diff options
Diffstat (limited to 'src/firejail/selinux.c')
| -rw-r--r-- | src/firejail/selinux.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c index 06189d7f6..6969e7a3d 100644 --- a/src/firejail/selinux.c +++ b/src/firejail/selinux.c | |||
| @@ -19,10 +19,13 @@ | |||
| 19 | */ | 19 | */ |
| 20 | #if HAVE_SELINUX | 20 | #if HAVE_SELINUX |
| 21 | #include "firejail.h" | 21 | #include "firejail.h" |
| 22 | |||
| 23 | #include <sys/types.h> | 22 | #include <sys/types.h> |
| 24 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
| 24 | |||
| 25 | #include <fcntl.h> | 25 | #include <fcntl.h> |
| 26 | #ifndef O_PATH | ||
| 27 | #define O_PATH 010000000 | ||
| 28 | #endif | ||
| 26 | 29 | ||
| 27 | #include <selinux/context.h> | 30 | #include <selinux/context.h> |
| 28 | #include <selinux/label.h> | 31 | #include <selinux/label.h> |
| @@ -52,8 +55,9 @@ void selinux_relabel_path(const char *path, const char *inside_path) | |||
| 52 | if (!label_hnd) | 55 | if (!label_hnd) |
| 53 | errExit("selabel_open"); | 56 | errExit("selabel_open"); |
| 54 | 57 | ||
| 55 | /* Open the file as O_PATH, to pin it while we determine and adjust the label */ | 58 | /* Open the file as O_PATH, to pin it while we determine and adjust the label |
| 56 | fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); | 59 | * Defeat symlink races by not allowing symbolic links */ |
| 60 | fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH); | ||
| 57 | if (fd < 0) | 61 | if (fd < 0) |
| 58 | return; | 62 | return; |
| 59 | if (fstat(fd, &st) < 0) | 63 | if (fstat(fd, &st) < 0) |