Add a special value for rootcontext=, namely `@target`, to set the root context of the new filesystem to the current context of the target mountpoint. Useful for in-memory filesystems, like tmpfs and ramfs. Closes: https://github.com/util-linux/util-linux/issues/1830 --- Pull-Request: https://github.com/util-linux/util-linux/pull/1876 --- libmount/src/context_mount.c | 18 ++++++++++++++---- sys-utils/mount.8.adoc | 2 +- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c index 7b897345c..eba64b6c2 100644 --- a/libmount/src/context_mount.c +++ b/libmount/src/context_mount.c @@ -154,7 +154,9 @@ static int fix_optstr(struct libmnt_context *cxt) mnt_reset_iter(&itr, MNT_ITER_FORWARD); while (mnt_optlist_next_opt(ol, &itr, &opt) == 0) { - if (!is_option(mnt_opt_get_name(opt), selinux_options)) + const char *opt_name = mnt_opt_get_name(opt); + + if (!is_option(opt_name, selinux_options)) continue; if (se_rem) rc = mnt_optlist_remove_opt(ol, opt); @@ -162,9 +164,17 @@ static int fix_optstr(struct libmnt_context *cxt) const char *val = mnt_opt_get_value(opt); char *raw = NULL; - rc = selinux_trans_to_raw_context(val, &raw); - if (rc == -1 || !raw) - rc = -EINVAL; + if (strcmp(opt_name, "rootcontext") == 0 && strcmp(val, "@target") == 0) { + rc = getfilecon_raw(cxt->fs->target, &raw); + if (rc <= 0 || !raw) + rc = errno ? -errno : -EINVAL; + else + rc = 0; /* getfilecon_raw(3) returns the size of the extended attribute value */ + } else { + rc = selinux_trans_to_raw_context(val, &raw); + if (rc == -1 || !raw) + rc = -EINVAL; + } if (!rc) rc = mnt_opt_set_quoted_value(opt, raw); if (raw) diff --git a/sys-utils/mount.8.adoc b/sys-utils/mount.8.adoc index 318b2fe23..5948d3389 100644 --- a/sys-utils/mount.8.adoc +++ b/sys-utils/mount.8.adoc 
@@ -508,7 +508,7 @@ The *fscontext=* option works for all filesystems, regardless of their xattr sup + You can set the default security context for unlabeled files using *defcontext=* option. This overrides the value set for unlabeled files in the policy and requires a filesystem that supports xattr labeling. + -The *rootcontext=* option allows you to explicitly label the root inode of a FS being mounted before that FS or inode becomes visible to userspace. This was found to be useful for things like stateless Linux. +The *rootcontext=* option allows you to explicitly label the root inode of a FS being mounted before that FS or inode becomes visible to userspace. This was found to be useful for things like stateless Linux. The special value *@target* can be used to assign the current context of the target mountpoint location. + Note that the kernel rejects any remount request that includes the context option, *even* when unchanged from the current context. + -- 2.39.2
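Review bot: In the second context_mount.c hunk (@@ -162), `strcmp(val, "@target")` dereferences `val` without a NULL check, and `mnt_opt_get_value(opt)` returns NULL when the option is given without a value (a bare `rootcontext`); the old call path tolerated that because it passed `val` straight to `selinux_trans_to_raw_context()`, so the new branch should guard it, e.g. `if (val && strcmp(opt_name, "rootcontext") == 0 && strcmp(val, "@target") == 0)`. Two smaller points in the same hunk: `rc <= 0` treats a zero-length label as a failure but then reads `errno`, which nothing has set on that path, so consider testing `rc < 0` for the error case and mapping `0`/empty separately; and since `getfilecon_raw(3)` follows symlinks while `cxt->fs->target` is whatever the caller supplied, it is worth a comment (or an assert) that the target has already been canonicalized by the time `fix_optstr()` runs, so the copied label is that of the real mountpoint and not of a link a less-privileged user controls.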
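Review bot: The mount.8.adoc hunk (@@ -508) should say that *@target* is expanded by mount(8)/libmount, not by the kernel, and that the label copied is the one the mountpoint directory carries immediately before the mount covers it; otherwise readers may expect the value to work in a raw mount(2) call or in other tools that pass options through unchanged, or to track later relabels of the mountpoint. A short sentence such as "This value is resolved by mount(8) before the filesystem is mounted; it is not understood by the kernel" would cover both.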