From 1c2c772f0ee05fdd42e462eacc92e79c201df110 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Wed, 22 Apr 2020 14:31:22 +0200 Subject: selinux relabeling, little things --- src/firejail/fs_home.c | 9 +++++++-- src/firejail/fs_whitelist.c | 2 +- src/firejail/restrict_users.c | 6 ++---- 3 files changed, 10 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index ff6d78bf2..af891d61f 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -357,11 +357,14 @@ void fs_private(void) { printf("Mounting a new /root directory\n"); if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0) errExit("mounting /root directory"); + selinux_relabel_path("/root", "/root"); fs_logger("tmpfs /root"); if (arg_allusers) { if (u != 0) - fs_tmpfs(homedir, 1); // check if directory is owned by the current user + // mask user home directory + // the directory should be owned by the current user + fs_tmpfs(homedir, 1); } else { // mask /home if (arg_debug) @@ -390,7 +393,9 @@ void fs_private(void) { fs_logger2("tmpfs", homedir); } else - fs_tmpfs(homedir, 1); // check if directory is owned by the current user + // mask user home directory + // the directory should be owned by the current user + fs_tmpfs(homedir, 1); } } diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 3f3075570..1d7552339 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -1070,7 +1070,7 @@ void fs_whitelist(void) { free(proc); close(fd); - // mount a tmpfs and initialize home directory, overrides --allusers + // mount a tmpfs and initialize home directory fs_private(); } else diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 804b45339..c12227406 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -72,10 +72,6 @@ static void sanitize_home(void) { if (arg_debug) printf("Cleaning /home directory\n"); - - if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) - errExit("mkdir"); - // keep a copy of the user home directory int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); if (fd == -1) { @@ -90,6 +86,8 @@ static void sanitize_home(void) { char *proc; if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) errExit("asprintf"); + if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) + errExit("mkdir"); if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); free(proc); -- cgit v1.2.3-54-g00ecf