

authored
bugfix: add missing selinux relabeling for /dev paths (#6734)
Some objects are created in fs_dev but not labeled. This patch ensures that those objects are properly labeled. Signed-off-by: Antonio Enrico Russo <[email protected]>
1 parent 0d89736 commit 977eac3


1 file changed

+15
-0
lines changed

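--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -355,6 +355,7 @@ void fs_private_dev(void) {
 if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting /dev");
 fs_logger("tmpfs /dev");
+selinux_relabel_path("/dev", "/dev");
 
 // optional devices: sound, video cards etc...
 deventry_mount_all();
@@ -384,16 +385,22 @@ void fs_private_dev(void) {
 // create default devices
 create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5
 fs_logger("mknod /dev/zero");
+selinux_relabel_path("/dev/zero", "/dev/zero");
 create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3
 fs_logger("mknod /dev/null");
+selinux_relabel_path("/dev/null", "/dev/null");
 create_char_dev("/dev/full", 0666, 1, 7); // mknod -m 666 /dev/full c 1 7
 fs_logger("mknod /dev/full");
+selinux_relabel_path("/dev/full", "/dev/full");
 create_char_dev("/dev/random", 0666, 1, 8); // Mknod -m 666 /dev/random c 1 8
 fs_logger("mknod /dev/random");
+selinux_relabel_path("/dev/random", "/dev/random");
 create_char_dev("/dev/urandom", 0666, 1, 9); // mknod -m 666 /dev/urandom c 1 9
 fs_logger("mknod /dev/urandom");
+selinux_relabel_path("/dev/urandom", "/dev/urandom");
 create_char_dev("/dev/tty", 0666, 5, 0); // mknod -m 666 /dev/tty c 5 0
 fs_logger("mknod /dev/tty");
+selinux_relabel_path("/dev/tty", "/dev/tty");
 #if 0
 create_dev("/dev/tty0", "mknod -m 666 /dev/tty0 c 4 0");
 create_dev("/dev/console", "mknod -m 622 /dev/console c 5 1");
@@ -427,16 +434,24 @@ void fs_private_dev(void) {
 
 // stdin, stdout, stderr
 create_link("/proc/self/fd", "/dev/fd");
+selinux_relabel_path("/dev/fd", "/dev/fd");
 create_link("/proc/self/fd/0", "/dev/stdin");
+selinux_relabel_path("/dev/stdin", "/dev/stdin");
 create_link("/proc/self/fd/1", "/dev/stdout");
+selinux_relabel_path("/dev/stdout", "/dev/stdout");
 create_link("/proc/self/fd/2", "/dev/stderr");
+selinux_relabel_path("/dev/stderr", "/dev/stderr");
 
 // symlinks for DVD/CD players
 if (stat("/dev/sr0", &s) == 0) {
 create_link("/dev/sr0", "/dev/cdrom");
+selinux_relabel_path("/dev/cdrom", "/dev/cdrom");
 create_link("/dev/sr0", "/dev/cdrw");
+selinux_relabel_path("/dev/cdrw", "/dev/cdrw");
 create_link("/dev/sr0", "/dev/dvd");
+selinux_relabel_path("/dev/dvd", "/dev/dvd");
 create_link("/dev/sr0", "/dev/dvdrw");
+selinux_relabel_path("/dev/dvdrw", "/dev/dvdrw");
 }
 }
 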