1 files changed, 73 insertions, 0 deletions
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
new file mode 100644
index 000000000..52d6788ef
--- /dev/null
+++ b/src/firejail/selinux.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2020 Firejail and systemd authors
+ *
+ * This file is part of firejail project, from systemd selinux-util.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#if HAVE_SELINUX
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <selinux/context.h>
+#include <selinux/label.h>
+#include <selinux/selinux.h>
+static struct selabel_handle *label_hnd = NULL;
+static int selinux_enabled = -1;
+#endif
+void selinux_relabel_path(const char *path, const char *inside_path)
+{
+#if HAVE_SELINUX
+        char procfs_path[64];
+        char *fcon = NULL;
+        int fd;
+        struct stat st;
+        if (selinux_enabled == -1)
+                selinux_enabled = is_selinux_enabled();
+        if (!selinux_enabled && arg_debug)
+                return;
+        if (!label_hnd)
+                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
+        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        if (fd < 0)
+                return;
+        if (fstat(fd, &st) < 0)
+                goto close;
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+                sprintf(procfs_path, "/proc/self/fd/%i", fd);
+                if (arg_debug)
+                        printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
+                setfilecon_raw(procfs_path, fcon);
+        }
+        freecon(fcon);
+ close:
+        close(fd);
+#else
+        (void) path;
+        (void) inside_path;
+#endif
+}

diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c new file mode 100644 index 000000000..52d6788ef --- /dev/null +++ b/src/firejail/selinux.c
@@ -0,0 +1,73 @@
	1	/*
	2	* Copyright (C) 2020 Firejail and systemd authors
	3	*
	4	* This file is part of firejail project, from systemd selinux-util.c
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#if HAVE_SELINUX
	21	#include "firejail.h"
	22
	23	#include <sys/types.h>
	24	#include <sys/stat.h>
	25	#include <fcntl.h>
	26
	27	#include <selinux/context.h>
	28	#include <selinux/label.h>
	29	#include <selinux/selinux.h>
	30
	31	static struct selabel_handle *label_hnd = NULL;
	32	static int selinux_enabled = -1;
	33	#endif
	34
	35	void selinux_relabel_path(const char path, const char inside_path)
	36	{
	37	#if HAVE_SELINUX
	38	char procfs_path[64];
	39	char *fcon = NULL;
	40	int fd;
	41	struct stat st;
	42
	43	if (selinux_enabled == -1)
	44	selinux_enabled = is_selinux_enabled();
	45
	46	if (!selinux_enabled && arg_debug)
	47	return;
	48
	49	if (!label_hnd)
	50	label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
	51
	52	/* Open the file as O_PATH, to pin it while we determine and adjust the label */
	53	fd = open(path, O_NOFOLLOW\|O_CLOEXEC\|O_PATH);
	54	if (fd < 0)
	55	return;
	56	if (fstat(fd, &st) < 0)
	57	goto close;
	58
	59	if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) {
	60	sprintf(procfs_path, "/proc/self/fd/%i", fd);
	61	if (arg_debug)
	62	printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
	63
	64	setfilecon_raw(procfs_path, fcon);
	65	}
	66	freecon(fcon);
	67	close:
	68	close(fd);
	69	#else
	70	(void) path;
	71	(void) inside_path;
	72	#endif
	73	}