basic: mac_[selinux,smack]_apply_fd does not work when applying labels

Commit a7fdc6c introduced a regression where file descriptors are opened
using O_PATH option. mac_smack_apply_fd() calls fsetxattr() and would fail
with a -EBADF (Bad file descriptor) error.

Use FORMAT_PROC_FD_PATH(fd) to convert the fd back into a full path and
call setxattr() or setfilecon() instead.

Signed-off-by: Donald Chan <hoiho@amazon.com>

diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index a1359a5bfd3fab09a3aaaf5b0a375477d61d7027..67ea8581422a1a4e37d9b946d4411656a4ff6fd6 100644 (file)
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -346,7 +346,7 @@ int mac_selinux_apply_fd(int fd, const char *path, const char *label) {
 
         assert(label);
 
-        if (fsetfilecon(fd, label) < 0)
+        if (setfilecon(FORMAT_PROC_FD_PATH(fd), label) < 0)
                 return log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, strna(path));
 #endif
         return 0;

diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index b8434b068ca9af79187571e8e0ecbcc80422d846..0df1778cb2dcb8c4b4c71a220631852663f9008d 100644 (file)
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -95,9 +95,9 @@ int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
                 return 0;
 
         if (label)
-                r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
+                r = setxattr(FORMAT_PROC_FD_PATH(fd), smack_attr_to_string(attr), label, strlen(label), 0);
         else
-                r = fremovexattr(fd, smack_attr_to_string(attr));
+                r = removexattr(FORMAT_PROC_FD_PATH(fd), smack_attr_to_string(attr));
         if (r < 0)
                 return -errno;