mount: apply SELinux labels before overlayfs mount

Use restorecon to apply SELinux labels if applicable.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

libfstools/libfstools.h

@@ -62,5 +62,6 @@ extern void overlay_delete(const char *dir, bool keep_sysupgrade);
 
 enum fs_state fs_state_get(const char *dir);
 int fs_state_set(const char *dir, enum fs_state state);
+void selinux_restorecon(char *overlaydir);
 
 #endif

libfstools/mount.c

@@ -14,6 +14,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
+#include <sys/wait.h>
 
 #include <errno.h>
 #include <stdio.h>
@@ -85,6 +86,24 @@ pivot(char *new, char *old)
 	return 0;
 }
 
+void
+selinux_restorecon(char *overlaydir)
+{
+	struct stat s;
+	pid_t restorecon_pid;
+	int status;
+
+	/* on non-SELinux system we don't have /sbin/restorecon, return */
+	if (stat("/sbin/restorecon", &s))
+		return;
+
+	restorecon_pid = fork();
+	if (!restorecon_pid)
+		execl("/sbin/restorecon", "restorecon", overlaydir, (char *) NULL);
+	else if (restorecon_pid > 0)
+		waitpid(restorecon_pid, &status, 0);
+}
+
 /**
  * fopivot - switch to overlay using passed dir as upper one
  *
@@ -110,6 +129,13 @@ fopivot(char *rw_root, char *ro_root)
 	snprintf(mount_options, sizeof(mount_options), "lowerdir=/,upperdir=%s,workdir=%s",
 		 upperdir, workdir);
 
+	/*
+	 * Initialize SELinux security label on newly created overlay
+	 * filesystem where /upper doesn't yet exist
+	 */
+	if (stat(upperdir, &st))
+		selinux_restorecon(rw_root);
+
 	/*
 	 * Overlay FS v23 and later requires both a upper and
 	 * a work directory, both on the same filesystem, but

libfstools/overlay.c

@@ -189,6 +189,7 @@ switch2jffs(struct volume *v)
 		ULOG_ERR("failed - mount -t jffs2 %s %s: %m\n", v->blk, OVERLAYDIR);
 		return -1;
 	}
+	selinux_restorecon(OVERLAYDIR);
 
 	if (mount("none", "/", NULL, MS_NOATIME | MS_REMOUNT, 0)) {
 		ULOG_ERR("failed - mount -o remount,ro none: %m\n");