mac: rework labelling code to be simpler, and less racy

This merges the various labelling calls into a single label_fix_full(),
which can operate on paths, on inode fds, and in a dirfd/fname style
(i.e. like openat()). It also systematically separates the path to look
up in the db from the path we actually use to reference the inode to
relabel.

This then ports tmpfiles over to labelling by fd. This should make the
code a bit less racy, as we'll try hard to always operate on the very
same inode, pinning it via an fd.

User-visibly the behaviour should not change.

1 files changed, 1 insertions, 9 deletions

diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index a9ddbfc653..e9771a28fe 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -24,15 +24,7 @@ int mac_selinux_init(void);
 void mac_selinux_maybe_reload(void);
 void mac_selinux_finish(void);
 
-int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
-static inline int mac_selinux_fix(const char *path, LabelFixFlags flags) {
-        return mac_selinux_fix_container(path, path, flags);
-}
-
-int mac_selinux_fix_container_fd(int fd, const char *path, const char *inside_path, LabelFixFlags flags);
-static inline int mac_selinux_fix_fd(int fd, const char *path, LabelFixFlags flags) {
-        return mac_selinux_fix_container_fd(fd, path, path, flags);
-}
+int mac_selinux_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags);
 
 int mac_selinux_apply(const char *path, const char *label);
 int mac_selinux_apply_fd(int fd, const char *path, const char *label);