n"); | ||
| 957 | else if (arg_overlay) | ||
| 958 | fwarning("private-etc feature is disabled in overlay\n"); | ||
| 959 | else { | ||
| 960 | fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); | ||
| 961 | fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE | ||
| 962 | // create /etc/ld.so.preload file again | ||
| 963 | if (need_preload) | ||
| 964 | fs_trace_preload(); | ||
| 965 | } | ||
| 966 | } | ||
| 967 | |||
| 967 | //**************************** | 968 | //**************************** |
| 968 | // apply the profile file | 969 | // apply the profile file |
| 969 | //**************************** | 970 | //**************************** |