From a72b0840ca246d6154deca12dec7d854fec3c0da Mon Sep 17 00:00:00 2001
From: smitsohu <smitsohu@gmail.com>
Date: Sun, 6 Jun 2021 18:49:51 +0200
Subject: selinux enhancements

---
 src/fcopy/main.c       | 17 ++++++++++++-----
 src/firejail/fs_home.c |  1 +
 src/firejail/selinux.c | 10 +++++++---
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 869549821..31810de9a 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -19,11 +19,15 @@
  */
 
 #include "../include/common.h"
-#include <fcntl.h>
 #include <ftw.h>
 #include <errno.h>
 #include <pwd.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
+
 #if HAVE_SELINUX
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -55,7 +59,7 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
 	assert(path);
 	assert(inside_path);
 #if HAVE_SELINUX
-        char procfs_path[64];
+	char procfs_path[64];
 	char *fcon = NULL;
 	int fd;
 	struct stat st;
@@ -69,20 +73,23 @@ static void selinux_relabel_path(const char *path, const char *inside_path) {
 	if (!label_hnd)
 		label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 
+	if (!label_hnd)
+		errExit("selabel_open");
+
 	/* Open the file as O_PATH, to pin it while we determine and adjust the label */
-        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+	fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
 	if (fd < 0)
 		return;
 	if (fstat(fd, &st) < 0)
 		goto close;
 
-        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+	if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
 		sprintf(procfs_path, "/proc/self/fd/%i", fd);
 		if (arg_debug)
 			printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
 
 		setfilecon_raw(procfs_path, fcon);
-        }
+	}
 	freecon(fcon);
  close:
 	close(fd);
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 4bcefa443..f61d43c29 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -234,6 +234,7 @@ static void copy_asoundrc(void) {
 	}
 
 	copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+	selinux_relabel_path(dest, src);
 	fs_logger2("clone", dest);
 	free(dest);
 
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c
index 06189d7f6..6969e7a3d 100644
--- a/src/firejail/selinux.c
+++ b/src/firejail/selinux.c
@@ -19,10 +19,13 @@
 */
 #if HAVE_SELINUX
 #include "firejail.h"
-
 #include <sys/types.h>
 #include <sys/stat.h>
+
 #include <fcntl.h>
+#ifndef O_PATH
+#define O_PATH 010000000
+#endif
 
 #include <selinux/context.h>
 #include <selinux/label.h>
@@ -52,8 +55,9 @@ void selinux_relabel_path(const char *path, const char *inside_path)
 	if (!label_hnd)
 		errExit("selabel_open");
 
-	/* Open the file as O_PATH, to pin it while we determine and adjust the label */
-	fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+	/* Open the file as O_PATH, to pin it while we determine and adjust the label
+	 * Defeat symlink races by not allowing symbolic links */
+	fd = safer_openat(-1, path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
 	if (fd < 0)
 		return;
 	if (fstat(fd, &st) < 0)
-- 
cgit v1.2.3-54-g00ecf