From 1abef6b50970ab627019f04f269176e03edbae08 Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Wed, 29 Mar 2017 11:00:11 -0400 Subject: [PATCH] unlock: backport sepolicy fix This patch backports https://github.com/ostreedev/ostree/pull/763 to the v2017.3 release. Rather than backporting all the new sepolicy stuff, I reworked it in the style of yore. --- src/libostree/ostree-sysroot.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/src/libostree/ostree-sysroot.c b/src/libostree/ostree-sysroot.c index f50e34b..0365624 100644 --- a/src/libostree/ostree-sysroot.c +++ b/src/libostree/ostree-sysroot.c @@ -25,6 +25,7 @@ #include #include "ostree-core-private.h" +#include "ostree-sepolicy.h" #include "ostree-sysroot-private.h" #include "ostree-deployment-private.h" #include "ostree-bootloader-uboot.h" @@ -1699,6 +1700,7 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self, g_autofree char *deployment_path = NULL; glnx_fd_close int deployment_dfd = -1; pid_t mount_child; + glnx_unref_object OstreeSePolicy *sepolicy = NULL; /* This function cannot re-lock */ g_return_val_if_fail (unlocked_state != OSTREE_DEPLOYMENT_UNLOCKED_NONE, FALSE); @@ -1735,6 +1737,13 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self, if (!glnx_opendirat (self->sysroot_fd, deployment_path, TRUE, &deployment_dfd, error)) goto out; + { g_autofree char *abspath = glnx_fdrel_abspath (deployment_dfd, "."); + g_autoptr(GFile) path = g_file_new_for_path (abspath); + sepolicy = ostree_sepolicy_new (path, cancellable, error); + if (!sepolicy) + goto out; + } + switch (unlocked_state) { case OSTREE_DEPLOYMENT_UNLOCKED_NONE: @@ -1762,8 +1771,18 @@ ostree_sysroot_deployment_unlock (OstreeSysroot *self, const char *development_ovl_upper; const char *development_ovl_work; - if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0700, error)) - goto out; + /* Ensure that the directory is created with the same label as `/usr` */ +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wunused-variable" + { ostree_cleanup_sepolicy_fscreatecon gpointer dummy = NULL; +#pragma GCC diagnostic pop + + if (!ostree_sepolicy_setfscreatecon (sepolicy, "/usr", 0755, error)) + goto out; + + if (!glnx_mkdtempat (AT_FDCWD, development_ovldir, 0755, error)) + goto out; + } development_ovl_upper = glnx_strjoina (development_ovldir, "/upper"); if (!glnx_shutil_mkdir_p_at (AT_FDCWD, development_ovl_upper, 0755, cancellable, error)) -- 2.10.2