PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
any children will also be in the newly entered PID namespace.
.TP
+\fB\-Z\fR, \fB\-\-follow\-context\fR
+Set the SELinux security context used for executing a new process according to
+already running process specified by \fB\-\-target\fR PID. (The util-linux has
+to be compiled with SELinux support otherwise the option is unavailable.)
+.TP
\fB\-V\fR, \fB\-\-version\fR
Display version information and exit.
.TP
.SH SEE ALSO
.BR setns (2),
.BR clone (2)
-.SH AUTHOR
-.MT ebiederm@xmission.com
+.SH AUTHORS
+.UR biederm@xmission.com
Eric Biederman
-.ME
+.UE
+.br
+.UR kzak@redhat.com
+Karel Zak
+.UE
.SH AVAILABILITY
The nsenter command is part of the util-linux package and is available from
.UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
#include <sys/wait.h>
#include <grp.h>
+#ifdef HAVE_LIBSELINUX
+# include <selinux/selinux.h>
+#endif
+
#include "strutils.h"
#include "nls.h"
#include "c.h"
fputs(_(" -r, --root[=<dir>] set the root directory\n"), out);
fputs(_(" -w, --wd[=<dir>] set the working directory\n"), out);
fputs(_(" -F, --no-fork do not fork before exec'ing <program>\n"), out);
+#ifdef HAVE_LIBSELINUX
+ fputs(_(" -Z, --follow-context set SELinux context according to --target PID\n"), out);
+#endif
fputs(USAGE_SEPARATOR, out);
fputs(USAGE_HELP, out);
{ "wd", optional_argument, NULL, 'w' },
{ "no-fork", no_argument, NULL, 'F' },
{ "preserve-credentials", no_argument, NULL, OPT_PRESERVE_CRED },
+#ifdef HAVE_LIBSELINUX
+ { "follow-context", no_argument, NULL, 'Z' },
+#endif
{ NULL, 0, NULL, 0 }
};
int do_fork = -1; /* unknown yet */
uid_t uid = 0;
gid_t gid = 0;
+#ifdef HAVE_LIBSELINUX
+ bool selinux = 0;
+#endif
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
atexit(close_stdout);
while ((c =
- getopt_long(argc, argv, "+hVt:m::u::i::n::p::U::S:G:r::w::F",
+ getopt_long(argc, argv, "+hVt:m::u::i::n::p::U::S:G:r::w::FZ",
longopts, NULL)) != -1) {
switch (c) {
case 'h':
case OPT_PRESERVE_CRED:
preserve_cred = 1;
break;
+#ifdef HAVE_LIBSELINUX
+ case 'Z':
+ selinux = 1;
+ break;
+#endif
default:
usage(EXIT_FAILURE);
}
}
+#ifdef HAVE_LIBSELINUX
+ if (selinux && is_selinux_enabled() > 0) {
+ char *scon = NULL;
+
+ if (!namespace_target_pid)
+ errx(EXIT_FAILURE, _("no target PID specified for --follow-context"));
+ if (getpidcon(namespace_target_pid, &scon) < 0)
+ errx(EXIT_FAILURE, _("failed to get %d SELinux context"),
+ (int) namespace_target_pid);
+ if (setexeccon(scon) < 0)
+ errx(EXIT_FAILURE, _("failed to set exec context to '%s'"), scon);
+ freecon(scon);
+ }
+#endif
/*
* Open remaining namespace and directory descriptors.
*/
projects / thirdparty / util-linux.git / commitdiff
