diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/fcopy/main.c | 17 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 1 | ||||
-rw-r--r-- | src/firejail/selinux.c | 10 |
3 files changed, 20 insertions, 8 deletions
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 869549821..31810de9a 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -19,11 +19,15 @@ | |||
19 | */ | 19 | */ |
20 | 20 | ||
21 | #include "../include/common.h" | 21 | #include "../include/common.h" |
22 | #include <fcntl.h> | ||
23 | #include <ftw.h> | 22 | #include <ftw.h> |
24 | #include <errno.h> | 23 | #include <errno.h> |
25 | #include <pwd.h> | 24 | #include <pwd.h> |
26 | 25 | ||
26 | #include <fcntl.h> | ||
27 | #ifndef O_PATH | ||
28 | #define O_PATH 010000000 | ||
29 | #endif | ||
30 | |||
27 | #if HAVE_SELINUX | 31 | #if HAVE_SELINUX |
28 | #include <sys/stat.h> | 32 | #include <sys/stat.h> |
29 | #include <sys/types.h> | 33 | #include <sys/types.h> |
@@ -55,7 +59,7 @@ static void selinux_relabel_path(const char *path, const char *inside_path) { | |||
55 | assert(path); | 59 | assert(path); |
56 | assert(inside_path); | 60 | assert(inside_path); |
57 | #if HAVE_SELINUX | 61 | #if HAVE_SELINUX |
58 | char procfs_path[64]; | 62 | char procfs_path[64]; |
59 | char *fcon = NULL; | 63 | char *fcon = NULL; |
60 | int fd; | 64 | int fd; |
61 | struct stat st; | 65 | struct stat st; |
@@ -69,20 +73,23 @@ static void selinux_relabel_path(const char *path, const char *inside_path) { | |||
69 | if (!label_hnd) | 73 | if (!label_hnd) |
70 | label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); | 74 | label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); |
71 | 75 | ||
76 | if (!label_hnd) | ||
77 | errExit("selabel_open"); | ||
78 | |||
72 | /* Open the file as O_PATH, to pin it while we determine and adjust the label */ | 79 | /* Open the file as O_PATH, to pin it while we determine and adjust the label */ |
73 | fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); | 80 | fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); |
74 | if (fd < 0) | 81 | if (fd < 0) |
75 | return; | 82 | return; |
76 | if (fstat(fd, &st) < 0) | 83 | if (fstat(fd, &st) < 0) |
77 | goto close; | 84 | goto close; |
78 | 85 | ||
79 | if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { | 86 | if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) == 0) { |
80 | sprintf(procfs_path, "/proc/self/fd/%i", fd); | 87 | sprintf(procfs_path, "/proc/self/fd/%i", fd); |
81 | if (arg_debug) | 88 | if (arg_debug) |
82 | printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); | 89 | printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon); |
83 | 90 | ||
84 | setfilecon_raw(procfs_path, fcon); | 91 | setfilecon_raw(procfs_path, fcon); |
85 | } | 92 | } |
86 | freecon(fcon); | 93 | freecon(fcon); |
87 | close: | 94 | close: |
88 | close(fd); | 95 | close(fd); |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 4bcefa443..f61d43c29 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -234,6 +234,7 @@ static void copy_asoundrc(void) { | |||
234 | } | 234 | } |
235 | 235 | ||
236 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user | 236 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user |
237 | selinux_relabel_path(dest, src); | ||
237 | fs_logger2("clone", dest); | 238 | fs_logger2("clone", dest); |
238 | free(dest); | 239 | free(dest); |
239 | 240 | ||
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c index 06189d7f6..6969e7a3d 100644 --- a/src/firejail/selinux.c +++ b/src/firejail/selinux.c | |||
@@ -19,10 +19,13 @@ | |||
19 | */ | 19 | */ |
20 | #if HAVE_SELINUX | 20 | #if HAVE_SELINUX |
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | |||
23 | #include <sys/types.h> | 22 | #include <sys/types.h> |
24 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
24 | |||
25 | #include <fcntl.h> | 25 | #include <fcntl.h> |
26 | #ifndef O_PATH | ||
27 | #define O_PATH 010000000 | ||
28 | #endif | ||
26 | 29 | ||
27 | #include <selinux/context.h> | 30 | #include <selinux/context.h> |
28 | #include <selinux/label.h> | 31 | #include <selinux/label.h> |
@@ -52,8 +55,9 @@ void selinux_relabel_path(const char *path, const char *inside_path) | |||
52 | if (!label_hnd) | 55 | if (!label_hnd) |
53 | errExit("selabel_open"); | 56 | errExit("selabel_open"); |
54 | 57 | ||
55 | /* Open the file as O_PATH, to pin it while we determine and adjust the label */ | 58 | /* Open the file as O_PATH, to pin it while we determine and adjust the label |
56 | fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); | 59 | * Defeat symlink races by not allowing symbolic links */ |
60 | fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH); | ||
57 | if (fd < 0) | 61 | if (fd < 0) |
58 | return; | 62 | return; |
59 | if (fstat(fd, &st) < 0) | 63 | if (fstat(fd, &st) < 0) |