mount: apply SELinux labels before overlayfs mount

[project/fstools.git] / libfstools / mount.c

diff --git a/libfstools/mount.c b/libfstools/mount.c
index c72c26d59704ab137ac9b2a080f4795d03fa7492..b30e5a6d3846639a0522867b5285478a48e2a916 100644 (file)
--- a/libfstools/mount.c
+++ b/libfstools/mount.c
@@ -14,6 +14,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
+#include <sys/wait.h>
 
 #include <errno.h>
 #include <stdio.h>
@@ -85,6 +86,24 @@ pivot(char *new, char *old)
        return 0;
 }
 
+void
+selinux_restorecon(char *overlaydir)
+{
+       struct stat s;
+       pid_t restorecon_pid;
+       int status;
+
+       /* on non-SELinux system we don't have /sbin/restorecon, return */
+       if (stat("/sbin/restorecon", &s))
+               return;
+
+       restorecon_pid = fork();
+       if (!restorecon_pid)
+               execl("/sbin/restorecon", "restorecon", overlaydir, (char *) NULL);
+       else if (restorecon_pid > 0)
+               waitpid(restorecon_pid, &status, 0);
+}
+
 /**
  * fopivot - switch to overlay using passed dir as upper one
  *
@@ -110,6 +129,13 @@ fopivot(char *rw_root, char *ro_root)
        snprintf(mount_options, sizeof(mount_options), "lowerdir=/,upperdir=%s,workdir=%s",
                 upperdir, workdir);
 
+       /*
+        * Initialize SELinux security label on newly created overlay
+        * filesystem where /upper doesn't yet exist
+        */
+       if (stat(upperdir, &st))
+               selinux_restorecon(rw_root);
+
        /*
         * Overlay FS v23 and later requires both a upper and
         * a work directory, both on the same filesystem, but