|
 |
b0464b |
From 1abef6b50970ab627019f04f269176e03edbae08 Mon Sep 17 00:00:00 2001
|
|
|
b0464b |
From: Jonathan Lebon <jlebon@redhat.com>
|
|
|
b0464b |
Date: Wed, 29 Mar 2017 11:00:11 -0400
|
|
|
b0464b |
Subject: [PATCH] unlock: backport sepolicy fix
|
|
|
b0464b |
|
|
|
b0464b |
This patch backports https://github.com/ostreedev/ostree/pull/763 to the
|
|
|
b0464b |
v2017.3 release. Rather than backporting all the new sepolicy stuff, I
|
|
|
b0464b |
reworked it in the style of yore.
|
|
|
b0464b |
---
|
|
|
b0464b |
src/libostree/ostree-sysroot.c | 23 +++++++++++++++++++++--
|
|
|
b0464b |
1 file changed, 21 insertions(+), 2 deletions(-)
|
|
|
b0464b |
|
|
|
b0464b |
diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c
|
|
|
b0464b |
index f50e34b..0365624 100644
|
|
|
b0464b |
--- a/src/libostree/ostree-sysroot.c
|
|
|
b0464b |
+++ b/src/libostree/ostree-sysroot.c
|
|
|
b0464b |
@@ -25,6 +25,7 @@
|
|
|
b0464b |
#include <sys/wait.h>
|
|
|
b0464b |
|
|
|
b0464b |
#include "ostree-core-private.h"
|
|
|
b0464b |
+#include "ostree-sepolicy.h"
|
|
|
b0464b |
#include "ostree-sysroot-private.h"
|
|
|
b0464b |
#include "ostree-deployment-private.h"
|
|
|
b0464b |
#include "ostree-bootloader-uboot.h"
|
|
|
b0464b |
@@ -1699,6 +1700,7 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
|
|
|
b0464b |
g_autofree char *deployment_path = NULL;
|
|
|
b0464b |
glnx_fd_close int deployment_dfd = -1;
|
|
|
b0464b |
pid_t mount_child;
|
|
|
b0464b |
+ glnx_unref_object OstreeSePolicy *sepolicy = NULL;
|
|
|
b0464b |
|
|
|
b0464b |
/* This function cannot re-lock */
|
|
|
b0464b |
g_return_val_if_fail (unlocked_state != OSTREE_DEPLOYMENT_UNLOCKED_NONE, FALSE);
|
|
|
b0464b |
@@ -1735,6 +1737,13 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
|
|
|
b0464b |
if (!glnx_opendirat (self->sysroot_fd, deployment_path, TRUE, &deployment_dfd, error))
|
|
|
b0464b |
goto out;
|
|
|
b0464b |
|
|
|
b0464b |
+ { g_autofree char *abspath = glnx_fdrel_abspath (deployment_dfd, ".");
|
|
|
b0464b |
+ g_autoptr(GFile) path = g_file_new_for_path (abspath);
|
|
|
b0464b |
+ sepolicy = ostree_sepolicy_new (path, cancellable, error);
|
|
|
b0464b |
+ if (!sepolicy)
|
|
|
b0464b |
+ goto out;
|
|
|
b0464b |
+ }
|
|
|
b0464b |
+
|
|
|
b0464b |
switch (unlocked_state)
|
|
|
b0464b |
{
|
|
|
b0464b |
case OSTREE_DEPLOYMENT_UNLOCKED_NONE:
|
|
|
b0464b |
@@ -1762,8 +1771,18 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self,
|
|
|
b0464b |
const char *development_ovl_upper;
|
|
|
b0464b |
const char *development_ovl_work;
|
|
|
b0464b |
|
|
|
b0464b |
- if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0700, error))
|
|
|
b0464b |
- goto out;
|
|
|
b0464b |
+ /* Ensure that the directory is created with the same label as `/usr` */
|
|
|
b0464b |
+#pragma GCC diagnostic push
|
|
|
b0464b |
+#pragma GCC diagnostic ignored "-Wunused-variable"
|
|
|
b0464b |
+ { ostree_cleanup_sepolicy_fscreatecon gpointer dummy = NULL;
|
|
|
b0464b |
+#pragma GCC diagnostic pop
|
|
|
b0464b |
+
|
|
|
b0464b |
+ if (!ostree_sepolicy_setfscreatecon (sepolicy, "/usr", 0755, error))
|
|
|
b0464b |
+ goto out;
|
|
|
b0464b |
+
|
|
|
b0464b |
+ if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0755, error))
|
|
|
b0464b |
+ goto out;
|
|
|
b0464b |
+ }
|
|
|
b0464b |
|
|
|
b0464b |
development_ovl_upper = glnx_strjoina (development_ovldir, "/upper");
|
|
|
b0464b |
if (!glnx_shutil_mkdir_p_at (AT_FDCWD, development_ovl_upper, 0755, cancellable, error))
|
|
|
b0464b |
--
|
|
|
b0464b |
2.10.2
|
|
|
b0464b |
|