From aeac9dd6475d67a40b61e92395f6c793534a9d59 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Fri, 28 Feb 2020 18:43:28 +0000
Subject: [PATCH] Revert "namespace: fix MAC labels of /dev when PrivateDevices=yes"
This reverts commit e6e81ec0a56861b905db975fc32c83e2f2faca7d.
---
 src/basic/label.c | 6 +++---
 src/basic/label.h | 5 +----
 src/basic/selinux-util.c | 6 +++---
 src/basic/selinux-util.h | 6 +-----
 src/basic/smack-util.c | 6 +++---
 src/basic/smack-util.h | 6 +-----
 src/core/namespace.c | 17 -----------------
 7 files changed, 12 insertions(+), 40 deletions(-)
diff --git a/src/basic/label.c b/src/basic/label.c
index 1fce7718d4b..12a7fb0945e 100644
--- a/src/basic/label.c
+++ b/src/basic/label.c
@@ -10,11 +10,11 @@
 #include "selinux-util.h"
 #include "smack-util.h"
-int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
+int label_fix(const char *path, LabelFixFlags flags) {
 int r, q;
- r = mac_selinux_fix_container(path, inside_path, flags);
- q = mac_smack_fix_container(path, inside_path, flags);
+ r = mac_selinux_fix(path, flags);
+ q = mac_smack_fix(path, flags);
 if (r < 0)
 return r;
diff --git a/src/basic/label.h b/src/basic/label.h
index a6f9074b281..594fd65974c 100644
--- a/src/basic/label.h
+++ b/src/basic/label.h
@@ -9,10 +9,7 @@ typedef enum LabelFixFlags {
 LABEL_IGNORE_EROFS = 1 << 1,
 } LabelFixFlags;
-int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
-static inline int label_fix(const char *path, LabelFixFlags flags) {
- return label_fix_container(path, path, flags);
-}
+int label_fix(const char *path, LabelFixFlags flags);
 int mkdir_label(const char *path, mode_t mode);
 int mkdirat_label(int dirfd, const char *path, mode_t mode);
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index fd78ce200ed..90bb93ed0b8 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
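Review bot: The restored declaration `int label_fix(const char *path, LabelFixFlags flags);` in label.h carries no comment describing its contract, and the label.c hunk shows it runs both mac_selinux_fix() and mac_smack_fix() before looking at either result, which a caller cannot tell from the header. A short comment on the declaration would capture that, e.g. `/* Relabel @path for every MAC backend built in. Both backends always run; a SELinux error is returned in preference to a SMACK one. */`. The tail of label_fix() that returns the SMACK result lies outside the hunk, so the second half of that comment is inferred from `if (r < 0) return r;` and should be checked against the remaining lines.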
@@ -124,7 +124,7 @@ void mac_selinux_reload(void) {
 #endif
 }
-int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
+int mac_selinux_fix(const char *path, LabelFixFlags flags) {
 #if HAVE_SELINUX
 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
@@ -151,7 +151,7 @@ int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFi
 if (fstat(fd, &st) < 0)
 return -errno;
- if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) < 0) {
+ if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
 r = -errno;
 /* If there's no label to set, then exit without warning */
@@ -185,7 +185,7 @@ int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFi
 return 0;
 fail:
- log_enforcing_errno(r, "Unable to fix SELinux security context of %s (%s): %m", path, inside_path);
+ log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
 if (security_getenforce() == 1)
 return r;
 #endif
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
index 6d9e050781c..b73b7c50e07 100644
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@@ -22,11 +22,7 @@ int mac_selinux_init(void);
 void mac_selinux_finish(void);
 void mac_selinux_reload(void);
-int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
-static inline int mac_selinux_fix(const char *path, LabelFixFlags flags) {
- return mac_selinux_fix_container(path, path, flags);
-}
-
+int mac_selinux_fix(const char *path, LabelFixFlags flags);
 int mac_selinux_apply(const char *path, const char *label);
 int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
diff --git a/src/basic/smack-util.c b/src/basic/smack-util.c
index 8043a97c359..da9a2139d31 100644
--- a/src/basic/smack-util.c
+++ b/src/basic/smack-util.c
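Review bot: In the second selinux-util.c hunk the restored `selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode)` keys the file_contexts lookup on `path` exactly as the caller passed it, whereas the SMACK counterpart in this same commit resolves an `abspath` before calling smack_fix_fd(); if a caller ever hands over a relative path, the SELinux lookup is matched against that relative string rather than the file's canonical location, and the two backends would then disagree about the same file. Unless every caller is known to pass absolute paths, either document the precondition on mac_selinux_fix() (`/* @path must be absolute: it is matched verbatim against file_contexts */`) or resolve it the way mac_smack_fix() does. The beginning of mac_selinux_fix(), where any normalisation of `path` would live, is outside the hunk, so this is inferred from the visible lines only.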
@@ -206,7 +206,7 @@ int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags) {
 return smack_fix_fd(fd, path, flags);
 }
-int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
+int mac_smack_fix(const char *path, LabelFixFlags flags) {
 _cleanup_free_ char *abspath = NULL;
 _cleanup_close_ int fd = -1;
 int r;
@@ -228,7 +228,7 @@ int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixF
 return -errno;
 }
- return smack_fix_fd(fd, inside_path, flags);
+ return smack_fix_fd(fd, abspath, flags);
 }
 int mac_smack_copy(const char *dest, const char *src) {
@@ -274,7 +274,7 @@ int mac_smack_apply_pid(pid_t pid, const char *label) {
 return 0;
 }
-int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
+int mac_smack_fix(const char *path, LabelFixFlags flags) {
 return 0;
 }
diff --git a/src/basic/smack-util.h b/src/basic/smack-util.h
index df2ce370716..395ec07b57c 100644
--- a/src/basic/smack-util.h
+++ b/src/basic/smack-util.h
@@ -29,11 +29,7 @@ typedef enum SmackAttr {
 bool mac_smack_use(void);
-int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
-static inline int mac_smack_fix(const char *path, LabelFixFlags flags) {
- return mac_smack_fix_container(path, path, flags);
-}
-
+int mac_smack_fix(const char *path, LabelFixFlags flags);
 int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags);
 const char* smack_attr_to_string(SmackAttr i) _const_;
diff --git a/src/core/namespace.c b/src/core/namespace.c
index df9bbdb7b43..07c9ac2b515 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -34,7 +34,6 @@
 #include "tmpfile-util.h"
 #include "umask-util.h"
 #include "user-util.h"
-#include "virt.h"
 #define DEV_MOUNT_OPTIONS (MS_NOSUID|MS_STRICTATIME|MS_NOEXEC)
@@ -691,22 +690,6 @@ static int mount_private_dev(MountEntry *m) {
 r = log_debug_errno(errno, "Failed to mount tmpfs on '%s': %m", dev);
 goto fail;
 }
-#if HAVE_SELINUX || ENABLE_SMACK
- if (detect_container() <= 0) {
- /* these could fail if inside container */
- r = mac_selinux_init();
- if (r < 0) {
- log_debug("Failed to reinitialize SELinux policy");
- goto fail;
- }
- r = label_fix_container(dev, "/dev", 0);
- if (r < 0) {
- log_debug_errno(errno, "Failed to fix label of '%s' as /dev: %m", dev);
- goto fail;
- }
- mac_selinux_finish();
- }
-#endif
 devpts = strjoina(temporary_mount, "/dev/pts");
 (void) mkdir(devpts, 0755);
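Review bot: After this hunk nothing between the tmpfs mount on `dev` and the `devpts` setup relabels the new mount, so on an SELinux- or SMACK-enforcing host the private /dev and the nodes created beneath it appear to keep whatever context the tmpfs mount receives by default; the removed block was the only place on this page that addressed that, and the commit message records no reason for dropping it. A marker at the mount site would keep the gap from going unnoticed, e.g. `/* NOTE: the private /dev tmpfs is not relabelled here; under an enforcing MAC policy its nodes keep the mount's default context until a labelling step is (re)added. */`. mount_private_dev() starts and ends outside the hunk, so a relabelling step elsewhere in the function cannot be ruled out from these lines alone.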