bugfix: add missing selinux relabeling for /dev paths #6734
Conversation
Some objects are created in fs_dev but not labeled. This patch ensures that those objects are properly labeled. Signed-off-by: Antonio Enrico Russo <[email protected]>
kmk3
changed the title
There was a problem hiding this comment.
Hello, sorry for the delay.
Looks good to me.
I was going to suggest to also relabel paths after bind-mounting:
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -166,6 +166,7 @@ static void deventry_mount(const char *source,
errExit("mounting dev file");
}
fs_logger2("whitelist", target);
+ selinux_relabel_path(target, target);
}
// For every path in source_pattern, mount it on the dirname of target_pattern.
@@ -304,6 +305,8 @@ static void mount_dev_shm(void) {
empty_dev_shm();
return;
}
+
+ selinux_relabel_path("/dev/shm", "/dev/shm");
}
static void process_dev_shm(void) {
@@ -369,6 +372,7 @@ void fs_private_dev(void) {
if (mount(RUN_DEVLOG_FILE, "/dev/log", NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mounting /dev/log");
fs_logger("clone /dev/log");
+ selinux_relabel_path("/dev/log", "/dev/log");
}
if (mount(RUN_RO_FILE, RUN_DEVLOG_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
errExit("blacklisting " RUN_DEVLOG_FILE);
@@ -431,6 +435,7 @@ void fs_private_dev(void) {
errExit("mounting /dev/pts");
free(data);
fs_logger("clone /dev/pts");
+ selinux_relabel_path("/dev/pts", "/dev/pts");
// stdin, stdout, stderr
create_link("/proc/self/fd", "/dev/fd");But I'm not sure if selinux_relabel_path would get the source label from the
correct/original path (I'm not sure how bind-mounting affects the labeling if
at all).
Would you mind looking into this?
If it's not obvious, we could also merge the PR as is and ignore this for now.
Any thoughts?
|
These appear to already have the correct SELinux label in a firejail I just tested. This also makes sense to me: bind mounts bring along the SELinux label (just tested that by I also think that |
Some objects are created in fs_dev but not labeled. This patch ensures that those objects are properly labeled.
As an aside: I am locally running a fully confined SELinux setup using firejail (this is in fact posted from a fully SELinux contained Firefox instance running within a firejail). This involves a custom SELinux module for firejail (and other programs). So, this patch isn't "abstract" in any way---it's actually essential for me.