From 03bc11d1c491d6b8fed1e43c2929790d004d7367 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 8 Jul 2022 10:05:57 +0200
Subject: mac: rework labelling code to be simpler, and less racy This merges the various labelling calls into a single label_fix_full(), which can operate on paths, on inode fds, and in a dirfd/fname style (i.e. like openat()). It also systematically separates the path to look up in the db from the path we actually use to reference the inode to relabel. This then ports tmpfiles over to labelling by fd. This should make the code a bit less racy, as we'll try hard to always operate on the very same inode, pinning it via an fd. User-visibly the behaviour should not change.
---
src/udev/udev-node.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/udev/udev-node.c')
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index c9f58e8c29..bb34977d97 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -677,7 +677,7 @@ static int udev_node_apply_permissions_impl(
 /* set the defaults */
 if (!selinux)
- (void) mac_selinux_fix_fd(node_fd, devnode, LABEL_IGNORE_ENOENT);
+ (void) mac_selinux_fix_full(node_fd, NULL, devnode, LABEL_IGNORE_ENOENT);
 if (!smack)
 (void) mac_smack_apply_fd(node_fd, SMACK_ATTR_ACCESS, NULL);
 }
--
cgit v1.2.3
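Review bot: The `NULL` second argument in the new `mac_selinux_fix_full(node_fd, NULL, devnode, LABEL_IGNORE_ENOENT)` call is not self-explanatory at the call site, yet it is the security-relevant part of the change. Going by the commit message, it means the relabel is applied to the inode pinned by `node_fd`, while `devnode` is only the path looked up in the label database. A one-line comment would guard against a later edit passing a path there and reintroducing a lookup-by-name race, e.g. `/* relabel the inode pinned by node_fd; devnode is only the label-db lookup key */`. The result is still discarded with `(void)`, so a device node left with the wrong label is silent here unless the callee logs it, which this hunk does not show. The enclosing function starts and ends outside the hunk.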