Revert "namespace: fix MAC labels of /dev when PrivateDevices=yes"

This reverts commit e6e81ec0a5.
2024-11-02 19:21:53 +03:00 · 2020-02-28 18:43:28 +00:00 · 2020-02-28 18:43:28 +00:00 · aeac9dd647
commit aeac9dd647
parent ee00d1e95e
7 changed files with 12 additions and 40 deletions
--- a/src/basic/label.c
+++ b/src/basic/label.c
@ -10,11 +10,11 @@
 #include "selinux-util.h"
 #include "smack-util.h"

-int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
+int label_fix(const char *path, LabelFixFlags flags) {
        int r, q;

-        r = mac_selinux_fix_container(path, inside_path, flags);
-        q = mac_smack_fix_container(path, inside_path, flags);
+        r = mac_selinux_fix(path, flags);
+        q = mac_smack_fix(path, flags);

        if (r < 0)
                return r;
--- a/src/basic/label.h
+++ b/src/basic/label.h
@ -9,10 +9,7 @@ typedef enum LabelFixFlags {
        LABEL_IGNORE_EROFS  = 1 << 1,
 } LabelFixFlags;

-int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
-static inline int label_fix(const char *path, LabelFixFlags flags) {
-        return label_fix_container(path, path, flags);
-}
+int label_fix(const char *path, LabelFixFlags flags);

 int mkdir_label(const char *path, mode_t mode);
 int mkdirat_label(int dirfd, const char *path, mode_t mode);
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@ -124,7 +124,7 @@ void mac_selinux_reload(void) {
 #endif
 }

-int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
+int mac_selinux_fix(const char *path, LabelFixFlags flags) {

 #if HAVE_SELINUX
        char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
@ -151,7 +151,7 @@ int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFi
        if (fstat(fd, &st) < 0)
                return -errno;

-        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) < 0) {
+        if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
                r = -errno;

                /* If there's no label to set, then exit without warning */
@ -185,7 +185,7 @@ int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFi
        return 0;

 fail:
-        log_enforcing_errno(r, "Unable to fix SELinux security context of %s (%s): %m", path, inside_path);
+        log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
        if (security_getenforce() == 1)
                return r;
 #endif
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@ -22,11 +22,7 @@ int mac_selinux_init(void);
 void mac_selinux_finish(void);
 void mac_selinux_reload(void);

-int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
-static inline int mac_selinux_fix(const char *path, LabelFixFlags flags) {
-        return mac_selinux_fix_container(path, path, flags);
-}
-
+int mac_selinux_fix(const char *path, LabelFixFlags flags);
 int mac_selinux_apply(const char *path, const char *label);

 int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
--- a/src/basic/smack-util.c
+++ b/src/basic/smack-util.c
@ -206,7 +206,7 @@ int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags) {
        return smack_fix_fd(fd, path, flags);
 }

-int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
+int mac_smack_fix(const char *path, LabelFixFlags flags) {
        _cleanup_free_ char *abspath = NULL;
        _cleanup_close_ int fd = -1;
        int r;
@ -228,7 +228,7 @@ int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixF
                return -errno;
        }

-        return smack_fix_fd(fd, inside_path, flags);
+        return smack_fix_fd(fd, abspath, flags);
 }

 int mac_smack_copy(const char *dest, const char *src) {
@ -274,7 +274,7 @@ int mac_smack_apply_pid(pid_t pid, const char *label) {
        return 0;
 }

-int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
+int mac_smack_fix(const char *path, LabelFixFlags flags) {
        return 0;
 }

--- a/src/basic/smack-util.h
+++ b/src/basic/smack-util.h
@ -29,11 +29,7 @@ typedef enum SmackAttr {

 bool mac_smack_use(void);

-int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
-static inline int mac_smack_fix(const char *path, LabelFixFlags flags) {
-        return mac_smack_fix_container(path, path, flags);
-}
-
+int mac_smack_fix(const char *path, LabelFixFlags flags);
 int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags);

 const char* smack_attr_to_string(SmackAttr i) _const_;
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -34,7 +34,6 @@
 #include "tmpfile-util.h"
 #include "umask-util.h"
 #include "user-util.h"
-#include "virt.h"

 #define DEV_MOUNT_OPTIONS (MS_NOSUID|MS_STRICTATIME|MS_NOEXEC)

@ -691,22 +690,6 @@ static int mount_private_dev(MountEntry *m) {
                r = log_debug_errno(errno, "Failed to mount tmpfs on '%s': %m", dev);
                goto fail;
        }
-#if HAVE_SELINUX || ENABLE_SMACK
-        if (detect_container() <= 0) {
-                /* these could fail if inside container */
-                r = mac_selinux_init();
-                if (r < 0) {
-                        log_debug("Failed to reinitialize SELinux policy");
-                        goto fail;
-                }
-                r = label_fix_container(dev, "/dev", 0);
-                if (r < 0) {
-                        log_debug_errno(errno, "Failed to fix label of '%s' as /dev: %m", dev);
-                        goto fail;
-                }
-                mac_selinux_finish();
-        }
-#endif

        devpts = strjoina(temporary_mount, "/dev/pts");
        (void) mkdir(devpts, 0755);