authorLibravatar smitsohu <smitsohu@gmail.com>2021-03-14 00:57:04 +0100
committerLibravatar smitsohu <smitsohu@gmail.com>2021-03-14 01:19:04 +0100
commit570e0412a7619660133b49d54813133b0cf76943 (patch)
treec92da548086fa6445131065242492dcb2264e5cc /src
parentMerge pull request #4084 from tredondo/patch-4 (diff)
selinux relabeling fixes
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs.c1
-rw-r--r--src/firejail/fs_home.c7
-rw-r--r--src/firejail/restrict_users.c2
3 files changed, 6 insertions, 4 deletions
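--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -170,6 +170,7 @@ static void disable_file(OPERATION op, const char *filename) {
 }
 }
 fs_tmpfs(fname, getuid());
+selinux_relabel_path(fname, fname);
 last_disable = SUCCESSFUL;
 }
 else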
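Review bot: The relabel added right after `fs_tmpfs(fname, getuid())` carries no comment explaining why a freshly mounted tmpfs needs its SELinux context set, and the equivalent calls in fs_home.c and restrict_users.c are equally undocumented; a one-liner such as `// a new tmpfs mount gets the default tmpfs label; presumably restore the context expected for this path` would make the intent clear at each site. It is also not visible from the hunk whether selinux_relabel_path can fail and how that is reported before `last_disable = SUCCESSFUL` is recorded, so it is worth confirming that a relabel failure is surfaced rather than silently ignored. disable_file starts and ends outside the hunk.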
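--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -31,7 +31,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 static void skel(const char *homedir, uid_t u, gid_t g) {
@@ -384,7 +384,6 @@ void fs_private(void) {
 if (chown(homedir, u, g) < 0)
 errExit("chown");
 
-selinux_relabel_path(homedir, homedir);
 fs_logger2("mkdir", homedir);
 fs_logger2("tmpfs", homedir);
 }
@@ -392,6 +391,8 @@ void fs_private(void) {
 // mask user home directory
 // the directory should be owned by the current user
 fs_tmpfs(homedir, 1);
+
+selinux_relabel_path(homedir, homedir);
 }
 
 skel(homedir, u, g);
@@ -549,7 +550,7 @@ void fs_private_home_list(void) {
 
 // create /run/firejail/mnt/home directory
 mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
-selinux_relabel_path(RUN_HOME_DIR, "/home");
+selinux_relabel_path(RUN_HOME_DIR, homedir);
 fs_logger_print(); // save the current log
 
 if (arg_debug)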
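Review bot: After this change the branch that creates `homedir` (hunk at -384) no longer relabels it, while the mask branch (hunk at -392) now does; if the created directory is also tmpfs-mounted, which the `fs_logger2("tmpfs", homedir)` log line in that branch suggests, it would now keep the default tmpfs label. If that is intentional (for example because the parent directory was relabeled earlier), a comment in the created branch saying so would keep the next reader from re-adding the call; otherwise the relabel belongs in both branches, e.g. after `errExit("chown");`: `selinux_relabel_path(homedir, homedir);`. fs_private's body extends beyond both hunks, so the earlier part of the created branch is not visible here.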
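--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -104,13 +104,13 @@ static void sanitize_home(void) {
 errExit("mkpath");
 if (mkdir(cfg.homedir, 0755) == -1)
 errExit("mkdir");
-selinux_relabel_path(cfg.homedir, cfg.homedir);
 }
 fs_logger2("mkdir", cfg.homedir);
 
 // set mode and ownership
 if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
 errExit("set_perms");
+selinux_relabel_path(cfg.homedir, cfg.homedir);
 
 // mount user home directory
 if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)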
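Review bot: Moving `selinux_relabel_path(cfg.homedir, cfg.homedir)` out of the mkdir branch makes it run on every call, presumably so the label is applied after set_perms has finalized ownership and mode; a comment stating that ordering requirement, e.g. `// relabel only after ownership and mode are final`, would keep a later refactor from moving it back inside the branch. The relabel appears to be applied to the mount point before RUN_WHITELIST_HOME_DIR is bind-mounted over it, so it affects the directory underneath the mount rather than the mounted home contents — worth confirming that is the intended target. sanitize_home starts and ends outside the hunk.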