[PATCH v2] Add restorecon -x option to not cross FS boundaries

[PATCH v2] Add restorecon -x option to not cross FS boundaries

[Peter Whittaker]

Fixes: https://github.com/SELinuxProject/selinux/issues/208

Signed-off-by: Peter Whittaker <pww@edgekeep.com>
---
 policycoreutils/setfiles/restorecon.8 |  7 +++++++
 policycoreutils/setfiles/setfiles.c   | 13 ++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index bbfc83fe..0d1930de 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -13,6 +13,7 @@ restorecon \- restore file(s) default SELinux security contexts.
 .RB [ \-F ]
 .RB [ \-W ]
 .RB [ \-I | \-D ]
+.RB [ \-x ]
 .RB [ \-e
 .IR directory ]
 .IR pathname \ ...
@@ -31,6 +32,7 @@ restorecon \- restore file(s) default SELinux security contexts.
 .RB [ \-F ]
 .RB [ \-W ]
 .RB [ \-I | \-D ]
+.RB [ \-x ]
 
 .SH "DESCRIPTION"
 This manual page describes the
@@ -153,6 +155,11 @@ option of GNU
 .B find
 produces input suitable for this mode.
 .TP
+.B \-x
+prevent
+.B restorecon
+from crossing file system boundaries.
+.TP
 .SH "ARGUMENTS"
 .IR pathname \ ...
 The pathname for the file(s) to be relabeled.
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 16bd592c..ed67b5f1 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -43,8 +43,8 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
 {
 	if (iamrestorecon) {
 		fprintf(stderr,
-			"usage:  %s [-iIDFmnprRv0] [-e excludedir] pathname...\n"
-			"usage:  %s [-iIDFmnprRv0] [-e excludedir] -f filename\n",
+			"usage:  %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
+			"usage:  %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
 			name, name);
 	} else {
 		fprintf(stderr,
@@ -168,7 +168,7 @@ int main(int argc, char **argv)
 	size_t buf_len;
 	const char *base;
 	int errors = 0;
-	const char *ropts = "e:f:hiIDlmno:pqrsvFRW0";
+	const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x";
 	const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0";
 	const char *opts;
 	union selinux_callback cb;
@@ -386,6 +386,13 @@ int main(int argc, char **argv)
 		case '0':
 			null_terminated = 1;
 			break;
+                case 'x':
+                        if (iamrestorecon) {
+				r_opts.xdev = SELINUX_RESTORECON_XDEV;
+                        } else {
+				usage(argv[0]);
+                        }
+                        break;
 		case 'h':
 		case '?':
 			usage(argv[0]);
-- 
2.26.2

Re: [PATCH v2] Add restorecon -x option to not cross FS boundaries

[Stephen Smalley]

On Mon, Jun 8, 2020 at 12:21 PM Peter Whittaker <pww@edgekeep.com> wrote:
>
> Fixes: https://github.com/SELinuxProject/selinux/issues/208
>
> Signed-off-by: Peter Whittaker <pww@edgekeep.com>

Only question I had is about the order of options in the usage and man
pages but that's a nit and doesn't seem
terribly consistent currently.

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Re: [PATCH v2] Add restorecon -x option to not cross FS boundaries

[Peter Whittaker]

Yeah, I wondered about that, couldn't see a reasonable pattern, and
put it in where it seemed, uh, least awkward?

Thanks for your patience on getting this built, it was an education!

P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP


On Tue, Jun 9, 2020 at 7:56 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Mon, Jun 8, 2020 at 12:21 PM Peter Whittaker <pww@edgekeep.com> wrote:
> >
> > Fixes: https://github.com/SELinuxProject/selinux/issues/208
> >
> > Signed-off-by: Peter Whittaker <pww@edgekeep.com>
>
> Only question I had is about the order of options in the usage and man
> pages but that's a nit and doesn't seem
> terribly consistent currently.
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Re: [PATCH v2] Add restorecon -x option to not cross FS boundaries

[Petr Lautrbach]

[-- Attachment #1: Type: text/plain, Size: 945 bytes --]

On Tue, Jun 09, 2020 at 10:29:30AM -0400, Peter Whittaker wrote:
> Yeah, I wondered about that, couldn't see a reasonable pattern, and
> put it in where it seemed, uh, least awkward?
> 
> Thanks for your patience on getting this built, it was an education!
> 

Applied, thanks!


>
> Peter Whittaker
> EdgeKeep Inc.
> www.edgekeep.com
> +1 613 864 5337
> +1 613 864 KEEP
> 
> 
> On Tue, Jun 9, 2020 at 7:56 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Mon, Jun 8, 2020 at 12:21 PM Peter Whittaker <pww@edgekeep.com> wrote:
> > >
> > > Fixes: https://github.com/SELinuxProject/selinux/issues/208
> > >
> > > Signed-off-by: Peter Whittaker <pww@edgekeep.com>
> >
> > Only question I had is about the order of options in the usage and man
> > pages but that's a nit and doesn't seem
> > terribly consistent currently.
> >
> > Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]