#include "selinux-util.h"
#include "smack-util.h"
-int label_fix(const char *path, LabelFixFlags flags) {
+int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
int r, q;
- r = mac_selinux_fix(path, flags);
- q = mac_smack_fix(path, flags);
+ r = mac_selinux_fix_container(path, inside_path, flags);
+ q = mac_smack_fix_container(path, inside_path, flags);
if (r < 0)
return r;
LABEL_IGNORE_EROFS = 1 << 1,
} LabelFixFlags;
-int label_fix(const char *path, LabelFixFlags flags);
+int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
+static inline int label_fix(const char *path, LabelFixFlags flags) {
+ return label_fix_container(path, path, flags);
+}
int mkdir_label(const char *path, mode_t mode);
int mkdirat_label(int dirfd, const char *path, mode_t mode);
#endif
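Review bot: The new `inside_path` parameter of `label_fix_container` is not documented, and its meaning is not obvious from the signature alone: judging from selinux-util.c, `path` is the file actually opened and relabelled while `inside_path` is the path consulted in the policy lookup (`selabel_lookup_raw(..., inside_path, ...)`). I would put that above the prototype so callers do not pass the two the wrong way round: `/* Relabel the file at 'path', but look the label up in the policy as if it lived at 'inside_path' (e.g. a temporary mount that will become /dev). */`. The preceding `LabelFixFlags` enum starts outside the hunk.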
}
-int mac_selinux_fix(const char *path, LabelFixFlags flags) {
+int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
#if HAVE_SELINUX
char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
if (fstat(fd, &st) < 0)
return -errno;
- if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
+ if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) < 0) {
r = -errno;
/* If there's no label to set, then exit without warning */
return 0;
fail:
- log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
+ log_enforcing_errno(r, "Unable to fix SELinux security context of %s (%s): %m", path, inside_path);
if (security_getenforce() == 1)
return r;
#endif
void mac_selinux_finish(void);
void mac_selinux_reload(void);
-int mac_selinux_fix(const char *path, LabelFixFlags flags);
+int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
+static inline int mac_selinux_fix(const char *path, LabelFixFlags flags) {
+ return mac_selinux_fix_container(path, path, flags);
+}
+
int mac_selinux_apply(const char *path, const char *label);
int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
return smack_fix_fd(fd, path, flags);
}
-int mac_smack_fix(const char *path, LabelFixFlags flags) {
+int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
_cleanup_free_ char *abspath = NULL;
_cleanup_close_ int fd = -1;
int r;
return -errno;
}
- return smack_fix_fd(fd, abspath, flags);
+ return smack_fix_fd(fd, inside_path, flags);
}
int mac_smack_copy(const char *dest, const char *src) {
return 0;
}
-int mac_smack_fix(const char *path, LabelFixFlags flags) {
+int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
return 0;
}
bool mac_smack_use(void);
-int mac_smack_fix(const char *path, LabelFixFlags flags);
+int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
+static inline int mac_smack_fix(const char *path, LabelFixFlags flags) {
+ return mac_smack_fix_container(path, path, flags);
+}
+
int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags);
const char* smack_attr_to_string(SmackAttr i) _const_;
#include "tmpfile-util.h"
#include "umask-util.h"
#include "user-util.h"
+#include "virt.h"
#define DEV_MOUNT_OPTIONS (MS_NOSUID|MS_STRICTATIME|MS_NOEXEC)
r = log_debug_errno(errno, "Failed to mount tmpfs on '%s': %m", dev);
goto fail;
}
+#if HAVE_SELINUX || ENABLE_SMACK
+ if (detect_container() <= 0) {
+ /* these could fail if inside container */
+ r = mac_selinux_init();
+ if (r < 0) {
+ log_debug("Failed to reinitialize SELinux policy");
+ goto fail;
+ }
+ r = label_fix_container(dev, "/dev", 0);
+ if (r < 0) {
+ log_debug_errno(errno, "Failed to fix label of '%s' as /dev: %m", dev);
+ goto fail;
+ }
+ mac_selinux_finish();
+ }
+#endif
devpts = strjoina(temporary_mount, "/dev/pts");
(void) mkdir(devpts, 0755);
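Review bot: The added failure log after `label_fix_container(dev, "/dev", 0)` passes `errno` to `log_debug_errno`, but the function reports its failure through the negative return value stored in `r` (see `r = -errno` / `return r` in the label helpers), and `errno` may have been overwritten by intermediate calls, so the logged reason can be wrong; use `log_debug_errno(r, "Failed to fix label of '%s' as /dev: %m", dev);`. The `mac_selinux_init` failure path likewise drops the code it just received: `log_debug_errno(r, "Failed to reinitialize SELinux policy: %m");` keeps it. Also note that both `goto fail` branches skip `mac_selinux_finish()`; whether the `fail:` label (outside this hunk) releases the label handle should be confirmed. The enclosing function begins before and ends after the hunk.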